Reevaluating Password Protection

Safeguard financial data and other sensitive information through effective password strategies.

Many churches have annual audits performed by CPA firms, often to satisfy the terms of building loans or to help demonstrate integrity in their finances to a watching world. Both are good reasons.

And these days, auditors are also paying attention to potential IT issues. This is part of their due diligence to see if things are being done correctly. However, many of those auditors do not have professional IT training or experience, but simply work through a series of scripted questions and record the responses.

Even so, through this process, CPAs have heightened everyone’s sense of appropriate IT security. Some things they brought attention to are very good, such as locked server rooms. However, on password strategies, they may have hurt us by recommending we change passwords every 90 days. The practice of changing passwords so often in churches actually lowers security! When employees or volunteers change passwords, the new passwords are often written on Post-It® notes or taped on monitors and displays.

On March 2, 2016, the website operated by the Federal Trade Commission (FTC) published a post stating that policies requiring regular password changes were “less beneficial than previously thought, and sometimes even counterproductive.”

The post goes on to reference two studies that caused researchers to draw the conclusion that “frequent mandatory [password] expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely.”

What I recommend, instead, is the following password policy:

  • Passwords must be a minimum of seven characters and include uppercase and lowercase alpha characters, numbers, and common punctuation.
  • Passwords must never be shared with others, and they never expire. They will be replaced if a breach occurs.
  • Passwords can only be set by the IT department and are maintained in an encrypted file for reference.

This policy makes for easy-to-remember passwords since it accommodates most Bible verse references. It also helps to eliminate the Post-It® note issue. If people tell IT they need a new password because they shared it with someone, IT can give them a new one and update their documentation. If someone does that often, the situation should be referred to leadership for possible action.

This article is adapted from Nicholaou’s book Church IT: Using Information Technology for the Mission of the Church.
