Should you store passwords in a CRM?

The short answer is no! You should not store passwords in a CRM. A CRM system is not designed to hold customer password data, and its security controls are not built to protect passwords.

4 detailed reasons why you should NOT be storing passwords in a CRM:

1) Passwords need to be difficult to extract: If you stored passwords in a CRM system, it would be nearly equivalent to storing all passwords in a notebook or spreadsheet. This means a novice computer user (not even a hacker) could very easily gain access to the login credentials for a large number of systems. Passwords in a CRM system would not be securely encrypted, making it very easy for someone to access all of that sensitive data.

2) Shared Access: CRMs are usually accessed by multiple users within an organization or business. This means that there’s a significant risk of passwords being seen and used by unauthorized staff and contractors.

3) Audit and Accountability Challenges: A CRM system usually lacks the detailed tracking mechanisms required to monitor password access, usage, and purpose. This deficiency complicates the creation of clear, reliable audit trails, undermining accountability within the organization. Without robust logging features, determining who accessed sensitive information and when becomes an impractically complex task, meaning you’re wide open to huge liability because access to the passwords is nearly untraceable.

4) Potential for Accidental Exposure: Routine operations within CRM systems, such as data exports, generating reports, or sharing screens during meetings, carry the risk of accidentally exposing passwords. This inadvertent disclosure can occur far too easily within everyday work tasks. This means sensitive information is vulnerable to an almost trivial degree.
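
One way to check an existing CRM for the exposure described in the reasons above (an added example, not part of the original article): a short Python script that scans a CSV export for populated password columns and for credentials typed into free-text notes. The sample export, column names and match patterns are constructed assumptions; adjust them to your own export format.

```python
import csv
import io
import re

# Column headers that suggest a field is being used to hold a credential.
SUSPECT_HEADER = re.compile(r"(?<![a-z])(password|passwd|pwd|credentials?)(?![a-z])", re.I)
# Free text such as "password: hunter2", "pw = abc123" or "pwd is xyz".
INLINE_SECRET = re.compile(r"\b(password|passwd|pwd|pw)\s*(?:is|[:=\-])\s*(\S+)", re.I)

# Constructed sample export; the columns and rows are invented for this example.
SAMPLE_EXPORT = """\
Account,Contact,Portal Password,Notes
Acme Ltd,Jo Smith,Winter2024!,Renewal due in March
Birch & Co,Sam Lee,,Router login admin / password: c0ffee-Mug
Cedar LLC,Ana Ruiz,,Prefers phone contact
"""

def redact(value):
    """Report only the length, so the audit output never repeats the secret."""
    return f"<redacted, {len(value)} chars>"

def audit_export(csv_text):
    """Return findings as (row_number, column, reason, redacted_value) tuples."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_number, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in row.items():
            # Skip ragged rows (no header for the cell) and empty cells.
            if column is None or not isinstance(value, str) or not value.strip():
                continue
            value = value.strip()
            if SUSPECT_HEADER.search(column):
                findings.append((row_number, column, "credential column populated", redact(value)))
                continue
            match = INLINE_SECRET.search(value)
            if match:
                findings.append((row_number, column, "credential in free text", redact(match.group(2))))
    return findings

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(finding)
```

Treat every finding as a credential that has already been exposed to everyone with CRM access: rotate it, then remove it from the record.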

How should passwords be stored?

This is a complicated answer, but as a guide, passwords should be stored using strong encryption methods and need to be limited to one password per person. The method required depends on the situation and the environment. Wherever possible, you do not want to be storing passwords for your customers.

Typically you have a single password per person who is able to access a system. This has the advantage of making it easy to identify who accesses a system, and it means they are liable for protecting that password.

If you are storing passwords for customers or clients, then you need to seek advice from an IT security specialist to ensure you’re legally compliant. It is incredibly easy to get this wrong, so you’ll need some experienced advice here.