Password and Access Security

What to Do When an Employee Leaves and Knows Company Passwords

A practical guide for small businesses that need to remove access, change shared passwords, update recovery information, and protect accounts when an employee leaves.

When an employee leaves and knows company passwords, the business needs a clear process to protect accounts, systems, files, and shared access.

Why this matters

If an employee knows shared company passwords, access may continue even after their individual accounts are disabled. The business needs to identify which passwords were known and decide what should be changed.

This is not about assuming bad intent. It is about protecting the business and creating a clean offboarding process.

Start with a password access review

Make a list of systems the employee could access. Focus first on the most sensitive systems.

  • Email accounts
  • Microsoft 365 or Google Workspace
  • Banking and payment systems
  • Payroll and accounting tools
  • Website and domain accounts
  • Social media accounts
  • Vendor portals
  • Shared password managers

Practical reminder

Disabling the employee's account is important, but it may not be enough if they also knew shared passwords.

Change shared passwords

Any shared password the employee knew should be reviewed. Sensitive shared passwords should be changed quickly.

  • Banking and financial systems
  • Payroll systems
  • Email administrator access
  • Website administrator access
  • Domain registrar accounts
  • Shared password vaults
  • Business social media accounts

Review recovery email and phone numbers

Some systems use recovery email addresses or phone numbers. Make sure former employees are not listed as recovery contacts for business accounts.

Update recovery information to current business owners or approved administrators.

Document what was changed

Keep a record of the offboarding steps completed. This helps the business prove what was done and avoid repeating the same review later.

  1. Document accounts disabled.
  2. Document shared passwords changed.
  3. Document administrator access removed.
  4. Document recovery information updated.
  5. Document files or ownership transferred.
  6. Document who approved completion.

Prevent the same problem next time

After the immediate cleanup, improve the process. Reduce shared passwords, create individual accounts when possible, use a password manager, require Multi-Factor Authentication, and build a clear offboarding checklist.

J3 Systems Group LLC helps small businesses and nonprofits clean up shared passwords, remove access, document account ownership, and create practical offboarding processes.

Need help after an employee leaves?

Turn this guidance into action.

J3 Systems Group LLC can help review accounts, rotate shared passwords, remove access, and create a safer offboarding process.

Book a Free Consultation