It's 10 am, do you know where your organization's log ins are?

I'll tell you where they shouldn't be - living in the heads, on the hard drives and on the Post-it notes of various disconnected staffers.

If you are from a large organization with crackerjack IT personnel or have the capacity to create permission-based information access on an intranet or internal file system, then this post probably isn't for you. You can take the time you would spend reading it to have a snack or maybe make sure everyone's log in information is up to date.

Lots of small and even medium-sized organizations, however, tend to grow their software and online systems organically. Often this includes utilizing multiple contractors or volunteers - and this can lead to a breakdown in how information is organized. This is especially true if the majority of the staffers aren't too technically oriented and responsibilities are widely spread out.

As a consultant for these types of organizations, often one of the first tasks I face is hunting down and listing out all the various pieces of a group's online efforts. Then it becomes a matter of trying to see what they have in there and how things are set up. But who has the log in to your Google analytics? Or to the photo gallery management database? Sometimes I receive a repeatedly forwarded email, which serves as the only record of the account.

I realize this post is going to trigger serious security concerns for some IT managers and that some passwords are so sensitive they should not be written down. However, I still see far more danger in the confusion that regularly exists in a lot of nonprofits and which leads to things like the reckless forwarding of PayPal account information in an email. Not all organizations can realistically implement and track the ideal security and protocols that experts recommend, but not having any system at all is in my mind far worse. So I still recommend naming a known responsible party that is the keeper of "the list" and setting one up. If a password is super critical you can always put "Ask Bob for password" in that field and still have a better grasp on where to find your information.

What to round up
Every organization with a web site should have a master list or system with the main account and log in for each web site, software or tool it uses. Who should create and maintain this differs from organization to organization, but someone should have this information at their fingertips, whether that is a senior staff member or the Executive Director.

If you have the time and capacity to do more, you can tier your log in information based on security concerns and set up a distribution policy related to each tier.

You can also expand this idea to internal programs and systems, but in terms of online activities you might need quick and easy access to accounts like these:
  • Server/Hosting - customer service
  • FTP/file transfer
  • Email - both Bulk Sender and Internal
  • Web Site - CMS system
  • Online Donations
  • CRM
  • Advocacy tools
  • Additional Tools Like Surveys, Learning Management Systems etc.
  • Database Management
  • Google Account - Analytics, Maps, And Apps
  • Other Web Statistics/Analytics
  • Media & Social Network Sites (Flickr, YouTube, Facebook, Myspace)
  • Blogs
  • Conference Calling and Presentation Software sites
  • You Get The Idea...

How to corral all the information?

Create a simple locked (offline) spreadsheet: I find that for many groups all that is really possible or needed is a secure spreadsheet that organizes and shows a list of the relevant information. To give you an idea of what this might look like, I have provided an example spreadsheet of what I have found useful that you can use as a template.

Since this information is sensitive I recommend that it be locked with a password that is easy to remember internally but not likely to be guessed by anyone else. One of my clients uses the first letters of each word in their tagline, for example. And obviously access to this file should be controlled and only given to appropriate and trusted people. Some organizations only keep this in printed form in a locked location for extra security.

Use a password keeper program - This method can be easier and more secure but will take a little more effort and organization to set up. I am not talking about the program features and keychains that come with your operating system here - there are free and low-cost professional programs meant for this very task that are far safer and more suitable.

Although I haven't tried it personally, the KeePass program seems to be the most widely recommended. If you have a program you use that you love (or hate), please leave it in the comments and share your thoughts.

KeePass is a free open source password manager, where you can put all your passwords in one database, which is locked with one master key or a key file.

You can find a handy guide on setting this up from LifeHacker:
http://tinyurl.com/h5btr

For more program options and information there are great ideas and tips at TechSoup forums on this topic:
http://tinyurl.com/3wgh8d

I still recommend starting off by compiling the list above (with or without actual passwords) until you are sure you know what all needs a log in, because it's such a great way to get an overview of your activities and spot redundancy.

Some thoughts on wrangling
  • The organization should designate the official log in to be used when the account name is visible or used as a profile
  • Each staff user should have their own log in for admin tasks when possible, and not share or use the account administrator's main password
    • Helps with security when you experience turnover
    • Help them keep track by providing staffers with your template to use
  • It's also handy to set up a user/pass convention for organization log ins
  • Designate the keeper(s) of the main login sheet or system and make sure everyone knows who that is.
  • Update the info on your sheet or program whenever it changes
  • Have a system to circulate the appropriate log in information to everyone that needs it
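
As an added example (not part of the original post or of any tool it mentions), this small Python check audits an export of "the list" against the guidelines above: every entry names a keeper, high-tier entries hold a pointer such as "Ask Bob for password" rather than the password itself, admin logins are not shared, and the key account categories are present. The column names, tier labels, required categories and sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample inventory; the column layout is an assumption, not the post's template.
SAMPLE_CSV = """service,category,tier,keeper,login,password_field,shared_by
Example Host,hosting,high,Bob,admin@example.org,Ask Bob for password,
Example Registrar,domain registration,high,,webmaster@example.org,PLACEHOLDER-not-a-real-password,
Bulk Mailer,email,medium,Alice,news@example.org,stored in KeePass,
Site CMS,cms,medium,Alice,admin,stored in KeePass,Alice;Carol;Dan
"""

# Categories every inventory should cover (hosting and domain registration tracked separately).
REQUIRED = {"hosting", "domain registration", "email", "cms", "online donations"}
# A password field starting with one of these is a pointer, not the secret itself.
POINTER_PREFIXES = ("ask ", "stored in ")


def audit(csv_text):
    """Return a list of (item, problem) findings for an inventory in CSV form."""
    findings = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["service"]
        seen.add(row["category"].strip().lower())
        if not row["keeper"].strip():
            findings.append((name, "no keeper named"))
        pw = row["password_field"].strip().lower()
        if row["tier"].strip().lower() == "high" and not pw.startswith(POINTER_PREFIXES):
            findings.append((name, "high-tier password written in the sheet"))
        sharers = [s for s in row["shared_by"].split(";") if s.strip()]
        if len(sharers) > 1:
            findings.append((name, f"admin login shared by {len(sharers)} people"))
    for cat in sorted(REQUIRED - seen):
        findings.append((cat, "no entry for this category"))
    return findings


if __name__ == "__main__":
    for item, problem in audit(SAMPLE_CSV):
        print(f"{item}: {problem}")
```
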

Whatever method you choose, just getting started is worth it. Getting a grip on your logins yields an overview of what you are doing, can point out where internal communications blockages occur and can improve efficiency and satisfaction for the people that manage your online efforts.

Especially if you are about to undertake a redesign or change your site software, it's a good time to gather in all your logins and passwords. Doing so can serve as a neat little auditing list - some of the tools you already have access to might even surprise you.

And your consultants will thank you.

Comments

Heather,

This is great, thanks - people really need to see this. I'd echo and emphasize Peter's point - the registration info is actually one of the most difficult to deal with if they've lost the passwords, and the email addresses in the contact info are no longer accessible, etc.

Sometimes, especially in smaller orgs, the ED's cousin's sister's friend registered the domain and did the website five years ago, and who knows where the registration info is when it comes time to do a professional redesign! It's scary how often I find this has happened.

Good point Peter - they are separate line items in the sheet but I should have made those separate bullet items. Actually, I ran into this very issue on a personal project, thinking I had transferred registration to my hosting company 3 years ago, when oops, no I hadn't.

Heather, great post, and important. I'd flesh out a little one of your early bullets: an organization's web site is comprised of (at least) two things - the registration for your domain, and the hosting service. These might be the same provider, but be sure that you have login information for both. Since web site development is frequently outsourced, this is a particularly easy set of passwords to lose track of.