In my experience, employees of Church institutions are just as bad, if not worse than employees anywhere else.[1] I’ve seen passwords on Post-It notes on desks, passwords that were first names, passwords that are names of the parish or town or address or phone number or zip code or a combination. I’ve seen user accounts for databases, web sites, and even donor databases shared by multiple individuals, including volunteers who come and go. And then there are the passwords that are used every place: web site login, the secretary’s email, and the Quickbooks database, not to mention someone’s personal Facebook profile so that if the password is compromised in one place, it’s compromised everywhere.
So what’s the problem? Disgruntled employees, nosy neighbors, cyber crooks are just a few of the potential problems. They could delete donor/parishioner records or snoop into confidential files. If a parish uses online giving or online religious education registration, then it even exposes parishioner credit card and other financial information.
But a solution to this problem is readily available for almost any situation. The place to begin is with password management software. There are several good choices, but my preference is 1Password from AgileBits Software, which is available for Mac, Windows, iOS and Android. The concept behind 1Password is simple: The software has hooks in your web browser and when it detects you are at a password creation screen, it offers to generate a password for you that can be more than 20 characters long, using numbers, letters, and symbols for maximum security. Of course, you’re not going to remember that password off the top of your head, so 1Password saves it in its database, and then for every single place you need a password, you can generate a unique and very secure password because you don’t have to keep track of it. When you need that password to login again later, you activate 1Password in your browser and it fills in the username and password automatically.
And when you’re done with your logins, you lock up 1Password and then you only have to remember the one password that unlocks it again, hence the name “1 password.” Even better, that one password is doubly secure because it never travels over the Internet to lock or unlock anything, just the software on your computer. And if one of your passwords is compromised, only the password for that site will need to be changed because you have created unique passwords for every site. 1Password also has a feature called Vaults, which allow you to share parts of your secure password database with a co-worker or the boss, for example, without exposing all your passwords.
Like I said, this is just one password manager. There are others that work just as well with different features and different models of security, like LastPass and Dashlane, to name two.
I think that secure password management is so vital to good stewardship of parishes and ministries that the cost of a password management utility should just be considered the cost of buying a computer. In this day and age, password management is a part of basic computer skills.
Likewise, good password management software is useless if there aren’t strong workplace policies to back them up. Employees and volunteers alike have to know that they have a duty to secure the virtual front doors and back doors of the Church that is just as real as the duty to lock the doors of the offices. We wouldn’t put the weekly collection in the top drawer of the secretary’s desk in an unlocked office, but that’s what we’re doing in a virtual sense when we use bad and insecure passwords.
For thousands of years the Church has safeguarded the patrimony entrusted to her, whether the world’s great artworks or the sins entrusted to her in the Sacrament of Confession. In that spirit, we should continue to safeguard the more mundane business affairs of the Church and her people as well. An essential ingredient in those best practices is good password management.
Update: Allison Sheridan of the NosillaCast podcast made a video with a good, simplified explanation of the importance of strong unique passwords. If you think your password system is good enough, then watch this video to see why you need to step up your game:
Meanwhile, the Naked Security blog at Sophos.com offers some more information about password practices and how insecure we all really are.
According to a new report from password manager and digital wallet company Dashlane, a survey of 3000 people, evenly distributed between the US, the UK and France, found that 53% of US respondents have shared a password with a colleague.
The younger the employee, the more likely they are to think that the sharing economy includes passwords: 67% of respondents aged 16-24 said they've shared passwords; it drops to a still-dismal 59% in the age bracket of 25-34, 52% with 35-44-year-olds, and a still quite lame-o 46% of those 45-54.
That's just one of several sobering studies they quote. I suggest you read it all and then take action.
Update 2: 1Password has become an even better tool for password management now that they offer 1Password for Teams as well as 1Password for Families. Considering all that you get bundled in, it's a great deal.
- In this, I am not speaking of my current employer, the Catholic parishes of Walpole, Mass. where we are implementing better password policies than most. ↩
