Recommendations for Password Management

[mattvchandler]

I was recently called as STS, and on my first visit to the Stake Clerk's office, I noticed a list of zoom account passwords posted above the clerk computer, and a sticky note on the computer itself with the windows acct password. I've seen similar lists on the other clerk computers around the stake.
I know some of the users of these computers aren't the most tech literate, and I don't want to add additional hurdles for them, but easily visible password lists are a major security problem in my opinion.
Firstly, does the church provide or recommend any password management software? My work uses Keeper, and I think something like that, or another shared pw repository with per-user access controls, would work well for us.
Is there any church policy on password management that I could point my users towards as a justification for this change?

[russellhltn]

I have not seen any.

If it were me, if suggest the clerks move the password out of view to someplace more hidden from casual observation. Enlist the support of the stake clerk as needed.

[BrianEdwards]

Like many others, I've been in church buildings where the clerk's office remains open and unattended for long periods of time on Sundays, so I understand your concerns. Regarding zoom account passwords, my experience is that they are often shared via email with others, which is an inherently open-door policy for re-sharing without leader knowledge. There's nothing sensitive about a church Zoom account, although having random members accessing the Zoom account wouldn't be what's desired.

And I don't know what sensitive data is stored on a clerk's computer that does not require a leader login. GHB 33.9.1.2 "Shared Computers and Data Storage" indicates that simply logging onto a clerk's computer shouldn't provide access to unauthorized information.

I fully support better password privacy practices to protect church accounts, just thinking out loud about this specific scenario.

[sbradshaw]

At a minimum, I would request that the clerks move the passwords list to a drawer or file cabinet (preferably locked). They can be accessed when needed, without being visible to anyone who wanders by.

[djatropine]

have you ever looked into a combination of tomb file encryption & keepassxc ?

[jcbrown00]

Remember that any password manager program (you pick the brand...) is always tied to some sort of central "knowledge" linked to an account to access the passwords being managed - a master key, if you will. This knowledge has to survive your time as STS. Passing the master key to another person isn't always clean, since whoever has the key may not be available to pass it along. In other words, probably not advisable...

Therefore, a sticky note in a desk, is not much worse. A unit with lots of free access to the clerk's office should seriously reconsider their physical security and access policy! A locked door with trusted access to only those with a need-to-access is one of the layers of security around our computers. Please take it seriously.