Essays draft
This is a work in progress and is not officially published yet.

series: Login Bingo

by Matthew Lyon

It’s time to log in to the system to do the thing. For whatever reason, this is a system where you only have a single set of credentials for a single account, despite needing to have multiple people access this account.

Perhaps it’s for a household utility you need to co-manage with your partner or roommages: the power company, garbage collection, your internet service provider, or such.

Perhaps it’s something related to child care you need to co-manage with your partner, co-parent, or other care provider: the system your school district uses to interface with parents or collect lunch funds, or some other provider, where a child’s record may only belong to one login account.

Perhaps it’s something used in a work context, but either the system doesn’t support sharing resources between accounts, or that feature is prohibitively expensive and so your team is making do without for now.

Unfortunately, the credentials no longer work for some reason. Perhaps someone had to change the password the last time they logged in, and forgot to update the password manager or otherwise failed to let people know. Perhaps someone decided to become a bad actor; a co-parent firing an opening volley in what will become a nasty divorce, a team member who ragequit after being denied a cost-of-living wage adjustment. Either way, now you have to figure out how to restore access to the system, which may prove problematic since the account may not actually be in your name.

Whatever the excuse, a system that forces multiple people to share credentials to a single account in order to co-manage a resource that is otherwise shared is not only poorly designed but also encouraging bad security hygiene.

In my personal life, this pattern occurs mostly in household & parenting contexts:

  • utilities: the power company, the ISP, the phone company, the city’s utility system

  • devices: the robot vacuum, robot litter box, “smart” air conditioner, security cameras

  • entertainment: the TV streaming box’s on-device purchase system, and accounts with any entertainment providers

  • having a school-age child:

    • the school district’s system for relaying information specific to our child such as grades or assessment test scores, scheduling parent/teacher conferences, or making payment for our child’s school lunch balance

    • sports programs or activity gyms,

    • summer camps or weekend programs

    • health care providers

    • parental controls systems for things such as video games, tablets/computers, or other devices that offer control over content consumption or time-of-day usage

Each of these systems involves a “resource” my partner and I would like to co-manage, whether that’s as simple as billing information or as complex as our child’s schooling, but the system itself lacks the ability for multiple accounts on it to co-manage that resource. So we’re forced to share the credentials for the single account we’re allowed. While a good password manager makes this a great deal easier, it’s not foolproof — sometimes the records don’t get updated or don’t sync properly, and it causes a bit of interrupting confusion.

I’ve seen this pattern in a variety of professional contexts as well. I help my parents’ businesses with various technical & internet-related things, and some tools incur a severe cost increase to allow for the simple ability to enable a second, “separate” account to manage the necessary things. It’s simply not worth $50 a month to avoid this problem by enabling a second account. Are we violating terms of service? Probably? Has it been a problem? No. Have we saved over $5,000 doing this over the years? Yes.

Larger, better-funded companies do this too, and not just small technology startups — but large, well-funded companies: teams using some monitoring tool or such with a high cost-per-seat will sometimes have a single set of credentials shared in a password manager, simply to save a few hundred dollars a month. Sometimes those systems try to combat this type of usage with other antipatterns such as Only One Session.

If your system presents managed resources which people might want to co-manage, it should be designed to allow each person to do this with their own sets of credentials.

If your system charges extra for allowing multiple accounts, seriously consider whether you’ve set your prices fairly, and maybe consider making the first few additional accounts available at no extra cost. You the product owner might think it’s obviously worth $50 a month for someone to grow from a single person to three people: they’re busy doing their thing! they should have better things to worry about besides this paltry cost! But it’s surprisingly easy for a frugal small business owner to say it’s not worth $50/month to go from 1 to 3 people and start down the path of sharing credentials; this becomes a lot less tenable with going from 3 to 5 people, when the second and third person have their own credentials already.

Whatever the reason, if you’re logging in to an account with shared credentials, mark off your Login Bingo square.