By Nicole Nguyen
June 11, 2023
Sharing is caring. But sharing passwords is…a major security risk.
1Password
Since we inevitably do it anyway—like when your kid asks for the Disney+ login or when your spouse needs access to the grocery-delivery account—I asked experts on identity theft and cybercrime if there are safe ways.
Netflix estimated that roughly 100 million people are using the streaming platform with someone else’s password, which is against the company’s terms of service. The service recently cracked down on the practice after turning a blind eye to rule breakers for years.
But sharing isn’t just for account moochers. I often help less tech-savvy loved ones with app troubleshooting remotely. I also need to share online logins for utilities and other joint accounts with my husband.
The experts said password sharing is generally a bad idea. Your digital security is only as strong as your weakest link, and if that link is a former roommate’s cousin, you could be in trouble. If you reuse passwords, the people you share with can easily get into your other accounts. And even if you have unique passwords for every service, your sharing buddy could get hacked. But there are ways to share more responsibly and securely, if you focus on three main risks factors:
• What login details you send
• How you send them
• Whom you send them to
Here’s how to think through which passwords you can share in a safe way, and which ones you should never share.
Limit the WHAT
Not all accounts expose you equally.
“Email is the most risky,” said Zulfikar Ramzan, chief scientist at Aura, an identity-theft protection service. Email can be used to reset other account passwords of yours, so you should keep it to yourself. The same goes for your phone’s passcode, as we explained in our recent investigation.
Financial accounts are also not something you should share, said Ramzan. “As you get further down the stack, it gets less critical,” he added.
Look at what’s visible in the account’s setting page before you share. Are credit-card or bank-account details available?
And never share a password that’s used across multiple accounts. If you need to share a password, consider making up a new one for that purpose. Password managers can help you create and store strong, unique passwords for each account.
Consider the HOW
“Using email or SMS is the equivalent of sending a postcard,” said Ramzan, “and you wouldn’t put something sensitive on a postcard.”
Those communication methods generally aren’t encrypted end-to-end, so they’re easier for criminals to snoop. Your cell carrier has access to all of your regular texts. Better bets would be Apple’s iMessage (blue bubbles) or WhatsApp, where messages are encrypted and inaccessible to the companies that operate them.
Password managers, which include tools for sharing passwords, are even safer, Ramzan said. They employ what’s called “zero-knowledge” security. In other words, the manager can never read your data—only you have access with your master password.
Scrutinize the WHO
It might seem obvious, but only share credentials with trusted parties. And if your relationship with someone changes…so should any shared passwords.
Even someone you know well could pass on a vulnerability by clicking on malicious links or downloading malware, said Trevor Hilligoss, director of security research at cybercrime analytics firm SpyCloud. If your password is stolen through such an attack, your account could be compromised.
A good approach is to share the password for a limited time, by changing it after a set period. “Set a reminder on your phone and change your password in two weeks,” Hilligoss said. For some services, such as Netflix, Spotify and Disney+, you can boot off moochers.
Share encrypted logins
Most password managers have login-sharing tools. In 1Password, you can share copies of any items in your vault. 1Password will create a link you can send to anyone. You can set the link to expire after a set period, between one hour and 30 days. Dashlane users can share saved items with other Dashlane users. You can always click on the item in your vault to revoke access.
On an iPhone, iPad or Mac, you can share a password from iCloud Keychain with a contact through AirDrop. Apple just announced that its iOS 17 software update, expected this fall, will support sharing multiple passwords, two-factor verification codes and passkeys stored in iCloud Keychain. Your trusted contacts must have iPhones, and you can sort them into groups.
Use family plans
Most streaming services require account sharers to be in the same household—that is, living at the same address. According to those terms, a kid away at college using a parent’s account would technically break the rules.
But many family plans don’t require you to live under the same roof. Better yet, they allow you to split subscription benefits without having to share a password. Even in your home, with your own kids, this is a smarter approach. Major family-plan offerings include Amazon Household with two adults, Apple One with up to six people, Google One for up to six people and Steam Games for up to five people across 10 devices. Uber now offers family profiles that include teenagers.
Set up a legacy contact
Giving access to your online accounts in case you die or become incapacitated is tricky but imperative. Google lets you designate a contact if your account goes inactive. And Apple offers you a legacy contact to collect your account if you die.
Some people give their password list to a law office or bank safe deposit to hold.
For sharing that all-important login for your password manager, Hilligoss proposed a high-security, low-tech solution: “Write your master password down on a Post-it note and stick it in a safe, or somewhere physical, where malware can’t get to it.”
—For more WSJ Technology analysis, reviews, advice and headlines, .
Write to Nicole Nguyen at nicole.nguyen@wsj.com
Dow Jones & Company, Inc.
