Project closed. Team disbanded. Final report approved. The subcontractor has issued the invoice and vanished from the organizational structure. Everything according to plan? Not quite.
The project account in the client’s system still exists. The [email protected] inbox is still receiving messages. The password to the admin panel of the SaaS tool, which three team members knew by heart, has not been changed. And the history of the Slack thread where someone dropped the login credentials “real quick because the meeting starts in five minutes” is available to anyone with access to the channel.
This is not an exceptional scenario; it is the standard in organizations that manage projects without a systemic approach to access control.
The project environment is a unique case of security management. A fluctuating team composition, time pressure, collaboration with external subcontractors, and the natural impulse to simplify procedures create conditions where bad password practices are the norm, not the exception. The problem has two dimensions: credential security and the operational efficiency of access management. Both require a systemic solution.
Why are project environments so vulnerable to leaks?
When a new team member or an external subcontractor joins a project, the fastest path to productivity is handing over existing login details for the project tools. Nobody creates a new account, nobody configures separate permissions, because the project is already underway, the deadline is approaching, and configuration “will take too long.”
As a result, the same password is known by five, eight, or twelve people. When something goes wrong – a system error, an unauthorized change, a data leak – establishing who performed a specific operation is impossible. As an analysis by CyberFox indicates, when multiple people use the same credentials, accountability ceases to exist. If something goes wrong, it is impossible to determine who was responsible.
Time pressure vs. security
The project environment operates under constant deadline pressure. Security procedures that are acceptable in a stable environment become an obstacle in the middle of a “sprint.” The result is a phenomenon known as security fatigue – exhaustion resulting from security requirements, which leads to bypassing them. According to a 2024 study by AwareGO, 67% of employees feel overwhelmed by continuous security prompts and strict password policies. This frustration translates into specific behaviors: passwords written down on sticky notes, using the same login details across multiple systems, and sending passwords via messaging apps.
The paradox lies in the fact that procedures created to increase security, when too burdensome, generate the very behaviors that lower that security.
Team composition turnover, or the uncontrolled growth of people who know the same passwords
Every change in the composition of a project team is a potential risk. A new member joins – they learn the passwords. A subcontractor finishes their stage, but the passwords remain in their memory, phone, or notepad.
With the dynamic turnover typical of project environments, the number of people who have or once had access to the same credentials grows linearly – while control over those credentials remains static or declines.
Risks typical of project environments
A subcontractor finishes collaboration, but the passwords stay with them
An external agency carried out a deployment project for three months. They had access to the client’s testing environment, the admin panel of the content management tool, and the code repository. The project is finished, the invoice paid, and the contract has expired.
Nobody changed the passwords. Nobody checked whether access to external systems was revoked. The agency’s employees – both current and former – can technically still log into the former client’s systems. Data from Bravura Security shows that only 5% of IT leaders are certain that an employee leaving the organization did not take passwords with them. In the context of external subcontractors, this certainty might be even lower.
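One way to audit the situation described above, as an added example that is not part of the original article or of perc.pass: given a project roster and a register of shared credentials, it lists every credential that has not been rotated since someone who knew it left. The roster, credential names and dates are constructed for illustration, and the code assumes everyone listed in known_by learned the secret in its current form.

```python
from datetime import date

# Constructed sample data; names and dates are hypothetical, not from the article.
# left=None means the person is still on the project.
ROSTER = {
    "anna":       {"left": None},
    "ben":        {"left": date(2024, 6, 28)},   # project manager who moved on
    "agency-dev": {"left": date(2024, 5, 31)},   # subcontractor, contract expired
    "carla":      {"left": None},
}
# Shared credentials: who was given each one and when it was last rotated.
CREDENTIALS = {
    "cms-admin":      {"known_by": ["anna", "ben", "agency-dev"], "rotated": date(2024, 2, 1)},
    "staging-db":     {"known_by": ["anna", "agency-dev"], "rotated": date(2024, 6, 3)},
    "analytics-saas": {"known_by": ["anna", "ben", "carla"], "rotated": date(2024, 6, 1)},
    "repo-deploy":    {"known_by": ["anna", "carla"], "rotated": date(2024, 1, 10)},
}

def stale_credentials(roster, credentials, today):
    """Flag credentials that a departed person still knows in their current form."""
    findings = []
    for name, cred in credentials.items():
        # Someone who left on or after the last rotation knows the live secret.
        departed = sorted(
            p for p in cred["known_by"]
            if roster[p]["left"] is not None and roster[p]["left"] >= cred["rotated"]
        )
        if not departed:
            continue
        first_exit = min(roster[p]["left"] for p in departed)
        findings.append({
            "credential": name,
            "departed_holders": departed,
            "days_exposed": (today - first_exit).days,
            "active_holders": sum(roster[p]["left"] is None for p in cred["known_by"]),
        })
    # Longest exposure first, so rotation starts with the worst case.
    return sorted(findings, key=lambda f: f["days_exposed"], reverse=True)

if __name__ == "__main__":
    for f in stale_credentials(ROSTER, CREDENTIALS, date(2024, 9, 30)):
        print(f)
```

The active_holders count shows how many people need the new secret once a flagged credential is rotated.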
Changing the project manager without handing over access
A PM leaves in the middle of a project or right after its completion. The login details for several project systems disappear with them. The new PM has to obtain access all over again, losing time and operational continuity.
The messaging app as an uncontrolled password repository
A thread on Slack, Teams, or another project messaging app. Someone dropped a system password “real quick” – because the meeting was starting in a moment and a colleague needed immediate access. A message from eight months ago is still sitting in the channel history. Access to the channel is held not only by current project members but also by people who joined later and can see the full history of the thread.
Data from Exploding Topics shows that 41% of IT professionals admit to sharing passwords via messaging apps. Every such message is an uncontrolled credential storage point – outside any access management system.
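A check for the channel-history problem described above, as an added example that is not from the original article: it scans messages in the shape of a Slack channel export for pasted credentials and reports how old each one is and who joined the channel afterwards, without echoing the secret. The message fields (type, subtype, user, text, ts) follow the Slack export layout; the sample messages, user IDs and the keyword pattern are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of a Slack channel export (list of message dicts).
MESSAGES = [
    {"type": "message", "subtype": "channel_join", "user": "U_ANNA", "ts": "1704700800.000100"},
    {"type": "message", "user": "U_ANNA", "ts": "1706000000.000200",
     "text": "real quick, staging panel password: Spr1ng-Demo-24 (meeting in 5)"},
    {"type": "message", "user": "U_BEN", "ts": "1706100000.000300",
     "text": "did anyone reset their password after the workshop?"},
    {"type": "message", "subtype": "channel_join", "user": "U_CARLA", "ts": "1719800000.000400"},
    {"type": "message", "subtype": "channel_join", "user": "U_DEV", "ts": "1722500000.000500"},
]

# Heuristic: a credential keyword, then ':' or '=', then a token of 6+ non-space characters.
CRED_RE = re.compile(r"(?i)\b(?:password|passwd|pwd|pass|login|token)\b\s*[:=]\s*(\S{6,})")

def find_posted_credentials(messages, now):
    """Report messages that look like a pasted credential, without echoing the secret."""
    joins = [(float(m["ts"]), m["user"])
             for m in messages if m.get("subtype") == "channel_join"]
    findings = []
    for m in messages:
        if not CRED_RE.search(m.get("text", "")):
            continue
        posted = float(m["ts"])
        findings.append({
            "ts": m["ts"],          # locates the message so it can be deleted
            "author": m["user"],
            "age_days": int((now.timestamp() - posted) // 86400),
            # Members who joined afterwards can still read it in the history.
            "later_joiners": sorted(u for t, u in joins if t > posted),
        })
    return findings

if __name__ == "__main__":
    as_of = datetime(2024, 9, 30, tzinfo=timezone.utc)
    for finding in find_posted_credentials(MESSAGES, as_of):
        print(finding)
```

Each finding calls for the same follow-up: rotate the credential first, then delete the message.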
Central access management in a project environment
perc.pass, as a tool for central password management in an organization, introduces an architecture to the project environment that solves both dimensions of the problem simultaneously: credential security and the operational efficiency of access management.
Team groups with permission control
Every project can have a dedicated group with precisely defined permissions for its members – full access, read-only… New people joining the project gain access to credentials within minutes. People leaving the project lose it instantly.
Operation history at the project level
The central access registry logs who had access to which project resources, and when. In the event of an incident – e.g., a configuration error, an unauthorized change, or a data leak – the operation history makes it possible to reconstruct precisely what happened and to determine the scope of the incident.
Access revocation without disrupting the team’s work
When a subcontractor finishes collaboration or an employee changes projects, their access ends with a single click.
Onboarding a new member
A new developer joins the project in the middle of a sprint. Instead of sending him a list of passwords to a dozen systems via email or Teams, the owner assigns him to the project group in perc.pass. From that moment on, he has access to all necessary credentials.
If you want to check what central access management looks like in project practice – test perc.pass during a free trial period. Configuring your first project group takes just a few clicks.