Membership Knowledge Hub

How can you keep track of all the usernames and passwords for all the online sites you use? As social media and web-based or mobile applications become ever-more central to the daily operation of our non-profit organizations, it’s a growing issue from both a security and a time-management perspective.

Logins are basically made up of two pieces of information: your username and your password. Just two pieces of information, used in the correct combination, will give anyone access to the account.  Because it’s become “best practice” for organizations to use the same username everywhere online – easier for your constituents to find you by guesswork, better for “branding” and marketing, and useful for search engine optimization (SEO) – hackers can easily get the username part of your logins.  

That leaves your passwords as your main line of defense.

• How strong are your passwords?  
• And how often do you change your passwords?
• How securely are your usernames and passwords stored?

If you’re anything like most people, the answer to all of the above is probably “not very.” 

Did you know that “12345” is the most common password? This remarkable fact comes from a Imperva.com study of Consumer Password Worst Practices (PDF), looking at 32 million passwords that were posted to the open internet after a security breach at RockYou.com late last year:

• About 30% of users chose passwords whose length is equal or below six characters.
• Almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
• Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).

Easy-to-guess passwords are only one part of the management equation.  We need to access our passwords quickly, easily, and often – so it’s tempting to save them in a plain text file on the computer desktop, to allow websites to set cookies to save the login information, to save passwords in our web browsers, or even to write them on sticky notes and post them on our monitors for every passer-by to see!

Add to that the considerable success of social engineering and phishing scams, and it’s no wonder we seem to read every day about another website getting hacked or someone’s social media account being hijacked to send out malicious spam links.

The problem is human.

The need for speed leads us into bad habits, and convenience too often wins out over time-consuming and laborious best practices for online security.  It’s just too easy to think, “This is safe enough,” and “It won’t happen to me!” 

Has your non-profit set guidelines for staff and volunteers, to help safeguard your organization’s private information and that of your members?

Password Policy

NASA’s password guidelines can be a great model for developing your organization’s own password policy.  Take a look, too, at the Sample Password Policy posted by the Texas State Library and Archives Commission.  Here are some general recommendations for good password management:

• Don’t use the same password for more than one site or more than one person.
• Don’t tell anyone else what your password is.
• Don’t let software or websites save your password for you.
• Wherever you enter your password, it should be shown as a row of asterisks, not the real characters – this is now the default for most sites and software, but it’s still not 100 percent, so just keep an eye out.
• Change your passwords at least every 90 days (or more often, for high-risk or high-sensitivity accounts).  
• When you do change your password, don’t recycle a password that you’ve used any time in the past: get a brand new one.
• If you haven’t used a password-protected account in the last 3 or 4 months, delete the account. 
• Whenever a staff person or office volunteer leaves your organization – whether voluntarily or otherwise – or change the password.
• If there’s ever any reason to suspect that a password may have been compromised, change the password. 
• When in doubt – change the password!

How to make a strong password:

Mix in 4 different types of characters – upper case letters, lower case letters, numbers, and “special characters” (e.g., @#$%^&) or punctuation marks.

Avoid:

• simple keyboard patterns (e.g., QWERTY);
• character strings (e.g., abcde or 12345);
• words and numbers that have personal significance for you (e.g., your phone number, your pet’s name, etc.);
• names, places, slang words, or any word found in the dictionary – and that includes words in other languages. If a word can be found in a database anywhere, a computer can try it on your login.

By the way, swapping out symbols for letters in words is no real help.  The bad guys are more than capable of figuring out that “p@55w0rd” is the same as “password.”  Adding a number or symbol to the end of your password, e.g. password1, is not helpful either, as it’s a common pattern.

Not sure how well your passwords stack up? Check the strength of your existing passwords at PasswordMeter.com, or experiment by typing in characters to learn more about how different combinations will rate for security.  You may notice that it’s hard to be truly random (we humans do like patterns, and our brains are wired to create them), so it can be helpful to use a random password generators when you’ve got a number of passwords to create.

Random password generators such as Random.org or  the PC Tools Password Generator  can produce an unlimited number of tough passwords – like Ro_$2tet!R or c6&t+h2s3S= or b3eqEku_SW or, well, you get the idea –  as many strong passwords as you could ever need, just at the click of a button.   It’s not advisable to use one of these auto-generated passwords for your extremely sensitive accounts, of course – such as the PayPal account that accepts your online donations –  as anything transmitted over the open internet can be “eavesdropped” on, in theory – but the passwords created by these tools will do nicely for most purposes.

