Strong Authentication

Passwords, password managers, 2FA and the human layer of access.

The single biggest control you have

In most NGO incidents, the attacker did not "break in" — they logged in. Stolen, reused or guessed credentials remain the dominant root cause of compromise. Getting authentication right is the single highest-leverage thing you can do.

Passwords: what actually matters

Length over complexity. A 16+ character random password beats "P@ssw0rd1" by many orders of magnitude.
Unique per service. Reuse turns one breach into many.
Never typed twice from memory. Use a password manager.

Password managers for teams

A team password manager (Bitwarden, 1Password, Proton Pass and similar) generates unique random passwords per service, syncs across devices, and lets you share specific credentials with specific people. When a staff member leaves, you revoke their access in one place.

Pick one tool and use it for the whole organization.
Protect the manager itself with a strong master password and 2FA.
Never store wallet seed phrases inside the password manager.

Two-factor authentication (2FA / MFA)

2FA means proving who you are with something you know (password) AND something you have (a key, an app, a device). Not all 2FA is equal.

Best: hardware security keys (YubiKey, SoloKey) using FIDO2 / WebAuthn. Phishing-resistant by design.
Good: authenticator apps (Aegis, Raivo, 1Password, Authy without cloud sync).
Weak: SMS codes — vulnerable to SIM swap. Use only if nothing else is available.
Avoid: "security questions" as a real factor; treat them as additional passwords.

Where to apply strongest 2FA first

Primary work email (it controls password resets for everything else).
Password manager.
Finance accounts, exchanges, treasury tools.
Admin consoles for cloud / hosting / domains.
Social media accounts used in advocacy.

Practical rule of thumb: if losing this account would seriously hurt the organization, it deserves a hardware key.

Joiners, movers, leavers

Access control is not just about login screens — it is about who has access at all. Maintain a simple list of services and who has access to each. When someone joins, grant the minimum needed; when their role changes, adjust; when they leave, revoke the same day.
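The two checks above (strongest 2FA on the accounts that matter most, and same-day revocation when someone leaves) can be run against the simple access list this section recommends. The following script is an added example, not part of the original module: the service names, people and roster are constructed, and the factor ranking follows the tiers given earlier on this page.

```python
# Added example (not from the original module): audit a small access register.
# Flags (1) grants still held by people no longer on staff, and (2) critical
# accounts whose second factor is weaker than a hardware key.
from dataclasses import dataclass

# Second-factor strength, following the module's tiers (higher is stronger).
FACTOR_RANK = {"none": 0, "security_questions": 1, "sms": 1,
               "totp_app": 2, "hardware_key": 3}

# Account categories the module says deserve the strongest 2FA first.
CRITICAL_CATEGORIES = {"email", "password_manager", "finance",
                       "admin_console", "social"}


@dataclass(frozen=True)
class Grant:
    person: str
    service: str
    category: str
    second_factor: str  # one of FACTOR_RANK's keys


def audit(grants, current_staff):
    """Return (to_revoke, needs_hardware_key) as two lists of Grant."""
    to_revoke = [g for g in grants if g.person not in current_staff]
    needs_key = [g for g in grants
                 if g.person in current_staff
                 and g.category in CRITICAL_CATEGORIES
                 and FACTOR_RANK.get(g.second_factor, 0) < FACTOR_RANK["hardware_key"]]
    return to_revoke, needs_key


# Constructed sample register and roster; names and services are made up.
SAMPLE_GRANTS = [
    Grant("ana", "Google Workspace", "email", "hardware_key"),
    Grant("ana", "Bitwarden", "password_manager", "totp_app"),
    Grant("ben", "Bank portal", "finance", "sms"),
    Grant("ben", "Advocacy social account", "social", "hardware_key"),
    Grant("carla", "Cloudflare DNS", "admin_console", "totp_app"),  # carla has left
    Grant("ana", "Internal wiki", "other", "none"),  # not critical, not flagged
]
SAMPLE_STAFF = {"ana", "ben"}

if __name__ == "__main__":
    revoke, upgrade = audit(SAMPLE_GRANTS, SAMPLE_STAFF)
    for g in revoke:
        print(f"REVOKE today: {g.person} still holds {g.service}")
    for g in upgrade:
        print(f"UPGRADE to hardware key: {g.person} on {g.service} ({g.second_factor})")
```

Run it whenever the staff roster changes; an empty output means the register matches the roster and every critical account is behind a hardware key.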