I’ve read a number of posts about how one should never, EVER keep client login credentials. Personally, on at least several clients, I’ve broken this rule.
The reason I broke this rule is that in the beginning I realized how unorganized clients were, and 9 out to 10 times they never kept their passwords handy so we had to reset them every time. But over time I’m realizing that I have quite a few in one place if anyone ever got a hold of it, they could do some harm.
I’ve since moved everything to local files that have their own passwords. The only problem here is if I’m out and about and I end up needing the information, I can’t access it. I then thought maybe I would store that protected file in a my dropbox account that has 2 step verification. So then at least 3 layers of security need to be breached to get to it.
At the end of the day though, I still end up with usernames and passwords.
So I’m curious how other people handle this. Is the best practice to suck it up and make clients store their own information? Or are there some all-but-foolproof methods that I’m not thinking of?
I think Dropbox is a safe approach. I mean, there’s always a way to breach security, right? So another thing you could do is put the login credentials in a password protected zip file. Or put the credentials on a external Hard Drive and hide the zip folder.
I keep login information & FTP details but they’re encrypted and password protected. Ultimately, someone has to have them, the amount of times customers forget or need them out of the blue they need to be at hand.
Just don’t leave them sitting in an unprotected document called “CUSTOMER PASSWORDS”.
I was eyeballing a service called Boxcryptor that encrypts files within cloud storage platforms like Dropbox.
I moved them all to a Numbers file which had it’s own password inside of Dropbox. My one thought was to access them through Numbers on iOS but found later that if you download a password protected file through iOS Numbers, it strips the password. So that leaves me with needing to do it on my laptop and my phone isn’t a viable option if I want to keep it all squeaky clean :)
I make it **very** clear to clients that they are responsible for their own passwords.
With website logins (i.e., the site I’m building for them), I keep this rule – I require them to choose their own password via a setup script, and I never even know their password in the first place. If they forget it, they can use their password recovery page (which is beautifully designed and may have never been appreciated otherwise).
With administrative logins (FTP, hosting, etc.) I encourage them to give me a dedicated user/pass. Of course, most don’t, but, “whatever.”
I still say I won’t keep track of it for them, but of course, I keep track of it for myself, and I’ve given reminders when clients forgot. It stays on my local machine (and local backup), however. It’s never stored in [accessible from] the cloud. I’ve never found that limitation to be an inconvenience.
@traq I work in a pretty mobile way – between 2 offices, my home office and then if I’m actually at a client’s business. Plus I try to spend as much time with the wife and kids, so having something local on one of the machines probably isn’t going to work. The reason I have 2 offices is I have my main office plus I work long term with a company so I’m there a good 10-15 hours a week.
What I didn’t want to have happen is my laptop get stolen and have a local file that contained all the usernames/passwords. Too many people have the same username and password to their banking and stuff like that.
@ChistopherBurton interesting! I’m curious what they come up with.
Yeah, I know there are many, far more “mobile” people than me. And I completely agree about not carrying an open file around on a laptop. Encryption might help you there.
If I were to store such information remotely, I’d put it on a machine I own (or at least control), where the only access would be via ssh. I avoid things like Dropbox – I don’t trust them – but I’ll admit that it’s mostly a personal aversion.