As agencies, we often receive and hold our clients’ credentials for all sorts of sites — email-automation applications, FTP servers, hosting accounts, social media accounts, and more — but do you provide your client with adequate protection, including how you receive those credentials and how you share them internally? I bet not.
Agencies are rarely able to focus on the solitary task of architecting email campaigns; a good multi-touch campaign will have social media, press announcements, landing pages, web pages, microsites, shopping cart pages, and more. If that is a typical effort, we must gather, store, access, share, update, change, and protect our client user names and passwords for:
Some of these are extremely sensitive sites representing great potential financial exposure to the client. Yet it’s common for the client to email their login credentials without so much as a second thought.
We need to invest in education — internally and externally.
I asked a client today for their PayPal credentials so we could configure their payment gateway and requested the user name by email and the password by text to my phone. I received both the user name and password in the same email and the password was — I kid you not — her first name. I wrote back and asked her to log in immediately, change the password to something VERY hard, and resend via TEXT. I explained the financial-loss risk associated with emailing passwords to sites such as this, which have direct access to the company’s bank accounts.
She texted me the new password a few minutes later. Her first name followed by 1234. What’s worse, it’s the same password she was using for all of the company’s and her personal social-media accounts, the company hosting account, and the company main email.
I could only sigh, log in, and change the password myself, which I did, and then texted it to the business owner.
In a conversation about this with my 30-year-old son (yes, a gamer/hacker), he pointed out to me this is an issue of semantics. My client’s understanding of a difficult password and my understanding differed (substantially), and thus when I requested a difficult password, she believed adding 1234 created sufficient security.
Many hackers make no attempt to guess passwords. They go the easy route of grabbing your password during a security breach. Think back to recent news when Adobe servers were hacked and millions of email addresses and matching passwords were stolen. If your client is (or you are) using that same email address and password for accessing other accounts, then the hackers who attacked Adobe may well now have access to your bank account, your credit cards, and so much more.
When we ask our clients for their credentials and do not enable them to provide these to us securely — and compound the problem by forwarding those unsecured emails to our team — we increase our clients’ risk and their potential losses.
Here are some ideas for helping your clients protect themselves: