This is an updated version of a post from my personal blog. This situation came up with a client last week and I realized that this reminder is still relevant. Yes, people (and associations) lose passwords.
My kids constantly lose things. Toys, books, jackets, etc. Thanks to password managers, the one thing they don’t lose access to is their Club Penguin and Minecraft accounts.
If only the same could be said for all association staff members managing websites and web-based accounts on behalf of their organizations.
Here’s a real life example. I have a client who lost the password to one of their critical web-based tools. They tried everything they could think of to remember the username and password and got locked out after too many unsuccessful login attempts.
They contacted customer support, who promptly e-mailed password recovery options to the e-mail address on record when the account was established.
However, that e-mail address was the personal email address of an employee who hasn’t worked at the organization in over a year. That employee and their e-mail box are gone. No password recovery. (insert sad sound effect here)
(Note: An added level of complexity is if you have configured two-step authentication and the only phone on record is that former employee's mobile phone.)
That screeching sound you just heard was the brakes being put on all the work they need to do in that online tool while the mess gets sorted out.
There has been much written about not letting interns set up your social media accounts or the fact that Facebook used to allow eternal admin rights to a page creator regardless of that person’s affiliation with the organization or page (which has thankfully been changed).
But here’s another thing to consider when having your team set up these accounts – people leave jobs.
Even trusted, valuable, loyal people.
Your webmaster or marketing director who set up your Google Analytics, YouTube, Flickr, Facebook, LinkedIn pages and controls your online presence may call you tomorrow to tell you they won the lottery and won’t be coming in. Or you might have layoffs and your HR policy requires you immediately lock that person out of their systems access.
(FYI, I also don't recommend connecting accounts to a vendor's email address or letting them have sole access. We had a client who only had access to their Google Analytics through a previous vendor's login. We had to create a new Google Analytics account and they lost all historical data.)
Here’s where internet policy and web governance are critical.
First, when managing the website and online tools, create a generic e-mail box that system administrators can always have ready access to – something like a firstname.lastname@example.org. Make sure that this is the primary e-mail address associated with those accounts. Also, make sure to add to your internet usage policies that staff may not set up accounts for critical business tools under their personal e-mails.
Next, go back and look at all your accounts. What’s the primary e-mail associated with each account? Change them all to your master generic account. If you want to segment access and allow staff access to specific web-based tools, buy additional licenses or set them up as secondary users.
As for that client in this situation? Everything worked out fine. Through a friend of a friend we eventually reset that password so they had access and continued their efforts. But it stalled their work and took a couple of weeks to sort out.
The bottom line is that access and ownership of an association's website and marketing systems need to be managed by the organization with an eye on the future. Make sure to plan for staff changes and email changes.
With good policies, infrastructure, foresight and planning these messes can be avoided.
Photo Credit: Flickr, ~Brenda-Starr~