Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

when is it a good idea to share a password with someone anyway?


My spouse and I share our streaming media accounts, for example. We also share passwords for the account on the utility company website, the phone company, and the internet company, some are under my name, some his, but they are really joint bills.

The other case I've run into is at work, when the company has an account with an outside vendor rather than individual users.


Some scenarios I have seen:

- You have a social media account that a group of people should be able to access. (Facebook does this "right," in that pages don't have their own login credentials, and you go through your personal Facebook account to access the page. But I kind of wouldn't want to use my personal Facebook account for work, anyway. Twitter, Instagram, Reddit, etc. treat each account as its own log-in-able entity.)

- You have an AWS account where you want to avoid a single point of failure for the root credentials. Yes, each person should use their own IAM creds for day-to-day use, but if person X is unavailable person Y should be able to get to things. (And for casual projects, "learn about IAM" is a significant burden over "learn how to upload pages to S3" for limited benefit.)

- You have a web hosting account from someone who's not AWS who gives you a single username and password. Or a DNS registrar account (most registrars I've seen don't let you split up access). Or whatever.

- You have a shared email account for replying to things as a team, or even for just archiving emails. Again, some systems do this "right" - if you're using Exchange, you can allow one user to access another user's inbox. But most people aren't on Exchange, they're on something like Gmail.

- You have an account for some service where you shouldn't be sharing passwords according to the service, but doing so is strictly in the service provider's benefit, not yours. Netflix is the canonical example.


Your root AWS account should have 2FA, and storing TOTP seeds in your cloud password manager makes it 1FA.


I have 2FA on my shared AWS account - my project partner and I both scanned the QR code at the same time. (You should be backing up your QR codes anyway in case you lose/break your primary phone; scanning it simultaneously with a secondary phone is a great approach for this.)

Even if this weren't possible, it would still be better to use 1FA than to arbitrarily pick one person to have root account access and lock the other person out simply because you "should" have 2FA.


The scenario I often have is a group of sysadmins and you all need access to a vendor's page.

At home, I take care of most of the bills. There are a few services where bills are under her name and account, but I need access.


Whenever you need a shared account for anything.

It's the superior choice to sharing an existing/personal account.

And people will do it, the best you can do is making the sharing secure.


When there is no better option. For example some B2B partners only provide one set of credentials for their management interface.


Family sharing accounts for Netflix, Spotify, the thermostat, the newspaper, ...




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: