Passwords and Security for Associations
Most people agree that passwords sent via postal mail are a bad idea. Think about it this way: would you like your Social Security number mailed to you? Just think of how that silly number is the gateway to all of your most safeguarded secrets (i.e. your bank account, your net worth, your hospital records, etc.). If a password is compromised, someone can use it to gain very vital information on almost any site. The end result could be some of this information being compromised.
Yes, the fact is that a LOT of people use the same passwords for many, many things (myself included). Here is a thought:
- Have different levels of passwords
- easy level (i.e. cat) – for stuff I don't care about, generate something boring
- medium level (i.e. cat12%7#) – for moderately important stuff, generate something meaningful with some numbers and characters
- difficult level (i.e. Vidh4(87!90dc@0dc) – for things that are vital to keep secure, generate something totally wacky and random that is even difficult for you to remember
I suggest this level of security for others too, but the truth is that not everybody wants to remember even 3 passwords, let alone a few hundred for every site they are registered on.
In software applications passwords should not be visible to anybody! Not even administrators. Any good software or developer will have a password system that automatically resets a password for users who have forgotten their own. This type of system is set up this way so nobody can retrieve your password. Therefore if it is lost or forgotten, it must be recreated.
Another thing that is very, very, very, very BAD is sending passwords via e-mail. E-mail is probably a billion (that's a lot!!) times less secure than sending it via postal mail. The reason is that all e-mails that are sent back and forth are not encrypted. Anything that travels across the internet unencrypted can be sniffed out by people "watching". This is why when you submit credit card information, the site uses a secure socket and a certificate, just so it can encrypt those numbers for you. Believe me, "watching" information travel back and forth from one person to another is not very difficult to do. So please don't send passwords, credit card information, or social security numbers over e-mail. Otherwise you will get your identity stolen, or maybe you'll be lucky and it will just be your credit card number; neither of which is fun.
So when you purchase your next system (or update the existing one), make sure your developers/resellers are storing passwords securely (encrypted) and NOT e-mailing them to members or staff.
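As an added illustration of the two points above (passwords stored so that not even an administrator can read them back, and recovery by reset rather than retrieval), here is a small example written for this post, not code from any association software. The in-memory `USERS` table, the function names and the 15-minute token lifetime are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory "member table": username -> record (assumption; a real
# system keeps this in a database). Only a salted hash is ever stored, so an
# admin or a leaked table cannot reveal anyone's password.
USERS: dict = {}
PBKDF2_ROUNDS = 600_000          # slow on purpose; tune to your hardware
RESET_TTL_SECONDS = 15 * 60      # reset links should expire quickly

def _clock(now: Optional[float]) -> float:
    return time.time() if now is None else now

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def set_password(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    # Creating a fresh record also discards any pending reset token.
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "reset": None}

def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

def start_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a one-time reset token; the caller e-mails a link containing it
    (never the password itself). Only the token's hash is kept server-side."""
    rec = USERS.get(username)
    if rec is None:
        return None  # respond to the user identically either way
    token = secrets.token_urlsafe(32)
    rec["reset"] = {"hash": hashlib.sha256(token.encode()).digest(),
                    "expires": _clock(now) + RESET_TTL_SECONDS}
    return token

def finish_reset(username: str, token: str, new_password: str,
                 now: Optional[float] = None) -> bool:
    rec = USERS.get(username)
    if rec is None or rec["reset"] is None:
        return False
    pending = rec["reset"]
    rec["reset"] = None  # single use: any attempt, right or wrong, burns it
    if _clock(now) > pending["expires"]:
        return False
    if not hmac.compare_digest(pending["hash"], hashlib.sha256(token.encode()).digest()):
        return False
    set_password(username, new_password)  # the old password is gone, not recovered
    return True
```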
*Modified post from a question submitted to the ASAE Listserv