States and governments are constantly introducing privacy laws that mirror the notable European GDPR and California's CCPA. Security and privacy must be a high priority for agencies handling data (like client social media passwords).
This matters not only for complying with laws and respecting people's privacy but also as a business strategy.
If your company earns a reputation for mismanaging passwords and causing leaks or data breaches, you'll struggle to find anyone who wants to work with you!
Secure password management doesn't have to be expensive or disrupt workflows. TeamPassword is an affordable password manager designed for small businesses, startups, and agencies. Sign up for a 14-day free trial to experience the ease and efficiency of robust password security with TeamPassword.
The Importance of Onboarding Clients Safely
Firstly, violating GDPR, CCPA, and other state regulations could result in hefty fines. In Europe, under GDPR, the maximum penalty is £20 million or 4% of annual turnover. Google, British Airways, H&M, and Marriott have all learned this the hard way—each receiving fines over €10,000,000.
CCPA punishes California-based organizations similarly to GDPR and can take action against companies outside of California and the United States for data violations against its citizens. Virginia, New York, Massachusetts, Maryland, and Hawaii are working on similar data privacy laws with severe fines and penalties.
While most agencies don't operate anywhere near the turnover of the multinationals mentioned above, a relative fine will still hurt cash flow and your brand's reputation.
A secure and professional onboarding experience will not only ensure you comply with legislation, but it'll impress your clients and build trust. If your customers know they're in safe hands, then they're less likely to look elsewhere.
Examples of Poor Onboarding Practices & Associated Risks
When agencies onboard new clients, they typically require access to social media accounts and any tools—social media management, analytics, research, etc. This access means clients need to share their passwords with your company.
Here are some of the ways agencies onboard clients, the associated risks, and why you should avoid using them.
Email is a common way for clients and agencies to share passwords. It's also one of the most dangerous!
If someone breaches an employee's or client's device, all they have to do is search the mailbox using keywords like "password" or "Instagram password," and the relevant emails will appear. Even if you delete the emails, they usually stay in your deleted folder for 30 days.
It's also very easy to share emails, and you have no control over where employees, contractors, or freelancers forward these passwords—even if it's a mistake!
Like email, spreadsheets are easy to copy and share. They're also simple for hackers to find when they breach a device.
Spreadsheets are particularly bad for sharing passwords because you generally store multiple credentials in one place—making it easy to steal an entire asset list. It's worse still if you keep all your clients' credentials in one spreadsheet under multiple tabs!
The biggest issue with spreadsheets is that you can't segment access without creating multiple spreadsheets, which can become confusing if you deal with many clients and teams.
Text & Messaging Apps
Another common way people share passwords is via text or messaging apps like Facebook Messenger, WhatsApp, Slack, and others. This method exposes similar vulnerabilities to email and spreadsheets where you have no control over unauthorized sharing. You also have to worry about team members losing their devices!
Many of these apps store your messages on a server, which means they're vulnerable to data breaches—which happen more often than you think!
Another way agencies onboard clients and capture data like passwords is by using forms. Forms are a little more secure than the other methods, but where do those submissions go? And how do you store and share the passwords once you receive them?
Form submissions often end up in email inboxes, which defeats the point of "securely transferring" data from your clients.
The most significant risk with these four onboarding methods is that employees use and share raw credentials. If you're sharing passwords with freelancers, then that's even more problematic!
How to Build Trust and Onboard Clients Securely
So, how do you receive data like client social media passwords securely? And how do you store and share credentials with coworkers safely?
With TeamPassword, you can capture client social media passwords and share those credentials with your teams. Here's how...
First, create a TeamPassword group for your client.
- If you haven't already, sign up for a TeamPassword account. It's free to try for 14 days—no credit card required.
- Navigate to your account profile under Manage Teams.
- Click Groups and Add a Group.
- Use your client's name for the group and click Save Changes.
Now, onboard your client by asking them to enter their passwords directly into TeamPassword's password manager. It's like filling out a form, and TeamPassword's minimalist UI makes it easy to navigate and enter the required information.
1. Under People, click Invite Your Team.
2. Enter your client's email address and set the Permission level to Member. Under Add to groups (optional): check the box next to your client's name and click Send Invitation.
3. Your client will receive an invite to join your TeamPassword account. They accept the invite by following the email link and creating a username and password. TeamPassword also allows people to sign in using Google.
4. On the dashboard, your client clicks the blue and white + button to add a new password.
5. Under Name, they enter an obvious identifier, like Acme Co - Twitter, if the password is for their Twitter account.
6. Login URL: the URL where you log in. If they're not sure, ask them to enter the site's URL, for example, twitter.com—one of your team can correct this later.
7. The Username and Password fields should be self-explanatory. Tell your client not to click Generate as this will create a new password!
8. Notes: they can use this field to add any additional instructions.
9. Share with: your client should check your company name (not Only Me (Private)).
10. When they click your company name, a second box will appear where your client needs to check their name and not Everyone at (Your Company).
11. Lastly, they click Save, and the password saves to your account and immediately appears on your TeamPassword dashboard.
Your client repeats steps 4 to 11 for all of their passwords, and you have securely captured their data without exposing credentials.
As the account owner, you can edit your client's credentials to correct any onboarding errors.
We highly recommend resetting all of your client's passwords to ensure they're strong and every account has unique credentials. Your client can view the new credentials and use TeamPassword's browser extensions or mobile app to continue to log in to their accounts.
It's a good idea to share an instructional video (using Loom or similar) or provide live onboarding to guide them through the process.
If your client isn't using a password manager, encourage them to sign up for TeamPassword to securely store and share all of their company credentials.
Common Password Security Risks
Here are the top five mistakes companies make when sharing passwords with teams.
- Creating Weak Passwords: weak passwords make it easy for attackers to breach your digital assets. Never use your company or platform name (like Instagram or Twitter), sequential numbers (123), or other easy-to-guess personal/company information. TeamPassword features a built-in password generator, so teams always create strong, random passwords with uppercase, lowercase, numbers, and symbols.
- Storing Passwords in Plaintext: plaintext includes emails, digital note pads, spreadsheets, and messaging apps. TeamPassword uses AES 256-bit encryption to store your passwords. We hash, salt, and encrypt data locally on your computer before uploading it to our servers. Not even TeamPassword employees can view your passwords!
- Reusing Passwords: reusing passwords exposes you to credential stuffing attacks, where hackers take credentials from one account and try them against other accounts that use the same username and password combination. With TeamPassword's password generator, you can create unique credentials for every account.
- Memorable Passwords: we often create passwords using memorable words or phrases, like pets/family names, street addresses, mobile numbers, etc. Hackers know this! With some social media research, criminals can gather "keywords" about your life and add them to password-cracking algorithms to perform what's called a dictionary attack—a highly focused brute force attack where algorithms try username and password combinations until they find a match.
- Changing Passwords Frequently: if you're not using a password manager or password generator, changing passwords too frequently could expose vulnerabilities. Employees tend to develop password-creation patterns which hackers can use to guess your credentials or refine algorithms for a dictionary attack.
When you're working with high-value clients, these sorts of password attacks are not out of the realm of possibility! Make sure you always use a password manager to keep your client's social media passwords and other digital assets safe from attack!
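The mistakes listed above can be checked mechanically before client credentials go into shared use. The following is an added example, not TeamPassword's code or part of the original article: it audits a credential inventory for weak composition, company/platform words, sequential characters, reuse across accounts, and rotation patterns. The 12-character minimum, the finding labels, and the sample entries are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Platform names the page mentions plus "acme", the client name from its example entry.
CONTEXT_WORDS = {"instagram", "twitter", "facebook", "acme"}

def char_classes(pw):
    """Count how many of lowercase, uppercase, digit, symbol appear in pw."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))

def has_sequence(pw, run=3):
    """True if pw contains `run` consecutive ascending/descending characters (123, cba)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run].lower()
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if chunk.isalnum() and steps in ({1}, {-1}):
            return True
    return False

def stem(pw):
    """pw with trailing digits and symbols stripped, lower-cased (Summer2024! -> summer)."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()

def audit(entries, min_len=12):  # min_len is an assumed policy value, not from the page
    """entries: (name, password, previous_password_or_None). Returns {name: [findings]}."""
    findings, by_pw = defaultdict(list), defaultdict(list)
    for name, pw, prev in entries:
        by_pw[pw].append(name)
        if len(pw) < min_len or char_classes(pw) < 4:
            findings[name].append("weak")
        if any(word in pw.lower() for word in CONTEXT_WORDS):
            findings[name].append("context-word")
        if has_sequence(pw):
            findings[name].append("sequence")
        # Same stem before and after a change means only the suffix was rotated.
        if prev and len(stem(pw)) >= 4 and stem(pw) == stem(prev):
            findings[name].append("rotation-pattern")
    for names in by_pw.values():
        if len(names) > 1:  # identical password stored for more than one account
            for name in names:
                findings[name].append("reused")
    return dict(findings)

# Constructed sample inventory; every name and password here is made up for the example.
SAMPLE = [
    ("Acme Co - Twitter", "AcmeTwitter123", None),
    ("Acme Co - Instagram", "Summer2024!", "Summer2023!"),
    ("Acme Co - Analytics", "Summer2024!", None),
    ("Acme Co - Scheduler", "q7#Vd2!mZr9@Lx4p", "T5&hW8^nKc3$Bf6y"),
]
```

Calling `audit(SAMPLE)` returns findings for the first three entries and nothing for the randomly generated one, which is the outcome a password generator is meant to produce.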