Tuesday, July 27, 2010

Volunteer Management Software Security (or lack thereof)

At each of the last two volunteer management conferences I have been at there has been another new volunteer software vendor. Upon looking into each of these packages I found something quite frightening.

Both software systems let a user’s password sit exposed on the user’s profile page. While this might appear to be convenient for the volunteer, it represents a security vulnerably that cannot be overstated. If it gets displayed on the page then it can be read directly from the database. In one of the two systems the page was not even using SSL (the encryption technology that should be used when sending private information over the internet). This means that the password (along with anything else) could be intercepted in transmission. Even with SSL in place passwords should be encrypted while stored on the database. This ensures that even if other security measures should fail, the passwords (which are often the same passwords used for other sites such as banking) are protected. It is not that the other systems are prone to failure but good security looks to protect from more than one angle.

If you are looking at new volunteer management software, be certain that SSL encryption and password encryption to your “must have” list.