Why Password Security Is a Business Risk for Salt Lake City Architectural Firms

May 2026 | Qualit Managed IT | Architectural Firms | Cybersecurity

Your design team lives in Revit, AutoCAD, and Autodesk Docs all day — and each of those platforms requires a login. Now multiply that across BIM 360 project portals, Deltek Ajera for project management, Adobe Creative Suite, Lumion for rendering, and half a dozen consultant collaboration portals, and a single principal or project architect may be juggling a dozen or more credentials. When those passwords get reused across platforms — and research shows most of them do — one compromised account can become a master key to everything your firm has built.

The Scale of the Password Reuse Problem

A 2024 Cybernews study analyzed more than 19 billion passwords exposed in data breaches and found that a staggering 94% of them were reused or duplicated across multiple accounts. That is not a statistic about careless users — it is a structural problem with how human beings manage dozens of credentials under deadline pressure. Your designers and architects are not security professionals; they are creative professionals trying to hit project milestones. Password hygiene tends to fall apart when a Revit model deadline is looming.

The attack technique that exploits this is called credential stuffing. Attackers purchase or download lists of breached username-and-password pairs from the dark web and then run automated scripts that try those same credentials against thousands of other platforms simultaneously. If a project architect used the same password for an old forum account that got breached three years ago as they use for your firm's BIM 360 portal, attackers may already have that combination — and they are testing it right now.
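On the defender's side, this pattern is visible in sign-in logs: one source tries many different usernames, almost all attempts fail, and the occasional success marks an account whose reused password was in the list. The following is an added example, not part of the original article; the log format, addresses, usernames and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample sign-in log (timestamp, source IP, username, result).
# The format and every value are made up for this example.
SAMPLE_LOG = """\
2026-05-04T02:14:01Z 203.0.113.50 a.nguyen@example-firm.test FAIL
2026-05-04T02:14:02Z 203.0.113.50 b.shah@example-firm.test FAIL
2026-05-04T02:14:02Z 203.0.113.50 c.romero@example-firm.test FAIL
2026-05-04T02:14:03Z 203.0.113.50 d.kim@example-firm.test FAIL
2026-05-04T02:14:04Z 203.0.113.50 e.olsen@example-firm.test OK
2026-05-04T02:14:05Z 203.0.113.50 f.park@example-firm.test FAIL
2026-05-04T08:01:10Z 198.51.100.7 b.shah@example-firm.test FAIL
2026-05-04T08:01:25Z 198.51.100.7 b.shah@example-firm.test OK
2026-05-04T08:03:40Z 192.0.2.10 d.kim@example-firm.test OK
"""

def find_stuffing(log_text, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct usernames and mostly fail.

    Returns {ip: {"users", "fail_ratio", "succeeded"}}; "succeeded" lists the
    accounts that source logged in to, which should be treated as compromised.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, ip, user, result = parts
        attempts[ip].append((user.lower(), result == "OK"))

    findings = {}
    for ip, rows in attempts.items():
        users = {user for user, _ in rows}
        fail_ratio = sum(1 for _, ok in rows if not ok) / len(rows)
        # A person mistyping a password hits one username; stuffing hits many.
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            findings[ip] = {
                "users": len(users),
                "fail_ratio": round(fail_ratio, 2),
                "succeeded": sorted({user for user, ok in rows if ok}),
            }
    return findings
```

Any account listed under `succeeded` needs its password reset and its active sessions revoked, since the login used valid credentials.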

What Is at Stake for an Architectural Firm

For most industries, a breached account means exposed emails or customer records. For an architectural firm, the stakes are higher and more specific. Your design files, BIM models, and project documentation represent your primary intellectual property. Schematics, construction drawings, proprietary design details, client correspondence — all of it lives in shared drives and project collaboration platforms. A single compromised credential can give an attacker read access to years of project work.

Beyond IP theft, ransomware groups increasingly use credential stuffing as their entry point. They log in with a legitimate set of stolen credentials, move laterally through your network, and then encrypt everything — including the Revit models and project documents your team needs to deliver. When that happens on a Thursday before a deadline, the damage is not just financial. It is reputational.

Three Changes That Dramatically Reduce Your Risk

1. Deploy a Password Manager Firm-Wide

Tools like 1Password, Bitwarden, and Dashlane eliminate the password reuse problem by generating and storing a unique, complex password for every account. Instead of remembering dozens of passwords, your project teams remember one master password. The password manager handles the rest. Most enterprise plans include admin dashboards so you can see which accounts are using weak or reused passwords — and fix them before an attacker does.

For architectural firms specifically, this is valuable because your team accesses a wide mix of platforms: Autodesk portals, Newforma project sites, rendering software licenses, cloud storage, and more. A password manager creates a consistent security baseline across all of them without adding friction to the design workflow.

2. Turn On Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) means that even if an attacker has the correct username and password, they cannot log in without a second verification step — typically a code from an app like Google Authenticator or Microsoft Authenticator. This single control stops credential stuffing attacks cold. Even if your credentials are in a breach database, MFA makes them useless without physical access to a trusted device.

MFA is available on Autodesk Docs, BIM 360, Adobe Creative Cloud, and most project management platforms. Enabling it across your firm's critical platforms should be a non-negotiable baseline — not an optional setting.

3. Audit Shared Accounts and Project Portal Access

Architectural firms frequently set up shared logins for client-facing project portals or consultant access. When a project wraps up, those credentials often stay active. Conduct a periodic audit of who has access to what — especially in BIM 360 and Autodesk Docs — and remove stale accounts promptly. Every dormant shared login is an open door.
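A periodic audit like this can be scripted against a member list exported from each portal. The following is an added example, not part of the original article and not an Autodesk tool; the CSV column names, the sample rows, the list of shared-mailbox names and the 90-day dormancy threshold are all assumptions.

```python
import csv
import io
from datetime import date

# Constructed export. Column names are hypothetical, not a real portal format.
SAMPLE_EXPORT = """\
email,project,project_status,last_login,mfa_enabled
j.lee@example-firm.test,Library Annex,active,2026-04-28,yes
drawings@example-firm.test,Library Annex,active,2026-04-30,no
consultant@example-mep.test,Canyon Lofts,closed,2025-11-02,yes
m.ortiz@example-firm.test,Library Annex,active,2025-12-15,yes
"""

# Assumed naming convention for logins used by more than one person.
SHARED_LOCAL_PARTS = {"drawings", "info", "admin", "projects", "bim", "studio"}

def audit_access(export_text, today, dormant_days=90):
    """Return (email, project, reasons) for every account that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        if row["project_status"].strip().lower() == "closed":
            reasons.append("project closed")
        last_login = row["last_login"].strip()
        if not last_login:
            reasons.append("never logged in")
        else:
            idle = (today - date.fromisoformat(last_login)).days
            if idle > dormant_days:
                reasons.append(f"no login for {idle} days")
        if row["email"].split("@")[0].lower() in SHARED_LOCAL_PARTS:
            reasons.append("shared login")
        if row["mfa_enabled"].strip().lower() != "yes":
            reasons.append("MFA off")
        if reasons:
            findings.append((row["email"], row["project"], reasons))
    return findings

if __name__ == "__main__":
    for email, project, reasons in audit_access(SAMPLE_EXPORT, date(2026, 5, 15)):
        print(f"{email} [{project}]: {', '.join(reasons)}")
```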

One Breach Can Be a Master Key for Everything

The phrase 'one breach, one master key' captures the real danger of password reuse. When credentials are shared across platforms, a single point of failure becomes a universal failure. A breach at any one of the many platforms your team uses — even a third-party consultant's system — can cascade into your firm's core design environment. The fix is architectural: break the dependency between accounts by making every password unique.

We work with Salt Lake City architectural firms to protect design files and keep project workflows running. If your firm has not audited its password practices recently, now is the right time.

Schedule a free discovery call with Qualit to review your firm's credential security.

Frequently Asked Questions

Q: Our team all uses the same Autodesk login to access BIM 360. Is that a problem?

Yes. Shared accounts make it impossible to audit who accessed what and when. If that credential is compromised, you have no way to trace activity or quickly revoke access for one person without locking everyone out. Individual named accounts with MFA are the right approach for BIM 360 and all project collaboration platforms.

Q: We use a password manager, but only a few people on the team actually use it. What do we do?

Adoption is the hard part. The most effective approach is top-down enforcement — make the password manager the only approved way to access firm accounts, and tie it to onboarding and offboarding processes. An IT partner can help configure policies that require password manager use at the system level, reducing the friction of voluntary adoption.

Q: How do we handle password sharing with outside consultants on shared project portals?

Use platform-level guest access features rather than shared credentials whenever possible. Autodesk Docs and BIM 360 both support external collaborator accounts tied to individual emails. When a project closes, deactivate those accounts. If shared credentials are unavoidable, rotate them when a project ends and use a password manager to distribute the new credential securely rather than emailing it in plain text.