How We Keep Client Passwords Safe

With Google AdWords, agencies can give their team members access to client accounts without a master password. It’s one of the only products where Google understands the relationship between an agency and its client. In Google Analytics, for instance, no such feature is offered. Is this because agencies don’t manage the Google Analytics accounts of their clients? Nothing could be further from the truth. 

As a client, you don’t want to give your GA master password to an agency. Do you want to have to keep track of the agency's team and access levels, even if you've never met those folks? We didn't think so, so we set out to find a better way. 

Most Companies Attack the Google Analytics Access Problem In One Of Three Ways

1. Have the client manage all agency employee access. The client grants each individual agency employee access and revokes it when the agency employee is no longer on the project.
2. The client gives the agency admin access and lets the agency manage its own employees. Here the client makes the agency an administrator on the account, and lets the agency add or remove their own staff as needed.
3. The client gives access to a master agency account, and the agency lets everyone in their company have access to it. Most commonly used in AdWords, a special agency account is created, and that agency account can be accessed by any staff member in the agency.

But none of these solutions solves the real issue:

What happens to Client passwords when a team member leaves an agency?

If an agency staff member leaves, the options are:

1. Ask the client to remove the employee. If the agency employee left under difficult circumstances, this solution is potentially embarrassing. But even under the best circumstances, this is not a great use of your time as a client. 

2. The agency removes the employee from the client's master account. Ok, this is somewhat better. But a master agency account that has to be regularly managed doesn't scale. And as a client, you may not know if your account is being managed effectively. This is a suboptimal and error-prone solution.

3. The agency removes the employee from the agency's master account. Ok, this is better for the client in multiple ways. But what if no agency employees need admin access to your accounts? And how do you know the agency has done that?

4. Change the password on the account. In the case of single password products like Twitter, the password has to be changed, again, and again, and again, leading to confusion. 

Our managing partner Scott Meehan came up with an elegant solution for all four of these use cases.

TimeshareCMO's Solution To Client Account Access

Our solution not only scales to any agency size, but it also works for any single password scenario. For example, social media accounts (we're looking at you, Twitter and Pinterest!), shared tools like Mailchimp, and many other great MarTech tools do not offer multiple permissions.

Meet LastPass.  

Yes, a password manager. Hear us out.

First, forget about the esoteric arguments that security nerds make. Everyone can and should be using a password manager.

Second: the admins on any LastPass account absolutely should be using the strongest master passwords, and everyone should have two-factor authentication installed. But your agency should be doing that anyway, because they care about you, right?

How To Use LastPass For Client Google Analytics and Other Shared Permission Accounts


1. Open a LastPass Account. Here's a LastPass tutorial for beginners from Lifehacker.com

2. Have an admin-level user create brand new secure passwords (say for the agency master account). Or have the client give you new passwords.

3. Require secure, strong passwords from your staff, as well as two-factor authentication.

4. Enter the username and password for each account into LastPass in a shared folder.

5. Have different folders for different employees based on clients, access levels, and so on. Here's a sample of one folder we use for shared resources at the company, regardless of level. 

A shared folder in LastPass that we use to access common accounts.

6. Set each website's entry so that anyone with access to the shared folder who is NOT an admin cannot see the password to the site. It looks like this: 

At TimeShareCMO, most of our team members never see client passwords!
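The folder setup in steps 4 to 6 can be checked with a short offboarding audit. The sketch below is an added example, not TimeshareCMO's or LastPass's code: the folder names, users, and the `Member` data model are constructed for illustration, and it assumes a password needs changing only if the departing person was able to view it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Member:
    user: str
    admin: bool = False          # folder admins can always view passwords
    hide_passwords: bool = True  # step 6: non-admins can log in but not view

# Constructed sample data: folder -> (site entries, members).
SHARED_FOLDERS = {
    "Shared-ClientA": (
        ["analytics.google.com", "twitter.com"],
        [Member("alice@agency.example", admin=True),
         Member("bob@agency.example"),
         Member("carol@agency.example", hide_passwords=False)],
    ),
    "Shared-Company": (
        ["mailchimp.com"],
        [Member("alice@agency.example", admin=True),
         Member("bob@agency.example")],
    ),
    "Shared-ClientB": (
        ["pinterest.com"],
        [Member("carol@agency.example", admin=True)],
    ),
}

def offboarding_plan(user, folders=SHARED_FOLDERS):
    """Return (folders to remove the user from, entries whose password
    the user could view and which therefore need a new password)."""
    revoke, rotate = [], []
    for name, (entries, members) in sorted(folders.items()):
        for m in members:
            if m.user != user:
                continue
            revoke.append(name)
            if m.admin or not m.hide_passwords:
                rotate.extend(f"{name}/{e}" for e in entries)
    return revoke, rotate

def misconfigured(folders=SHARED_FOLDERS):
    """Non-admin members who can still view passwords (step 6 not applied)."""
    return sorted((name, m.user)
                  for name, (_, members) in folders.items()
                  for m in members
                  if not m.admin and not m.hide_passwords)

if __name__ == "__main__":
    for who in ("bob@agency.example", "carol@agency.example"):
        print(who, offboarding_plan(who))
    print("visible to non-admins:", misconfigured())
```

In this sample, removing bob requires no password changes, while carol's departure flags three entries, which is the difference step 6 is meant to make.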

Employees can also maintain their own private LastPass accounts for their own personal passwords, seamlessly, so there's no conflict between personal and work accounts. And LastPass offers endless customization for security for freelancers, partners, and everyone in between. 

We've been working with this solution for about months now and find it easy to maintain, scalable, and effective. 

So we're going to continue using this solution, and suggest it to startups, agencies, or any company that needs to share passwords. Our next step is to create multiple GA accounts with permission levels so we can assign specific permissions to various consultants, depending on the need.