July - August 2018

Written by Mark Evilsizor
From his column Church Tech

There is a problem in the church, and it’s time we talked about it—the password file. When I have worked with organizations on security issues, I have often discovered the keys to the kingdom saved as an ordinary file, usually a spreadsheet, in a location where staff can access it. I understand the need. Even the smallest organization can have 100 or more passwords which are important and need to be shared by multiple employees. For example, if only one person has access to the credentials for the church website, and that individual goes on vacation, it might be difficult to get the word out about rescheduling the annual picnic due to the big lemonade coolers being used at Sally’s wedding.

Some organizations do set a password on the password file, but these are not very secure. A quick search provides a handful of easy ways to bypass this screen-door security, and these tools work very well. This means anyone who gets onto your church network, perhaps an intern, perhaps a disgruntled parishioner via the insecure media PC in the sanctuary, needs only to find this one file, password.xlsx or keys.xlsx. They can then access everything. This may include communications, giving records, bank accounts, counseling logs, etc. In short, someone could do a lot of damage if they want to.

It is time to find a better option, a password keeper. There are several good tools to assist with this. Let’s take a look at the essential features needed for any solution you choose.

First, it must be convenient to use. If not, you will have a hard time convincing other staff to embrace it. Many of the leading options have free versions you can try before you buy, and that would be a good way to see if it works for your organization. Convenience can be evaluated by how easy it is to create new credential records and use them. A good solution integrates with your browser and, as you log into systems, offers one-click memorization of credentials. Once created, it should default these credentials into the site automatically when you visit it again. It should also allow for manual entry of credentials to serve as a vault for resources which are not accessed via the browser.


One convenient feature is the ability to access your credentials wherever you are. This means the solution should have an app. With an app, if you are on the road and need to access your church's social media accounts or other resources, you can easily log in by referencing your organizational credentials.

Second, a good solution should facilitate easy sharing. It should be possible to gather credential records into sets of different groups of people who can access them. Those with only social media responsibilities need to access Facebook and Twitter, but not the worship order planning system. The system should also facilitate keeping credentials which are not shared, but are accessible only to an individual staff member. For example, counseling records may only be accessible to the counselor.

Third, security features are important to consider as well. A good solution features multi-factor authentication (MFA). This added layer of verification, which sends the user an access code via text or email, prevents someone with bad intentions from accessing your credential vault even if they do gain your username and password. You may want to require that accounts with full access turn on MFA. An MFA that balances security and convenience usually only requires the second factor on a new PC/browser combination and perhaps once every 30 days after that.

You also need to decide whether or not the administrator of the password keeper should have access to all records. The two systems I have used provided mechanisms for individuals to have passwords which even the administrator could not access. This assured the controller that a rogue IT person would not be able to access wire transfer credentials. It’s also worth taking time to understand the security model, i.e., are the encrypted passwords stored on a website, on the network server, or on each staff person’s PC? Understanding this information will help you to plan ahead for possible scenarios, like a breach at the company that created the system, or what the response should be if a particular computer crashes or becomes unavailable.
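The two properties described above, group-based sharing and records that even the administrator cannot read, both fall out of one design: every credential is encrypted on the staff member's own PC under a key derived from their master password, and the server (whether a vendor's website or the church's network server) stores only ciphertext. The following is an added illustration of that model, not code from the column or from any of the products it names. It is a simplified model: the PBKDF2 work factor, the group and user names, the sample passwords and the toy HMAC-based cipher are all constructed for the example, and a real product would use a vetted cipher such as AES-GCM and would wrap group keys under each member's public key rather than under a key the sharer can see.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000  # assumed work factor; real products tune this per device


def derive_user_key(master_password: str, salt: bytes) -> bytes:
    """Computed on the user's own PC from the master password; the key never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one record key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, a toy stand-in for a real stream cipher.
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (stands in for an AEAD such as AES-GCM): nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered record fails here instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class VaultServer:
    """Everything the hosting company or the local IT admin can see: salts and ciphertext only."""

    def __init__(self):
        self.salts = {}         # user -> PBKDF2 salt (not secret)
        self.wrapped_keys = {}  # (group, user) -> group key sealed under that user's key
        self.records = {}       # record name -> (group, credential sealed under the group key)

    def enroll(self, user: str, master_password: str) -> bytes:
        self.salts[user] = os.urandom(16)
        return derive_user_key(master_password, self.salts[user])

    def create_group(self, group: str, user: str, user_key: bytes) -> None:
        self.wrapped_keys[(group, user)] = seal(user_key, os.urandom(32))

    def add_member(self, group, sharer, sharer_key, new_user, new_user_key) -> None:
        # Simplification: a real keeper wraps the group key under the new member's public key.
        group_key = open_sealed(sharer_key, self.wrapped_keys[(group, sharer)])
        self.wrapped_keys[(group, new_user)] = seal(new_user_key, group_key)

    def store(self, name, group, user, user_key, credential: str) -> None:
        group_key = open_sealed(user_key, self.wrapped_keys[(group, user)])
        self.records[name] = (group, seal(group_key, credential.encode()))

    def fetch(self, name: str, user: str, user_key: bytes) -> str:
        group, blob = self.records[name]
        wrapped = self.wrapped_keys.get((group, user))
        if wrapped is None:  # no wrapped key for this user: nothing on the server can decrypt it
            raise PermissionError(f"{user} is not a member of group {group!r}")
        return open_sealed(open_sealed(user_key, wrapped), blob).decode()


def demo() -> dict:
    """Constructed scenario: a social-media volunteer reads the Facebook login but not the
    counselor's record, and the admin (who runs the server) is locked out of counseling too."""
    server = VaultServer()
    admin_key = server.enroll("admin", "admin-sample-passphrase")       # constructed sample passwords
    sally_key = server.enroll("sally", "sally-sample-passphrase")
    counselor_key = server.enroll("counselor", "counselor-sample-passphrase")

    server.create_group("social-media", "admin", admin_key)
    server.add_member("social-media", "admin", admin_key, "sally", sally_key)
    server.store("facebook", "social-media", "admin", admin_key, "fb-password-constructed")

    server.create_group("counseling", "counselor", counselor_key)  # the admin never joins this group
    server.store("counseling-notes", "counseling", "counselor", counselor_key, "notes-password-constructed")

    results = {"sally_reads_facebook": server.fetch("facebook", "sally", sally_key)}
    try:
        server.fetch("counseling-notes", "admin", admin_key)
    except PermissionError:
        results["admin_blocked_from_counseling"] = True
    try:  # a mistyped master password derives a key that fails the tag check
        server.fetch("facebook", "sally", derive_user_key("wrong password", server.salts["sally"]))
    except PermissionError:
        results["wrong_password_rejected"] = True
    return results
```

The point to take from the model is the planning question the column raises: if the vendor's website or the network server is breached, an attacker gets `VaultServer`'s dictionaries and still needs each staff member's master password to turn them into credentials, which is why the strength of master passwords and MFA on the vault account matter more than where the ciphertext sits.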

There are a number of password keepers on the market. Some of the more popular ones are: LastPass, Dashlane, ManageEngine, and Keeper. Each of these offers a downloadable trial version.

Passwords are a part of life, even in the church. Properly protecting your organization’s passwords might be one of the easiest and least expensive steps you can take toward improving your security posture and honoring your parishioners by keeping their information safe.

Mark Evilsizor has worked in Information Technology for more than 20 years. He currently serves as head of IT for the Linda Hall Library in Kansas City, Mo. Views and opinions expressed are strictly his own.