Nonprofits are generally a mess when it comes to password management. In my work as a web designer, it’s a regular occurrence to work with a nonprofit that can’t find critical passwords when we need them.
The website hosting account just expired, but nobody’s logged in there since Joanne, who was two-communication-managers ago. The organization’s sole Facebook admin is a former employee who left on bad terms. The web developer is a nightmare but he owns the domain registration, so you need their cooperation if you want to work with a new company for the next website. The website requires two-factor authentication and the email on file is no longer active. The list goes on.
What’s to blame? Usually 1) high staff turnover and 2) lack of reliable systems to store shared knowledge. This article will help you set up that reliable system, regardless of staff turnover.
Not only is it a headache when important passwords are lost, but typical nonprofit password management is super insecure. Usually all the passwords live on some shared Google Doc and/or are passed around by email. This means if an employee account gets hacked that has access to that document, all of your accounts are at risk.
Additionally, those passwords can easily be retained by former staff members, which probably isn’t a big deal…until a crappy employee gets fired and suddenly it’s a freakin’ nightmare.
Smart password management allows you to keep your organization safe and fully in control of your online accounts. Here’s what I recommend.
Step 1: Track down your passwords now
Here are the six key accounts you should make sure you have access to in order to maintain your online presence.
- Domain registration
- Website host
- Current website login (e.g. WordPress dashboard)
- Google Analytics
- Google Business listing
- Social media accounts
Before getting any further, make sure you have access to all of these. If not, take a moment to track them down.
In addition to this list, you’ll also want to ensure you have banking, payment processors, and any other accounts that hold sensitive (i.e. personal and/or financial) data.
Step 2: Set up a password manager
To get started, set up a LastPass account. If you’re a small organization, you might be able to get by with the free account, otherwise try the Teams plan ($4/user/month).
You’ll create a “master password” for this account, which will allow you to access all your other passwords. Make this password long and reasonably difficult. A sentence with some numbers and symbols mixed in makes it easier to remember. E.g. 1gotMYpeachesDOWNinG@ (not my password, I promise).
Install the browser extension, which will store passwords for you and autofill saved passwords.
Note: This master password should be set up by the executive director or whoever has the most power in the organization. This master password is your organization’s “nuclear codes.” Don’t mess around with this.
If you’re a tech-saavy, entry-level employee that’s setting this up because you’re the office’s unofficial tech person, great! Just let your ED set this master password. And make sure they understand the importance of passing this account on to their successor.
Step 3: Update your passwords
Now that you have a password manager, you never need to type a password again.
Cool. Now there’s no excuse to keep using the short/simple password you’ve been using for all your accounts. Log into your important accounts and let LastPass autogenerate passwords for you, as these don’t need to be memorable or pronounceable. Like this: k9vBWG!82!2o (also not my password).
Step 4: Use a generic organization email address for accounts
These email accounts are much easier to preserve as individual staff come and go and their email accounts open and close. And if you use this consistently across all your accounts, it’s much easier to track down lost passwords using the password reset options (i.e. you know what email to send the reset to).
Step 5: Share your passwords as needed
Anyone in the organization that needs a password should set up their own LastPass account and install the LastPass browser extension.
When you want to share a password, click on your LastPass browser extension to enter your vault:
Hover over the password you want to share, then click the share icon:
Enter the recipient’s email address. In most cases, you should leave the “Allow Recipient to View Password” box unchecked. This means LastPass will autofill the password for them (using the browser extension they have installed) but they’ll be unable to see the actual password.
Step 6: Un-share passwords when they are no longer needed
When the staff member leaves or no longer needs access to an account, simply retrace your steps in LastPass to access the sharing permissions on the password. Then click to cancel the invite.
Step 7: Document your process/policies
As great as this system is, it won’t do you any good if nobody uses it. So while you’re thinking about this boring stuff, you might as well:
- Take a moment to jot down some policies and processes around password sharing. The steps from this article are a good starting point (e.g. “Always use firstname.lastname@example.org for all accounts.”) Then elaborate on the details (e.g. “when creating a new account, generate a secure password of at least 12 characters and share it with the ED via LastPass”).
- Briefly run through these processes at your next staff meeting and help people set up their own LastPass account.
You did it!
Good work! You’ve secured your online accounts and ensured your team will have access as needed. You’re now in the top one percent of nonprofits in terms of password management (*my rough estimation, not an actual study).
You’ve saved your team—and future teams—countless headaches and ensure the ongoing security of your accounts. Now that you aren’t bogged down with that crap, you can get back to saving the world, or whatever your nonprofit is supposed to be doing right now.