
Your property managers are logging into AppFolio from the office, from the field, and from their personal phones. Your leasing agents are accessing Buildium or Yardi Voyager from apartment communities across the valley. Your accounting team is in QuickBooks. Everyone on your team uses half a dozen platforms every day — and if they're using the same password across multiple systems, a single compromised account can expose every tenant record, every lease document, and every financial transaction your company manages. A 2024 Cybernews study analyzed nearly 19 billion exposed passwords and found that 94% of them were reused or duplicated. Property management companies, with teams spread across multiple locations and dozens of tenant files in cloud-based systems, are exactly the kind of target credential-stuffing attackers are looking for.
Credential Stuffing and Why Property Managers Are High-Value Targets
Credential stuffing is an automated attack where criminals take username-and-password combinations leaked from one data breach and systematically test them against other platforms. They don't need to hack your software directly — they just need to find a password your leasing agent reused from some other site. AppFolio, Buildium, Yardi Voyager, and RealPage are all known platforms. Attackers maintain lists of property management software and run credential tests against them constantly.
Once inside your AppFolio account, an attacker has access to everything: tenant Social Security numbers from rental applications, banking details used for ACH rent payments, lease agreements, maintenance records, and owner financial reports. For a property management company that handles hundreds or thousands of tenant records, a single credential compromise can be a catastrophic breach — not just of your business, but of your legal obligation to protect the personal information your tenants gave you.
And the access goes beyond your software. Your team's email is the command center of your entire operation — lease execution, maintenance coordination, owner communications, and wire transfer instructions all flow through email. If a property manager's email password is the same as their AppFolio password, compromising one means compromising both.
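Credential stuffing leaves a recognizable trail in sign-in logs: one source working through many different accounts and failing on most of them. The script below is an added example, not part of the original article or any vendor's tooling, and shows one way to spot that pattern; the log format, column names, addresses, and thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample sign-in export. The column names are assumptions;
# map them to the fields your email or identity provider exports.
SAMPLE_SIGNINS = """\
timestamp,src_ip,username,result
2025-03-04T02:11:01Z,203.0.113.50,agent1@example.com,FAIL
2025-03-04T02:11:02Z,203.0.113.50,agent2@example.com,FAIL
2025-03-04T02:11:03Z,203.0.113.50,pm.lee@example.com,SUCCESS
2025-03-04T02:11:04Z,203.0.113.50,acct1@example.com,FAIL
2025-03-04T02:11:05Z,203.0.113.50,maint1@example.com,FAIL
2025-03-04T02:11:06Z,203.0.113.50,owner.rel@example.com,FAIL
2025-03-04T08:30:10Z,198.51.100.7,agent2@example.com,FAIL
2025-03-04T08:30:25Z,198.51.100.7,agent2@example.com,FAIL
2025-03-04T08:30:41Z,198.51.100.7,agent2@example.com,SUCCESS
"""


def find_stuffing_sources(log_text, min_accounts=5, min_fail_ratio=0.8):
    """Flag source IPs that try many different accounts and mostly fail."""
    stats = defaultdict(lambda: {"tried": set(), "ok": set(), "fail": 0, "total": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        s = stats[row["src_ip"]]
        s["tried"].add(row["username"])
        s["total"] += 1
        if row["result"] == "FAIL":
            s["fail"] += 1
        else:
            s["ok"].add(row["username"])

    findings = []
    for ip, s in stats.items():
        # One person mistyping a password hits one account; stuffing hits many.
        if len(s["tried"]) >= min_accounts and s["fail"] / s["total"] >= min_fail_ratio:
            findings.append({
                "src_ip": ip,
                "accounts_tried": len(s["tried"]),
                # Successful logins from a flagged source: reset these first.
                "reset_now": sorted(s["ok"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_stuffing_sources(SAMPLE_SIGNINS):
        print(finding)
```

Any account listed under `reset_now` logged in successfully from a flagged source, so it should get a password reset and a session review before anything else.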
The Mobile Access Problem
Property management is a mobile business. Your leasing agents are touring units, your property managers are at inspections, your maintenance coordinators are in the field. They're accessing your systems from personal phones, personal laptops, and shared office computers at apartment communities. Every one of these access points is a potential entry for a credential-based attack — and mobile devices add complexity that office-only environments don't have.
When a leasing agent accesses AppFolio from their personal phone using the same password they use for their personal email, a breach of their personal email account immediately puts your tenant data at risk. They're not trying to create a security problem — they're just trying to do their job conveniently. But convenience and security work in opposite directions when passwords are shared across personal and professional systems.
What Good Password Security Looks Like for Property Management
Password Managers for the Whole Team
Tools like 1Password, Bitwarden, and Dashlane generate unique, complex passwords for every platform and store them securely so your team doesn't have to remember them. Your property manager gets a different password for AppFolio than for Buildium, a different one for their email than for QuickBooks. A breach in one place doesn't cascade.
Password managers work on mobile devices, which makes them practical for teams that are always on the go. Most major platforms have browser extensions and mobile apps that autofill credentials seamlessly. Once the habit is established, it actually makes logging in faster — not slower — because nobody has to type anything.
MFA on Every System That Holds Tenant Data
Multi-factor authentication requires a second verification step beyond the password — typically a code from Google Authenticator or Microsoft Authenticator, or a push notification to a trusted device. Even if a property manager's password is stolen, MFA stops the attacker from completing the login.
AppFolio, Buildium, Yardi Voyager, RealPage, and most email platforms support MFA. Enable it everywhere it's available. For systems that handle ACH transactions or wire transfers — QuickBooks, your bank's online platform, Rent Manager — MFA should be considered non-negotiable. These are the accounts where a successful login by an unauthorized party can directly cost you or your clients real money.
Regular Access Audits
Who in your organization currently has access to your AppFolio database? What about former property managers who left six months ago? Leasing agents who transferred to a different property? The property where a former employee worked? Access audits — reviewing who has credentials to which systems and removing access that's no longer needed — are a basic security practice that many property management companies skip because there's always something more urgent to handle.
Schedule an access audit quarterly. Make it a standing item. It takes less time than you think, and it eliminates entire categories of credential risk.
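A quarterly audit comes down to comparing the user list exported from each platform against your current staff roster. The script below is an added example, not from the original article or any vendor; the CSV layouts, column names, and sample people are constructed assumptions to adapt to your own exports.

```python
import csv
import io

# Constructed sample data. Column names are assumptions, not a vendor export format.
PLATFORM_USERS = """\
email,role,property
dana@example.com,Property Manager,Oak Ridge
eli@example.com,Leasing Agent,Oak Ridge
fay@example.com,Leasing Agent,Maple Court
gus@example.com,Accountant,All
oldadmin@example.com,Admin,All
"""

HR_ROSTER = """\
email,status,property
dana@example.com,active,Oak Ridge
eli@example.com,terminated,Oak Ridge
fay@example.com,active,Cedar Flats
gus@example.com,active,All
"""


def audit_access(platform_csv, roster_csv):
    """Return (email, finding) pairs for accounts that need review."""
    roster = {r["email"].strip().lower(): r
              for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(platform_csv)):
        email = acct["email"].strip().lower()
        person = roster.get(email)
        if person is None:
            # Nobody on the roster owns this login (shared or leftover account).
            findings.append((email, "no matching employee: confirm owner or remove"))
        elif person["status"].strip().lower() != "active":
            findings.append((email, "employee no longer active: remove access"))
        elif person["property"] != acct["property"]:
            findings.append((email, "now assigned to %s, account scoped to %s: re-scope"
                             % (person["property"], acct["property"])))
    return findings


if __name__ == "__main__":
    for email, finding in audit_access(PLATFORM_USERS, HR_ROSTER):
        print(email, "->", finding)
```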
Wire Fraud: The Password Risk That Can Cost You Hundreds of Thousands
For property management companies, the highest-stakes consequence of compromised credentials isn't just data exposure — it's wire fraud. Your team routinely processes large financial transactions: owner disbursements, security deposit transfers, vendor payments, and earnest money handling if your company is also involved in real estate transactions.
Attackers who gain access to your email through credential stuffing don't just read messages — they monitor them. They learn your patterns, your relationships, and your transaction timing. When a large payment is about to be made, they send a spoofed email with new wire instructions, timed perfectly to look like a routine update. The funds go to the attacker's account. By the time anyone realizes what happened, the money is gone and nearly impossible to recover.
Strong, unique passwords on all email accounts — combined with MFA — are the first line of defense against this attack. One reused password on one email account can result in a fraud event that costs your company or your clients six figures.
Protecting the Tenant Records Your Business Depends On
Your tenants gave you their most sensitive information — Social Security numbers, bank account details, employment records — because they needed a place to live and they trusted your company to handle that information responsibly. Strong password security isn't just a technology policy. It's part of the obligation you take on when you accept a rental application.
Ready to get your team's password hygiene sorted before it becomes a much bigger problem?
We work with Salt Lake City property management companies to protect tenant data and secure real estate transactions. Schedule a free discovery call to talk through where your current credential security stands and what needs to change.
Frequently Asked Questions
We have leasing agents accessing AppFolio on personal devices. How do we manage that?
Personal device access to business systems is a real risk — the solution isn't to prohibit it, which often just makes people work around the policy, but to require specific security configurations on any device that accesses your systems. At minimum: a password manager for credentials, MFA enabled, and a device PIN or biometric lock. Some property management companies implement mobile device management (MDM) software that applies security policies to any device enrolled in their platform. Your IT provider can help you find an approach that works for your team's mobile reality.
What's the risk of our wire transfer accounts being compromised through a credential attack?
Very high, and the consequences are severe. Business email compromise (BEC) and wire fraud are the top financial cyber threats facing property management companies. If an attacker gains access to your email through a compromised password, they can monitor transactions, spoof wire instructions, and intercept payments. Strong, unique passwords plus MFA on all email accounts — combined with a policy requiring verbal confirmation for any wire transfer instruction received by email — dramatically reduce this risk.
How do we get the whole team to actually use a password manager?
Make it easy and make it a requirement, in that order. Roll out the password manager as a company-provided tool — cover the cost of the subscription, pre-configure it, and spend 30 minutes walking the team through the basics in a team meeting. Frame it as a benefit: no more forgotten passwords, no more getting locked out of AppFolio at a bad moment. Then establish a policy that all business system credentials must be stored in the company password manager — not in browsers, not in notes apps, not written on sticky notes. Adoption improves significantly when the easier path and the required path are the same path.

