Nonprofits and Password Protection
Following the fallout from the Heartbleed bug over the last couple of weeks, it is apparent that many folks, both within and outside the nonprofit community, need to update passwords on compromised sites.
But in addition to updating passwords, it is imperative that stronger systems for password creation and storage be used, regardless of your circumstances. In our work thus far, the number of times we’ve seen individuals, companies, and nonprofits alike use easy-to-crack passwords, or even the same password across multiple accounts, has been disconcerting.
With that in mind, we wanted to provide some simple steps to improving your password protection policies.
Don’t use the same password for all accounts
While using multiple passwords should be common sense, the fact remains that more than one password can be difficult to remember. Add in the fact that most systems require capitalization, punctuation, numbers, and character minimums, and it can be extremely difficult to keep track of these passwords by memory alone.
Add in the fact that for nonprofits, many of these passwords need to be shared with multiple employees, staff members, and in some cases volunteers, and you have a system in place that makes it difficult to have meaningful variety in your security measures.
Regardless – the downsides of having one password still outweigh the positives. If your password is compromised, so is every account associated with those credentials. This could mean your social media accounts, email, and database could all be corrupted if just one account is compromised.
Create a system
Safeguarding your passwords doesn’t need to be complicated or expensive – it just needs to be more than what you are likely doing.
Sharing a Google doc or a shared file (using an internal network, Box, or Dropbox would work) is one way to capture usernames, websites, and passwords. A word of warning, though: if this document is lost or stolen, then all of your account information is gone with it.
A safer route is to use a service dedicated to protecting passwords. These services (including 1Password, LastPass, and PasswordBox) do all of the heavy lifting for you by storing your websites, passwords, and other login credentials. These services also provide password generators, meaning that each site has its own truly randomized password. Both 1Password and LastPass are currently having a sale following the Heartbleed bug so that you can try out their services for less.
What happens if your account is breached
Even with these safety measures in place, accidents or deliberate breaches can happen. What is important is that you reset passwords immediately, inform anyone who may have received a message or notification of the problem, and determine what safeguards may have failed. By being proactive, you will prevent these issues from happening in the future.
It is also important that if someone with access to important passwords or information leaves the organization, especially under poor terms, you immediately change these credentials to avoid any potential inappropriate access.
As the world continues to move more and more into the online space, it is important to be mindful of how this technology can both help and hurt you. Being diligent on password protections and policies is one step in having these new platforms work for you, instead of against you.
Don’t forget to check out Tumblr for more tips and tricks throughout the week. On to other news:
- We’ve talked about executives on Twitter before – now, StayClassy captured some of the most inspiring posts of late from nonprofit leaders.
- Looking for a leadership opportunity? Stanford is currently accepting applications to their Executive Program for Nonprofit Leaders.
- There seem to be endless advice columns on the best way to manage your email inbox. But we think this one has some new insights.