Purpose #
This article explains how Shopstars and its clients handle passwords and credentials for Shopify, advertising platforms, analytics tools, and third-party integrations. It covers why credential security is critical, how credentials should be shared, how they are stored, and how they are rotated. Clients should use this as the reference for maintaining safe, reliable access control across all systems.
Why Credential Management Matters #
Weak or poorly managed credentials are one of the most common causes of account breaches. Sharing passwords through insecure channels like email or chat not only puts client data at risk but also creates accountability issues when multiple people use the same login. Proper credential management ensures that access is secure, traceable, and revocable at any time.
General Principles #
- Use official invitation systems whenever possible. Platforms like Shopify, Meta, Google Ads, and GA4 allow adding team members without sharing credentials.
- Apply least privilege. Users should only have access to what they need. Developers may require admin access, but contractors or auditors may only need read-only permissions.
- Enable two-factor authentication (2FA). This adds a critical layer of security against brute-force or phishing attacks.
- Avoid password reuse. Each platform must have its own strong, unique password.

Secure Sharing Practices #
When credentials must be shared (for example, FTP or server access):
- Use password managers. Shopstars recommends tools like 1Password or LastPass for sharing credentials securely.
- Avoid plain text. Passwords should never be sent by email, Slack, or Basecamp messages.
- Set expiration dates. Temporary access credentials should expire automatically after the project or task is complete.
- Document securely. If credentials must be recorded for traceability, they are stored in encrypted password management systems, not in project threads.

Storage Standards #
Shopstars maintains strict storage practices:
- All credentials are stored in an encrypted password manager accessible only to authorized team members.
- Credentials are never written in spreadsheets, documents, or emails.
- Any legacy systems that cannot support modern access control are isolated and monitored.

Credential Rotation #
Regular credential rotation is mandatory for sensitive systems.
- Shopify admin and staff passwords should be rotated at least every 90 days.
- API keys and tokens should be regenerated when staff changes or when third-party access is no longer required.
- Ad platform logins should be rotated immediately if suspicious activity is detected.

When Shopstars team members offboard from a project, their access is revoked immediately, and related credentials are updated.
API Keys and Tokens #
Many integrations require API keys rather than usernames and passwords. API keys should:
- Be generated with the minimum scope required
- Be stored securely in password managers or environment variables (for custom apps)
- Be rotated regularly or when integrations are retired

Clients should provide API keys through secure password sharing tools, never via email or unencrypted text.
Client Responsibilities #
Clients must:
- Provide credentials only through approved secure channels
- Enable 2FA on all accounts shared with Shopstars
- Rotate credentials when team members leave or roles change
- Notify Shopstars immediately if a credential is suspected to be compromised

Summary #
Password and credential management at Shopstars follows strict security practices. Access is granted via official invitation systems whenever possible, credentials are stored in encrypted password managers, and rotation policies ensure long-term safety. Clients are expected to use secure sharing methods, enable 2FA, and manage credential lifecycle responsibly. This structured approach protects both client data and business continuity.
