Skip to main content
tech.org.au home

Guide

How to share account access without losing control

The wrong way is texting someone your password. There is a right way for almost everything.

Updated 9 July 20268 min readBy AngusPart of Online safety tips

Sooner or later you need to share account access safely: a partner paying the bills, a bookkeeper doing the accounts, an employee running the socials, or an IT person fixing the website. Most people solve it by handing over their password, and that is where control quietly slips away.

Shared passwords cannot be un-shared. You cannot tell who did what, you cannot take access back without locking everyone out, and the person now effectively is you. Almost every service has a better way built in. This guide covers the right way to delegate, and just as importantly, how to take access back cleanly when things change.

The one rule: give access, never give your identity

Your main email account and the recovery details on your accounts are your digital identity. Whoever controls them controls everything, including the ability to lock you out. So the rule is simple: other people get their own login, their own role, or a shared entry in a password manager. They never get your email password, and recovery email addresses and phone numbers always stay yours.

Sharing with family, the right way

For couples and families the goal is shared convenience without a single point of failure.

  1. Use a password manager with family sharing. You each keep your own vault and share only the specific logins you both need, like streaming or utilities.
  2. Use the platform's built-in family features for purchases, photos and subscriptions on Apple and Google, instead of everyone using one account.
  3. For emergencies, set up each provider's official legacy or emergency access feature rather than writing master passwords on paper.

Good to know

  • Banks want each person to have their own login on a joint account. Sharing one internet banking login can breach the bank's terms and muddy fraud protection.

Sharing in a small business

Businesses lose control fastest, because access gets handed out in a hurry and nobody writes it down. Use roles, not shared logins, everywhere they exist.

  1. Accounting software: invite your bookkeeper or accountant as their own user with an adviser role. Never share the owner login.
  2. Email: use delegated access or a shared mailbox so staff can send and read without knowing a password.
  3. Social media: add staff as page users or editors with their own logins. The page owner role stays with you.
  4. Banking: ask your bank about card or user limits and authorisation levels for staff instead of sharing internet banking credentials.

Sharing with your IT person or web developer

This is the one that hurts businesses most when it goes wrong, because the assets involved are the business. Two things must always remain registered to you and in your name: your domain name and the email account everything resets to.

  1. Domain names: the registrant must be you or your business, never the IT provider. Most registrars and hosts have delegate or additional user features for the day-to-day work.
  2. Websites: give your developer their own admin user on the site, not your hosting account password.
  3. When you engage someone new, create access for them on day one the proper way. It takes ten minutes and sets the pattern.

Good to know

  • If a provider insists things must be registered under their account for convenience, treat it as a red flag. Convenience for them can become a hostage situation for you if the relationship sours.

Keep a simple access register

None of this works if you cannot remember who has what. Keep one simple list, on paper or in a note: the service, who has access, what kind, and when it was granted. Five lines is enough for a household. A page is enough for a small business. When someone asks for access, you add a line. This one habit is the difference between offboarding in ten minutes and hunting for a week.

Taking access back: the offboarding checklist

When an employee leaves, a provider changes, or a relationship ends, work through your register the same day.

  1. Remove or disable their user on each service in the register. Removing a user is clean, and nothing else changes.
  2. Where something was genuinely shared, change that one password and update it in the password manager.
  3. Check each important account's signed-in devices and connected apps, and sign out anything of theirs.
  4. Confirm recovery email addresses and phone numbers on your key accounts are still yours.

Good to know

  • If the departure is hostile, or you suspect access is being misused, do the email account first, then work down. Our guide on checking who has access to your accounts covers the full sweep.

Frequently asked questions

Is it safe to share passwords with family?

Share specific logins through a password manager's sharing feature, which you can revoke later, rather than telling people passwords. The passwords to keep strictly to yourself are your main email account and anything that receives security codes, because those control the recovery of everything else.

How do I give my accountant access to my accounts?

Invite them as their own user inside your accounting software, most packages have an adviser or accountant role built in. They sign in as themselves, you can see what they do, and you can remove them in one click when things change. Never hand over your own login.

Should my IT provider own my domain name?

No. The domain should be registered to you or your business, with your details as the registrant, always. A provider who controls your domain effectively controls your website and your email, and getting a domain back from an uncooperative or vanished provider is slow and sometimes impossible. Give them delegate access for the technical work instead.

What is delegated access?

Delegated access is a service's built-in way of letting another person act on your account with their own login, without knowing your password. Email delegation, adviser roles in accounting software, page roles on social media and registrar delegate users are all examples. It is revocable, auditable and always safer than sharing credentials.

What should I do when an employee with account access leaves?

On their last day, remove their user from each service on your access register, change any genuinely shared passwords, sign out their devices from important accounts, and confirm recovery details on key accounts are still yours. If you kept a register it is a ten minute job.

What if I have already shared my main password with someone?

Fix it now rather than waiting for a problem. Change that password from a device you trust, turn on two-factor authentication, sign out all other devices, then set the person up with proper access using the service's sharing or role features if they still need it.

More in the online safety tips hub

Get one useful tech tip a week

Plain-language guides and the occasional scam warning, sent when it matters. No spam, unsubscribe anytime.

Prefer to just ask? angus@tech.org.au or use the contact form.

Join the newsletter