Password security is always a balance between policies strong enough to protect your network and policies that your staff will actually follow. Our consultants regularly get strong pushback when we institute stricter password policies, so we strive to find the right mix of security and practicality. To that end, here are some sample policies and tips that you can use today to start improving security for your network and software.
Make strong passwords a policy that is clear and shared with all staff.
It is important to have a clear policy outlined regarding passwords and to share that with your staff. Many staff members will not realize the importance of passwords, but will improve their practices with some education. Here is a sample password policy that you can include in your HR manual or tech policies:
Sample Password Policy
It is important that the passwords you use to access ORGANIZATION NAME's network, email, and other software meet minimum security requirements. Choosing a secure password is the first step toward ensuring that our network, resources, and data are protected from misuse.
All passwords staff use to access ORGANIZATION NAME'S resources must meet these criteria:
- All passwords must be at least 12 characters long. Length protects you more than any other rule on this list; a passphrase made of several unrelated words is longer still and easier to remember.
- Use both upper and lower case letters in your password.
- Include at least one special character (e.g. !@#$%^&*).
- Don't use dictionary words, names, or keyboard patterns (e.g. "qwerty"), and don't turn one of those into a password by adding a digit or a year to the end.
- Do not re-use a work password on any other site or service, and do not go back to an old password when you change it.
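To make the criteria concrete, here is an added example, not part of the original article, of a small policy checker in Python that implements each rule above and reports every violation at once rather than stopping at the first. The 12-character minimum, the 20-character passphrase exemption, the tiny word list and the keyboard rows are assumptions for the demo; a production check would load a full dictionary and, more importantly, a list of passwords known from public breaches. The "previous passwords" rule is checked against salted PBKDF2 hashes so the history itself is never stored in the clear. Re-use on other sites cannot be detected from inside your own systems; that rule can only be taught.

```python
import hashlib
import os

# Assumed thresholds for this demo (the sample policy above says 12; tune to
# your organization).
MIN_LENGTH = 12
PASSPHRASE_LENGTH = 20          # long multi-word passphrases are exempt from the word check
SPECIAL = set("!@#$%^&*")       # the characters the sample policy lists
PBKDF2_ROUNDS = 100_000

# Constructed mini word list and keyboard rows, for the demo only.
DICTIONARY = {"password", "welcome", "summer", "monkey", "dragon", "letmein"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def contains_keyboard_pattern(pw, run=4):
    """True if pw contains `run` adjacent keys from one row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def contains_dictionary_word(pw):
    """Substring match against the word list, so 'Summer2019!' is caught."""
    low = pw.lower()
    return any(word in low for word in DICTIONARY)


def history_entry(pw):
    """Salted PBKDF2 hash suitable for storing in a password-history table."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reuses_previous(pw, history):
    """True if pw matches any (salt, digest) pair previously stored for this user."""
    return any(
        hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS) == digest
        for salt, digest in history
    )


def check_password(pw, history=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c in SPECIAL for c in pw):
        problems.append("needs at least one special character")
    if len(pw) < PASSPHRASE_LENGTH and contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if contains_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    if reuses_previous(pw, history):
        problems.append("re-uses a previous password")
    return problems


if __name__ == "__main__":
    # Constructed history and candidates for the demo run.
    history = [history_entry("OldPassw0rd!!")]
    for candidate in ["Summer2019!", "qwerty123456", "OldPassw0rd!!", "Tr0ub4dor&3-Vault"]:
        verdict = check_password(candidate, history) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The passphrase exemption matters: a plain substring check against a dictionary would reject exactly the long multi-word passphrases you want staff to adopt, so the word check only applies below the length at which a passphrase is already strong on its own.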
In addition to making a policy like this available, include some education regarding your policies and the importance of passwords as part of your orientation for new employees. You may also consider providing information on passwords and general technology security as part of regular staff trainings and meetings to make sure that longer-term staff are informed of these issues as well.
Passwords need to be changed whenever they may have been exposed.
Even if a password meets every criterion above, it must be changed immediately when there is reason to think it has been exposed: a phishing email that someone may have answered, a breach at another site where the password was re-used, a lost or stolen laptop, or a departing employee who knew a shared account. For years the standard advice was also to force a change every 90 days. Current guidance from NIST (SP 800-63B) recommends against forced periodic changes, because staff respond with predictable variations ("Summer2019!" becomes "Autumn2019!") and instead recommends screening new passwords against lists of passwords known from public breaches. If your organization still requires scheduled changes, or if you are having trouble keeping staff on good passwords, speak with your IT staff/consultant. They can help you evaluate the risk at your organization and work out a plan to keep your network safe.
Use tools provided by your network and software to enforce your password policies.
In addition to sharing your written password policy, you can work with your tech staff/consultants to set up tools that enforce it. Organizations with a server on their network can set server policies to enforce the password policy for you: minimum length and complexity, a password history so that old passwords cannot be re-used, lockout after repeated failed login attempts, and, if you choose to require it, a maximum password age. Cloud-based email and software will typically provide these settings as well. Check with your IT staff and/or consultants about which policies are set on your network and software today and what options you have for changing them.
Consider software and options that make secure passwords easy.
Even if you prioritize just a handful of sites that require very secure passwords, it can still be a chore to remember a truly secure password for each one. There are many articles online outlining methods of creating sufficiently complex passwords that people can also remember. One is the method outlined by writers at Lifehacker and another is outlined in this video by Google. While these may not be as secure as a randomly generated password, they will still give you a good level of security, especially when each one is used for only a single site.
Another option is to use a password management tool to create a randomly generated password for each site, leaving only one master password to remember. This method provides a high level of security, but it does put all of your password eggs in one basket: forget the master password and you can be pretty stuck, and a weak master password or a compromised computer exposes everything at once. Make the master password the longest passphrase you use, and set up the manager's recovery option before you need it.
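As an added illustration, not from the original post, the following Python shows what a password manager does when it generates a password and why length buys more than special characters: `secrets` draws from the operating system's random source (never the `random` module, which is predictable), and the entropy calculation puts a few policy choices side by side. The 32-word list is constructed for the demo; a real passphrase generator uses a published list such as the EFF long list, whose 7,776 words give about 12.9 bits per word.

```python
import math
import secrets
import string

# Full printable-ASCII alphabet a password manager typically offers: 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 32-word list for the demo (5 bits per word). A real generator
# uses a published list such as the EFF long list (7,776 words).
WORDS = (
    "anchor basket candle dolphin ember falcon garden harbor island jacket "
    "kettle lantern meadow needle orchard pebble quartz ribbon saddle timber "
    "umbrella velvet walnut yonder zephyr acorn bridge cactus dagger engine "
    "forest glacier"
).split()


def random_password(length=16, alphabet=FULL_ALPHABET):
    """Uniformly random password from `alphabet`, using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=4, wordlist=WORDS, sep="-"):
    """Diceware-style passphrase: each word is one independent uniform draw."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(pool_size, picks):
    """Entropy in bits of `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def compare_policies():
    """Entropy of a few policy choices; assumes the attacker knows how the
    password was generated and only the random choices are secret."""
    return {
        "8 chars, full alphabet": entropy_bits(len(FULL_ALPHABET), 8),
        "12 chars, full alphabet": entropy_bits(len(FULL_ALPHABET), 12),
        "16 chars, full alphabet": entropy_bits(len(FULL_ALPHABET), 16),
        "4 words, 7776-word list": entropy_bits(7776, 4),
        "6 words, 7776-word list": entropy_bits(7776, 6),
        "4 words, this demo's 32-word list": entropy_bits(len(WORDS), 4),
    }


if __name__ == "__main__":
    print("generated password:  ", random_password())
    print("generated passphrase:", random_passphrase())
    for label, bits in compare_policies().items():
        print(f"{label:36} {bits:6.1f} bits")
```

Two things to take from the numbers: an 8-character password from the full alphabet and a 4-word passphrase from a 7,776-word list are both around 52 bits, while 12 characters or 6 words are both near 78 bits, so adding length is the cheapest way to add strength. These figures apply only to passwords a machine picked uniformly at random; a human-chosen 8-character password that merely satisfies the complexity rules is far weaker than 52 bits, because people choose predictably.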
Avoid keeping your passwords written down, especially in obvious places like on a post-it under your keyboard. These paper records are gold for thieves who instantly know how to get into important files on the equipment they just stole.
Consider which staff needs access to what information.
While this isn't directly about passwords, it's worth considering while you review your nonprofit's technology policies. Does every staff member need access to every record in your CRM and every file on your server or shared drive? Probably not. By setting security policies that limit staff to only the information they need to do their job, you limit the amount of data at risk should that staff member's login information be compromised.
I hope that these tips can help you start to implement some good security policies at your nonprofit, and start to educate your staff on good practices. I invite you to contact us or leave your thoughts or questions in the comments. What policies and/or procedures does your nonprofit have in place regarding passwords? How do you remember all of the different passwords that you use?
Additional Resource: The folks at Microsoft TechNet have their own advice on creating strong passwords, and they also reference a tool that individuals can use to rate the effectiveness of their current or prospective passwords.