Welcome to the joys of small non-profits! (Actually, they can be very rewarding. But they are a culture all their own, as you are discovering.)
Non-profits of all sizes are infamous for not fixing things until they are broken, often badly, because resources are always in high demand--time being as much a resource as money. They rely on personal relationships to streamline projects and processes, which works until it doesn't--the field's ongoing and serious problem with embezzlement being one result.
Since your director is relatively new and you have some technology cred, you might be successful with some facts and anecdotes (which I suggest presenting as "best practices" rather than any commentary on anything going on at your actual office--try your field's professional organization for suggestions). You should be prepared for the fact that you might not be, especially if the office manager pushes back.
That doesn't mean there is nothing you can do! You can manage your own computer in a more secure manner: don't let your browser save passwords, change the passwords of the accounts you control (the social media) regularly, log into the social media accounts only when working on them, insist on changing your password quarterly, and regularly encourage your co-workers to change theirs too. If anyone asks you why, just smile and say that it's considered current best practices.
You can also break the problem into chunks. For instance, talk to your director about shifting over to expiring passwords and leave the office manager's access out of it for now. If everyone is changing passwords on a frequent basis, the office manager may not be as motivated to keep up with it all.
I also encourage anyone working in the non-profit field (or any field, really) to read the book Switch by Chip and Dan Heath. The topic of the book is getting people to change behavior when you don't have authority over them--I learned a lot that I use often!