Nonprofit Password Management

December 29, 2022 by Jeremy DeLong

What does password management look like at your nonprofit organization? While you may have password setting policies in your systems (see our Salesforce password security tips here for ideas), do you know how your users are storing their login information? Are passwords saved in browsers, on physical notepads, and/or in shared documents? Is there even a consistent practice, or is it a free-for-all where everyone chooses their own adventure? As consultants who work with dozens of nonprofits on technology projects, we have seen it all.

Technology is a core requirement for all nonprofits. System passwords grant access to some of the most important and sensitive day-to-day operations of your organization. Every week, it seems there is a news article about data breaches and systems being hacked. When your organization’s passwords are scattered around and in plain text on devices, there’s always a risk that someone’s computer or phone is hacked and the passwords stored on it will be used for nefarious purposes.

Even when you have an integrated system that streamlines your data collection, there are still multiple logins to manage. Gone are the years when you only had to remember 2-3 passwords to do all your tasks in a day. We are in the days of character requirements and quarterly change password prompts (but you can’t use one you’ve had before!).

Think about it. How many logins do you use in a day? With so many to remember, people start creating overly simple, insecure passwords to try to make it easy. Not having a centralized, protected place for passwords makes it hard to secure systems if employees leave or equipment gets lost. This is why we recommend a nonprofit password management system.

What is a Password Management System?

It needs to be secure and allow for each user to have access to the passwords they need… and ONLY the ones they need. We recommend a “vault” system. The most common ones are 1Password and LastPass, but there are others. These vaults (and any systems!) can still be hacked, but just like a bank vault they put a heavy door on the front, so it’s less likely anyone can get through. By encrypting your login information, it’s more protected than a plain text document on your shared drive.

A vault can remember all your passwords, and most have apps that let you use them across multiple devices (like on your desktop and phone). Most importantly, you can grant or revoke access to employees and/or consultants like us.

What are the benefits of a vault?

Minimize the risk of shared logins. Your organization probably has some systems where a single user account needs to be accessed by multiple people. Do you share that login information with new employees by typing it into a chat, or sending it by email? Every time we copy/paste a password into an email, text, or chat, we create a potential security risk. (Think about what happens if your phone or laptop were lost or stolen, and someone could view all that history!) When you share passwords through a vault, you just grant access. No need to send information (and no need for anyone to write it down or store it elsewhere!).

A central location. A vault keeps all your passwords in one central location where everyone can find them. It can be added to a phone or browser, and everyone only has to memorize ONE primary password to access the vault (again, no need to write it down or “just remember”). You can group passwords by account or role, and give access to only what each user needs. Some allow you to share a link that will expire after a set amount of time.

Simpler 2-Factor Authentication and Authorization. “2FA” or “MFA” are tools used by many apps and systems as an enhanced level of security, to make sure the person trying to access the system is actually authorized. Usually you’re given a code or key that’s delivered to a specific phone or email, or is accessed in a specific place. Some password management tools can serve as the “specific place” for receiving these access codes (which especially helps in the case of users sharing a single account). See our previous article about the importance of MFA for Salesforce.

Having a nonprofit password management system is going to be even more crucial as the rules change and password requirements get more complicated and continue to evolve. We are human and can’t remember everything. That’s why it’s important to enable an easy way for users to remember passwords. Knowing where passwords are and controlling access lowers the risk of having a password compromised.