Access refined: Securely store your newsroom’s passwords

Twitter. Instagram. Storify. Pinterest. Bitly.

For editors, publishing and sharing the news often involves a frantic and time-consuming search for the right username and password. Was it written on an spreadsheet or squirreled away in a desk somewhere? Where did that sticky note go?

Worse yet, the litany of passwords each editor is supposed to remember makes the prospect of using the same codes for multiple accounts tempting. And harried editors usually have more urgent business than chasing down passwords, which can make consolidating them all on an easy-to-steal spreadsheet tempting.

But newsrooms searching for an easy solution for their password problems don’t have to look far. There are several inexpensive and easy-to-use password managers designed specifically for small teams who each need access to different accounts.

The Texas Tribune, a non-profit newsroom in Austin, Texas has about 20 passwords for its social media accounts alone, said Rodney Gibbs, the Tribune’s chief innovation officer, in a telephone interview. Counting the different codes used for other accounts brings the total password count to 250. To keep track of them, the Tribune’s editors use a service called Passpack that enables them to grant access to different accounts without revealing their passwords.

Although there has been some resistance to the service in the newsroom, it has ultimately saved the editors time they otherwise would’ve spent chasing down login information, Gibbs said.

“We were wasting a lot of time before when people were emailing or Google chatting, saying, ‘what’s the password for this, or what’s the password for that?’” Gibbs said. “In addition to being more secure, it saves time along the way.”

Passpack also allows editors to remotely revoke access to accounts when reporters leave the newsroom or change jobs, so turnover isn’t a security problem. And because all of the login information is consolidated under one account, the editors don’t rely on institutional memory.

The downside to Passpack is that it requires everyone to sign in with a password. This can leave the newsroom vulnerable to phishing emails, phony messages that lure the reader into accidently giving away their login credentials.

There are other options for newsrooms that are looking to decrease their chances of being phished. Meldium is a team password manager that gives reporters and editors access to their password-protected sites without requiring them to log in. Because the journalists don’t know the password, they can’t be hoodwinked into accidentally giving it away.

About one-fifth of Meldium’s customers are news or public relations organizations, said Boris Jabes, the company’s CEO.

But even in an era of high-tech password managers, many newsrooms are getting by with other management strategies. The Spokesman-Review in Spokane, Washington, uses a password-protected spreadsheet containing information for about 15 accounts, said Gina Boysun, the paper’s online director.

At The Seattle Times, the digital staff employs an analog strategy to keep track of its social media passwords, said Evan Bush, the paper’s social media editor. Rather than keeping a spreadsheet, staff members memorize passwords they need to use regularly and occasionally write them down. The digital team will likely employ a password manager for its social media accounts as its staff grows, Bush said.

Although analog password management and a password-protected spreadsheet are better than emailing passwords around the newsroom, they still come with security risks, said Eleanor Saitta, a security consultant with the Freedom of the Press Foundation.

Password managers have two main advantages over spreadsheets, Saitta said. First, they usually offer the ability to generate random passwords that are difficult to reproduce. They also let an administrator efficiently manage permissions for different accounts, saving them from the hassle of creating several spreadsheets for different teams.

We have made it easy to comment on posts, however we require civility and encourage full names to that end (first initial, last name is OK). Please read our guidelines here before commenting.