Okay, strong passwords – check!

Secure Password Storage

But who can remember a truly “strong” password – let alone dozens of them?  

Sure, you could save all your passwords in an encrypted spreadsheet or document, or write them out on a paper record in a locked file cabinet, to look up each password every time you need it (and try to remember to update the document every time you change your passwords) – frankly, that’s so impractical as to be laughable, even if you never left your office desk. But we’re increasingly mobile these days, and, as security giant Symantec notes, more and more people are relying on their smartphones for work as well as personal use.

We need to access our password-protected information and accounts via a wide range of devices, and to be able to access them quickly. 

No wonder it’s so tempting to check the “remember me” or “keep me logged in” box on login pages, or save your password in a software application – not recommended! In fact, Symantec explicitly advises:

Users shouldn’t answer yes when prompted to save their passwords to a computer.  Instead, they should rely on a strong password committed to memory or stored in a dependable password management program.

And no, that doesn’t mean saving your passwords in your web browser.   Actually, that may be  too much of a blanket statement...  but you’ll have a hard time getting a definitive statement out of many security guys on the web browser password management question, and no hope at all of getting of a firm consensus! 

Realistically, however, not all web accounts are equally sensitive. 

Your organization’s risk of exposure is simply not the same on Twitter as it would be via the PayPal account you use to accept donations, obviously.  And for really low-stakes web accounts with read-only access (e.g., your online news subscription) or temporary accounts (e.g., a quick test of a web-based application you’re not sure you’ll want to continue using) , your web browser may be just fine for storing those low-risk logins. 

You’ll need to assess the risks and benefits, and be your own judge there – only you can know how much exposure your organization has in any situation.  In general, however, you can’t go far wrong if you err on the side of caution.

Secure Password Management Software

Password management software can strike a good  balance between security and convenience.  One master password protects all those hard-to-remember strong passwords, so you won’t be tempted to take the easy way out with predictable (read, hackable) passwords.

Purdue University’s IT department recommended (Password Manager Software (PDF), 2008) both Password Safe and KeePass as “capable, feature rich and secure” stand-outs in the field, even compared to some of the commercial options.  I’ve used both KeePass and Clipperz for some years now, and our savvy friends in the non-profit tech world have recommended LastPass, RoboForm, and, in smaller numbers, 1Password and Web Confidential to add to the list. 

When choosing, look not only at pricing (some of the best are free, open source software, fortunately for small nonprofits on a tight budget), but at the features that will be most important to how your organization operates. For example:

• What devices are supported?
• Does the program have a form filler or support one-click logins, so you won’t have to type in your usernames and passwords manually? 
• Can you import and export your passwords?  (That’s a “must” in my books!)

Some programs will also let you securely store other types of important information, like a digital file card system, which may be helpful in your organization.

“Since the top password managers all share similar security characteristics,” says Secure Purdue, “the criteria for choosing one to recommend comes down to convenience and ease of use” – and that’s largely a matter of personal taste. 

Your best bet is to try out a few different programs for a week or so, and see which one will suit you best.  Check out the  Password Management Tools  “toolbox”  at Social Souce Commons for more options to consider.

The Task of Transitioning

Of course, picking a program to manage your passwords is just the beginning. You’ve still got to get all your login data into the new software.  Good intentions too often fail in the face of a shortage of time to do a task like this, but here’s a suggestion for how to get it done:

When you’re testing a password manager, enter two or three of your commonly used logins – Facebook, Twitter, maybe the  login data for your blog – and leave the rest until you’ve got an idea of whether that particular program is a good fit for you.

Once you’ve settled on a program to use, you can transition gradually – and take the opportunity to change your passwords, as recommended, at the same time.

Every time you go to login to a site or application that’s not in your new password manager, go to the account settings and change the password, then enter the new information into your password management software.

At the end of a few weeks or a month, whatever timeframe seems right for you, take a few minutes to compare your old list of logins and the items in your password manager, and make a decision about whether to add or delete any accounts that you’ve not accessed in that time.

Make sense?

That’s my take on the question of managing all those usernames and passwords for all those online sites, anyway!  Now it’s your turn, and I hope you’ll weigh in, in the comments:  How does your non-profit manage the “login overload”?