I wrote the following as an email to web service client a while back, and I thought it might be helpful for other small businesses. (And for admins who are ready to suggest similar changes to their clients.)
Oh, and today is World Password Day.
It’s a good time to review some minor changes to accessing everything. First, I cannot overemphasize the great importance of protecting the Example.com domain name. Simple mistakes could result in ownership being lost completely and having to re-identify the business with a different domain name. Recovering the domain name could take weeks or months of downtime, if it’s possible at all. Second, access to DNS records can redirect everything under the domain name: it can allow what’s shown at the www.example.com URL to be replaced entirely and it can hijack all access to all email sent to and from *@example.com.
Fortunately, the solution is easy with these best practices:
For account access, never use an email address that multiple people have access to. Instead, create multiple accounts each assigned to a single person that can access the resource. i.e. stop using email@example.com for access to any account, but certainly not the domain registration account. When this practice is followed, there’s no longer a need to share passwords.
For managing domain names (registration and DNS), don’t use an email address with the same domain name that you’re managing. If the domain name service has a problem, those email addresses could stop working and you’ll essentially be trying to pick yourself up by your bootstraps. i.e. I don’t use firstname.lastname@example.org for managing my danielnorton.com domain name. Instead, I use a highly reliable email address with a different domain not managed by the same registrar (a Gmail account).
Set up two-factor authentication (2FA) wherever possible, ideally using an authenticator app, but SMS authentication is better than nothing. (I use a hardware key for my Amazon servers AWS account.)
To help you easily carry this out, when you can (the sooner the better), if you give me (at least) two email addresses not at @example.com, I’ll add them to the domain registration account and remove email@example.com. (These addresses don’t need to be publicly visible to anyone.) I can give both email addresses full access and let each person set up two-factor authentication for each new user account.
Once those addresses are set up, I’ll remove the firstname.lastname@example.org user (email to and from that address will still work fine), I’ll never need full access again, and I’ll be able to make any DNS changes from my own, more restricted user account.
I welcome your comments on the related Twitter post.