Wild Apricot Blog

How to Keep Track of Your Passwords (and Keep Them Safe)

How can you keep track of all the usernames and passwords for all the online sites you use? As social media and web-based or mobile applications become ever-more central to the daily operation of our non-profit organizations, it’s a growing issue from both a security and a time-management perspective.

Logins are basically made up of two pieces of information: your username and your password. Just two pieces of information, used in the correct combination, will give anyone access to the account.  Because it’s become “best practice” for organizations to use the same username everywhere online – easier for your constituents to find you by guesswork, better for “branding” and marketing, and useful for search engine optimization (SEO) – hackers can easily get the username part of your logins.  

That leaves your passwords as your main line of defense.

  • How strong are your passwords?  
  • And how often do you change your passwords?
  • How securely are your usernames and passwords stored?

If you’re anything like most people, the answer to all of the above is probably “not very.” 

Did you know that “123456” is the most common password? This remarkable fact comes from an Imperva study, Consumer Password Worst Practices (PDF), which looked at 32 million passwords posted to the open internet after a security breach at RockYou.com in December 2009:

  • About 30% of users chose passwords whose length is equal or below six characters.
  • Almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).

Easy-to-guess passwords are only one part of the management equation.  We need to access our passwords quickly, easily, and often – so it’s tempting to save them in a plain text file on the computer desktop, to allow websites to set cookies to save the login information, to save passwords in our web browsers, or even to write them on sticky notes and post them on our monitors for every passer-by to see!

Add to that the considerable success of social engineering and phishing scams, and it’s no wonder we seem to read every day about another website getting hacked or someone’s social media account being hijacked to send out malicious spam links.

The problem is human.

The need for speed leads us into bad habits, and convenience too often wins out over time-consuming and laborious best practices for online security.  It’s just too easy to think, “This is safe enough,” and “It won’t happen to me!” 

Has your non-profit set guidelines for staff and volunteers, to help safeguard your organization’s private information and that of your members?

Password Policy

NASA’s password guidelines can be a great model for developing your organization’s own password policy.  Take a look, too, at the Sample Password Policy posted by the Texas State Library and Archives Commission.  Here are some general recommendations for good password management:

  • Don’t use the same password for more than one site or more than one person.
  • Don’t tell anyone else what your password is.
  • Don’t let websites or ordinary applications save your password for you (a dedicated password manager, discussed below, is the exception).
  • Wherever you enter your password, it should be masked as a row of asterisks or dots, not shown as the real characters – this is now the default for most sites and software, but it’s still not 100 percent, so just keep an eye out.
  • Change your passwords at least every 90 days (or more often, for high-risk or high-sensitivity accounts).  
  • When you do change your password, don’t recycle a password that you’ve used any time in the past: get a brand new one.
  • If you haven’t used a password-protected account in the last 3 or 4 months, delete the account. 
  • Whenever a staff person or office volunteer leaves your organization – whether voluntarily or otherwise – change the password on every account they had access to.
  • If there’s ever any reason to suspect that a password may have been compromised, change the password. 
  • When in doubt – change the password!

How to make a strong password:

Use at least 8 characters – the longer your password is, the more secure it will be.

Mix in 4 different types of characters – upper case letters, lower case letters, numbers, and “special characters” (e.g., @#$%^&) or punctuation marks.

Avoid:

  • simple keyboard patterns (e.g., QWERTY);
  • character strings (e.g., abcde or 12345);
  • words and numbers that have personal significance for you (e.g., your phone number, your pet’s name, etc.);
  • names, places, slang words, or any word found in the dictionary – and that includes words in other languages. If a word can be found in a database anywhere, a computer can try it on your login.

By the way, swapping out symbols for letters in words is no real help.  The bad guys are more than capable of figuring out that “p@55w0rd” is the same as “password.”  Adding a number or symbol to the end of your password, e.g. password1, is not helpful either, as it’s a common pattern.
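To make the rules above concrete, here is an added example (written for this post, not a tool from the original article) of a checker that applies them the way an attacker’s cracking tool would: it undoes symbol-for-letter substitutions and strips a trailing digit or symbol before looking the word up. The wordlist and the leetspeak table are constructed, tiny stand-ins for the dictionaries and breach lists a real check would load.

```python
import re
import string

# Constructed stand-in for a real dictionary / breach wordlist (a real check
# would load millions of entries); the entries here are illustrative only.
WORDLIST = {"password", "qwerty", "welcome", "letmein", "monkey", "dragon", "apricot"}

# Common symbol-for-letter substitutions, so "p@55w0rd" normalises to "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_sequence(pw, min_len=4):
    """True if pw contains min_len+ characters that run along a keyboard row
    or the alphabet, forwards or backwards (QWERTY, abcde, 54321, ...)."""
    s = pw.lower()
    for row in KEYBOARD_ROWS + [string.ascii_lowercase]:
        for i in range(len(row) - min_len + 1):
            chunk = row[i:i + min_len]
            if chunk in s or chunk[::-1] in s:
                return True
    return False


def check_password(pw):
    """Return a list of rule violations (an empty list means the password passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < 4:
        problems.append("fewer than 4 character types")
    if has_sequence(pw):
        problems.append("keyboard or alphabet sequence")
    # Strip a trailing digit/symbol ("Password1", "Password!") and undo the
    # substitutions before the dictionary lookup, as a cracking tool would.
    core = re.sub(r"[\d\W_]+$", "", pw).lower().translate(LEET)
    if core in WORDLIST:
        problems.append("dictionary word (after undoing substitutions)")
    return problems


if __name__ == "__main__":
    for candidate in ["12345", "p@55w0rd", "Password1", "Qwerty123!", "Ro_$2tet!R"]:
        print(f"{candidate!r:14} -> {check_password(candidate) or 'OK'}")
```

Note that “p@55w0rd” and “Password1” both fail the dictionary check even though they contain symbols and digits, while the generated “Ro_$2tet!R” from the next paragraph passes every rule.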

Not sure how well your passwords stack up? You can see how a password rates at PasswordMeter.com, or experiment by typing in characters to learn how different combinations score – but never type a password you actually use into a third-party website; test a similar, made-up one instead. You may notice that it’s hard to be truly random (we humans do like patterns, and our brains are wired to create them), so it can be helpful to use a random password generator when you’ve got a number of passwords to create.

Random password generators such as Random.org or the PC Tools Password Generator can produce an unlimited number of tough passwords – like Ro_$2tet!R or c6&t+h2s3S= or b3eqEku_SW or, well, you get the idea – as many strong passwords as you could ever need, just at the click of a button. Bear in mind, though, that a password generated by a website has been seen by that site’s server and sent to you over the internet, so for your most sensitive accounts – such as the PayPal account that accepts your online donations – use a generator that runs on your own computer (most password managers, covered below, have one built in). For most purposes the passwords created by these online tools will do nicely.
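A generator that runs locally needs only a few lines, and it also lets you put a number on “the longer your password is, the more secure it will be.” This is an added example written for this post, not code from Random.org or PC Tools; the 74-character alphabet and the 10 billion guesses per second attack rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed alphabet (74 symbols): letters, digits and punctuation marks that
# most sites accept. Adjust it to whatever the target site allows.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*_+-="


def generate_password(length=14, alphabet=ALPHABET):
    """Draw `length` characters from the OS CSPRNG (the secrets module, never
    random.choice), retrying until all four character types are present."""
    if length < 8:
        raise ValueError("use at least 8 characters")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy for a uniformly random password of this length. The
    retry loop above discards a small fraction of candidates, so treat this
    as a slight over-estimate."""
    return length * math.log2(len(alphabet))


def expected_crack_seconds(bits, guesses_per_second=1e10):
    """Seconds for an offline attacker at the given rate to search half the
    keyspace. 1e10 guesses/s is an assumed figure for a fast, unsalted hash."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    for n in (8, 14):
        days = expected_crack_seconds(entropy_bits(n)) / 86400
        print(f"{generate_password(n)}  {entropy_bits(n):.1f} bits, ~{days:.1e} days to crack")
```

With this alphabet an 8-character password carries just under 50 bits, which the assumed attacker exhausts in about half a day; 14 characters carries roughly 87 bits, which moves the same attack out to billions of years.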

Okay, strong passwords – check!

Secure Password Storage

But who can remember a truly “strong” password – let alone dozens of them?  

Sure, you could save all your passwords in an encrypted spreadsheet or document, or write them out on a paper record in a locked file cabinet, to look up each password every time you need it (and try to remember to update the document every time you change your passwords) – frankly, that’s so impractical as to be laughable, even if you never left your office desk. But we’re increasingly mobile these days, and, as security giant Symantec notes, more and more people are relying on their smartphones for work as well as personal use.

We need to access our password-protected information and accounts via a wide range of devices, and to be able to access them quickly. 

No wonder it’s so tempting to check the “remember me” or “keep me logged in” box on login pages, or save your password in a software application – not recommended! In fact, Symantec explicitly advises:

Users shouldn’t answer yes when prompted to save their passwords to a computer.  Instead, they should rely on a strong password committed to memory or stored in a dependable password management program.

And no, that doesn’t mean saving your passwords in your web browser.   Actually, that may be too much of a blanket statement...  but you’ll have a hard time getting a definitive statement out of many security guys on the web browser password management question, and no hope at all of getting a firm consensus! 

Realistically, however, not all web accounts are equally sensitive. 

Your organization’s risk of exposure is simply not the same on Twitter as it would be via the PayPal account you use to accept donations, obviously.  And for really low-stakes web accounts with read-only access (e.g., your online news subscription) or temporary accounts (e.g., a quick test of a web-based application you’re not sure you’ll want to continue using) , your web browser may be just fine for storing those low-risk logins. 

You’ll need to assess the risks and benefits, and be your own judge there – only you can know how much exposure your organization has in any situation.  In general, however, you can’t go far wrong if you err on the side of caution.

Secure Password Management Software

Password management software can strike a good  balance between security and convenience.  One master password protects all those hard-to-remember strong passwords, so you won’t be tempted to take the easy way out with predictable (read, hackable) passwords.
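What “one master password protects all those passwords” actually means in code: the master password is stretched (slowly, on purpose) into keys, the entries are encrypted with one key and authenticated with the other, and a wrong master password or an edited vault file is rejected rather than decrypted into garbage. The toy vault below is an added example written for this post; it is not the design of KeePass, Password Safe or any other product, and it uses an HMAC-SHA256 keystream only so that it runs with Python’s standard library. Real managers use a vetted cipher such as AES-GCM; keep no real secrets in this one. The sample entries are constructed.

```python
import hashlib
import hmac
import json
import os

# PBKDF2-HMAC-SHA256 work factor (OWASP's current recommendation). Higher means
# each guess at the master password costs the attacker more time.
ITERATIONS = 600_000


def derive_keys(master, salt):
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: n pseudorandom bytes that differ for every fresh nonce."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def seal(master, entries):
    """Encrypt a dict of logins under the master password; returns salt|nonce|ciphertext|tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC: the tag covers everything the reader will trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master, blob):
    """Verify the tag before decrypting. Raises ValueError on a wrong password or a modified file."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample entries; the password is one of the generated examples above.
    logins = {"twitter": {"user": "ourorg", "pass": "Ro_$2tet!R"}}
    blob = seal("correct master phrase", logins)
    print(open_vault("correct master phrase", blob))
    try:
        open_vault("wrong guess", blob)
    except ValueError as e:
        print("rejected:", e)
```

Two things to take from it: the vault is only as strong as the master password, because an attacker who copies the file can try guesses offline at the cost of one PBKDF2 run each; and the salt makes a precomputed table useless, since the same master password yields a different key for every vault.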

Purdue University’s IT department recommended (Password Manager Software (PDF), 2008) both Password Safe and KeePass as “capable, feature rich and secure” stand-outs in the field, even compared to some of the commercial options.  I’ve used both KeePass and Clipperz for some years now, and our savvy friends in the non-profit tech world have recommended LastPass, RoboForm, and, in smaller numbers, 1Password and Web Confidential to add to the list. 

When choosing, look not only at pricing (some of the best are free, open source software, fortunately for small nonprofits on a tight budget), but at the features that will be most important to how your organization operates. For example:

  • What devices are supported?
  • Does the program have a form filler or support one-click logins, so you won’t have to type in your usernames and passwords manually? 
  • Can you import and export your passwords?  (That’s a “must” in my books!)

Some programs will also let you securely store other types of important information, like a digital file card system, which may be helpful in your organization.

“Since the top password managers all share similar security characteristics,” says Secure Purdue, “the criteria for choosing one to recommend comes down to convenience and ease of use” – and that’s largely a matter of personal taste. 

Your best bet is to try out a few different programs for a week or so, and see which one will suit you best.  Check out the Password Management Tools “toolbox” at Social Source Commons for more options to consider.

The Task of Transitioning

Of course, picking a program to manage your passwords is just the beginning. You’ve still got to get all your login data into the new software.  Good intentions too often fail in the face of a shortage of time to do a task like this, but here’s a suggestion for how to get it done:

When you’re testing a password manager, enter two or three of your commonly used logins – Facebook, Twitter, maybe the  login data for your blog – and leave the rest until you’ve got an idea of whether that particular program is a good fit for you.

Once you’ve settled on a program to use, you can transition gradually – and take the opportunity to change your passwords, as recommended, at the same time.

Every time you go to log in to a site or application that’s not in your new password manager, go to the account settings and change the password, then enter the new information into your password management software.

At the end of a few weeks or a month, whatever timeframe seems right for you, take a few minutes to compare your old list of logins and the items in your password manager, and make a decision about whether to add or delete any accounts that you’ve not accessed in that time.

Make sense?

That’s my take on the question of managing all those usernames and passwords for all those online sites, anyway!  Now it’s your turn, and I hope you’ll weigh in, in the comments:  How does your non-profit manage the “login overload”?

Comments

  • David

    David said:

    Excellent summary and resource.  Thank you.

    Friday, 20 May 2011 at 5:49 AM
  • Melissa

    Melissa said:

    But beware of password management software too -- LastPass got hacked just this week:  http://techcrunch.com/2011/05/05/password-manager-last-pass-possibly-hacked/

    Friday, 20 May 2011 at 6:27 AM
  • Linda Francis

    Linda Francis said:

    Actually, the "bubbles" over passwords are a bit of a usability issue that can actually cause frustration, and encourage people to keep their passwords really simple. The truth is, most people know when someone is looking over their shoulder as they enter a password, and in the case of work or home, there usually isn't.

    I've started recommending showing passwords by default and giving the option to hide. Luke Wroblewski and Jared Spool have an excellent conversation touching on this topic here http://tinyurl.com/pwbubbles and I really like the common sense approach.

    Thanks for the post!

    Linda

    Friday, 20 May 2011 at 7:38 AM
  • Liz

    Liz said:

    But if you have multiple employees that need access to social media accounts and need to know the logins, does that mean each person needs to download, for instance, LastPass and enter in the login info themselves at least once on their own computer?

    Friday, 20 May 2011 at 7:57 AM
  • Dmitriy Buterin [Chief Apricot]

    Dmitriy Buterin [Chief Apricot] said:

    Hi Linda, I am so with you on the issue of showing passwords!

    However, by now people have been trained to see passwords hidden and, without really knowing what this is about, they are scared: 'Oh, my password is not encrypted or something!'

    We ended up hiding passwords in WA because we frequently got comments from people who thought displaying passwords means lower security (it does not!)

    Friday, 20 May 2011 at 8:13 AM
  • Linda Francis

    Linda Francis said:

    :)

    Did you offer the "hide password" check box right below? That is interesting. I wonder if you indicated the password was encrypted (with a lock or something) if that would make a difference.

    Friday, 20 May 2011 at 9:54 AM
  • Rick K.

    Rick K. said:

    Don't forget about http://www.passwordsafe.com

    Rick

    Friday, 20 May 2011 at 12:41 PM
  • Rebecca said:

    Hi Liz, I've been thinking about the multiple-user issue - because, as you say, quite often you'll have several people who need to access your org's social media accounts to moderate or add content, etc.  

    I'd take the "need to know" approach to begin with, where only those who need access will get access.  And rather than necessarily giving all passwords to all staffers, look at what's specifically required to manage each communications channel.

    For example, for your Facebook Page, you can have multiple admins, each of whom logs in with their own account. For Twitter, you can use a tool such as CoTweet, for one, to manage multiple contributors to the account. For blogs, look at whether you can use "roles" or "permissions" - depending on what software you're using - and set up users with only those permissions they need, rather than full administrative powers. And so on.

    And if that's not a practical approach for your particular situation, here's another idea: I know one small non-profit ED who set up a Clipperz account with only those passwords needed by staffers to do their job; and all staffers access it through their web browser - so the logins are available to them whether they're in the office or working on the road.

    Tuesday, 24 May 2011 at 6:10 AM
  • Lindy Smith LLC

    Lindy Smith LLC said:

    At age 57, it is getting more difficult to manage ALL information on the platforms that I access...and I don't see an end in sight.

    Most of my friends in the 55-70 age group have agreed that we used to memorize all the phone numbers we called when we were in our 20's, 30's and 40's.  Friends, family and business numbers were all in our head.  Now if you ask me for my daughter's number, I have to go to my contact list and scroll for it.  This leads me to a couple of observations:

    1) by giving our brains permission not to remember numbers/passwords we weaken our neurotransmitters.

    2) why can we still remember the phone numbers of our best friends from 1960?

    3) do old phone numbers make good passwords?

    Just "thinking"!

    Tuesday, 24 May 2011 at 12:21 PM
  • Rebecca said:

    Interesting observations, Lindy!

    While I can't produce a theory about why those old phone numbers stick in memory, it might be wise to avoid using them as passwords for highly sensitive logins - banking, for example -- as any number with personal meaning for you could, theoretically, be found out or guessed by a determined snooper. But to use that unforgettable phone number of your grade four best friend for a social media login? Not at all unreasonable.  

    Bear in mind, however, that if you use a personally significant password for your non-profit's login (versus your personal login) and you subsequently leave the organization, that password would have to be passed along to the new administrator -- and you'd then be well advised not to use it elsewhere in future.

    Monday, 30 May 2011 at 5:35 AM
  • Lee @ Ilium Software

    Lee @ Ilium Software said:

    Great advice! A secure password manager like eWallet GO! can help too. Remembers the passwords for you! http://ewalletgo.com  Simple.  Safe.  Easy to use!

    Thursday, 02 June 2011 at 10:17 AM