Managing Passwords for Your Nonprofit's Online Accounts

Group Using Technology

Nonprofits and community groups need to use more online services like Facebook, Twitter, email, and others more than ever. How do you make sure you keep your passwords safe?

Don't forget, Drover is offering technical help sessions to community groups and nonprofits trying to get their technology sorted out while more of life is taking place online. If you have questions about security or any other topic, email for help!

I was recently contacted by a community group I used to lead asking if I remembered the group’s Twitter login info. I could still remember the password (in order to avoid confusion I had used the same one for all of the group’s accounts. I’ll explain below why that’s a bad idea.), but when trying to provide the recovery email address I was lost. The current chairperson of the group was lost. And so, the group’s Twitter account seemed lost.

With everything officers or other volunteers have to take care of, this stuff might not seem quite as important. But think about it -- do you really want someone who hacks one of your accounts to gain access to all of your online accounts? For an organization it could have major consequences, and they don't even need to come from outside the organization. If one bad actor has account access when they shouldn’t, they could compromise your membership info or do serious PR damage. It's impossible to be 100% safe online, but there are several steps you can take to help decrease your risk.

Thankfully there are password managers out there that can simplify organizing it all. Plenty of people have explained why they’re a good idea for personal use, but for nonprofits and community groups the reasons are the same. They can generate strong, individual passwords for various sites, keep usernames and passwords secure and easy to access, and provide encrypted storage for documents.

Options for Setting it Up

For the purposes of this post, we’re going to focus on two of the best-known password managers, LastPass and 1Password. They’re roughly similar and are both highly-rated.

The first thing you need to consider is how many people are going to need access. If only one or two people need access to everything, the easiest option is to simply create a separate account for the organization. You can keep everything there and when it’s time to pass on the information all you have to do is share the login credentials for the password manager account (make sure you don't lose it!). If you already use a password manager yourself, this might also involve using a different browser for the group, but that's also a way to keep things separate from your personal accounts, anyway.

If you have 3-6 people who need access to various accounts, for approximately $50/year both LastPass and 1Password offer family accounts. These make it easy to manage exactly who has access to what, and everyone can use their own personal account (at least for 1Password. LastPass won’t let you change family owner, so a separate master account that can be passed on might still be a good idea).

Whichever setup you have, it’s worth taking the time to make sure everything about an account is saved in the password manager. You never know who will need access to information like security questions, backup emails or phone numbers, or other security measures. That’s what tripped us up. I could still remember the password, but who really remembers the email address used as a backup 8 years after the fact, especially if it isn’t one of your personal addresses?

The Annual Audit

So you took the effort to set up a password management system for your organization -- great job! You’ve put in a large part of the work, now it’s time for the maintenance.

The best thing you can do now is set a calendar reminder to do an audit of your accounts once a year. If your organization has annual elections that’s the easiest time to do it, but the two don’t necessarily have to be linked. The important thing is to go through all the accounts and make sure the right people still have access to the login info and remove anyone who shouldn’t anymore. This also goes for sites such as Facebook Groups and Meetup that don’t necessarily have login information you need but instead have a list of admins. Check it all.

An annual audit of online accounts is also a good opportunity to change passwords. If you haven't changed passwords in a while, people might still have the login info saved in their browsers or password managers. When it comes to internet security, it is always better to be safe than sorry.

Keeping your information secure is good for both your organization and your members and can save you from headaches later on. Well, as I learned they might not necessarily save you from headaches, but the poor chairperson elected years after you. You spend years and put in lots of hard work to collect email addresses and gain followers. Keep that information safe and save yourself the heartbreak of having to start from scratch by taking precautions.