Set Better Student Password Generation Guidelines: Here's How to Do It

Increasingly, school districts are reporting pushback from auditors regarding the rules used for generating passwords for the student population.

Why you ask?

Because experienced auditors are rightly concerned about predictable passwords, creating opportunity for misbehaving students to wreak havoc on others’ accounts, potentially even with legal consequences for students or administrators.  This can quickly become a massive problem. 

In this post, I am going to show you a few ideas and tips on how to set stringer guidelines for how you and your district create your student passwords.

Examples of Password Hacks by Students

For example, for a password pattern comprising a student’s first and last name, followed by their birthday, is easily guessable by anyone who knows those 3 things about the student. 

It can be made even worse by using something as simple as the student ID as the password.  I know of a district that used this and then stored this value in an attribute in Active Directory.  A more resourceful student used a simple LDAP browser to download a list of every students username, email address and password.  This isn't even a "hack" because the information was made readily available to anyone that was looking in the right place.

Choosing a Stronger Password

An alternative employed by some is to allow students to choose their own passwords after first logging in using a default password generated from a predictable pattern.

However, this approach invariably leads to other problems. If the district sets password complexity requirements to recommended levels, students will be forced to create a password they are less likely to remember, leading to loss of instruction time as IT staff (or teachers, if the district is using K12 Services, or another provisioning system allows teachers this capability) respond to password reset requests, particularly from younger students.

On the other hand, if the district lowers the bar on password length or complexity, students will gravitate towards creating passwords that are easy to guess, easy to hack, or both.

So what can be done? K12 Services has designed a specification in conjunction with teachers, linguists, and security researchers from Lithik Systems, a provider of IT security software for K-12 districts as well as organizations in other regulated industries such as banking and healthcare. The specification successfully overcomes the challenges listed above and is made publicly available thanks to K12 Services’ belief in the power of shared knowledge.

The specification is as follows:

• jSmith0414.OTTER

Or, in variable terminology:

• {lowercase first initial}
• {Title Case Last Name}
• {birth month}
• {birth date}
• {literal "." character}
• {UPPERCASE RANDOM WORD}

At first glance this pattern may not seem worth the hype, but it is important to note the way it checks each of the critical boxes for a password pattern that is hard to hack, hard to guess, and easy to remember.

First of all, given its length and variety of character types (uppercase, lowercase, numbers, and special characters), this would not be an easy password to hack. It’s unlikely to appear in even the most extensive lists of passwords (called rainbow tables) a hacker would use if he were trying to breach a student’s account, even for a student with a common name.

Second, thanks to the inclusion of a random word, this password would not be easy for another student to guess, even knowing the name and birthday of the accountholder. It’s worth noting that some proponents of random word inclusion have suggested using multiple random words, but the specification proposed above intentionally avoids that formula due to the possibility of inadvertently generating an offensive phrase even from a clean list of words. (It should not be difficult to imagine how innocent words such as “banana” and “hammock” could be accidentally juxtaposed to inappropriate effect, and there are thousands more obscure possibilities.)

Finally, because the password contains only one random word, and is otherwise derived from personal biodata about the student it belongs to, it would not likely prove difficult to remember, even for younger students. This point is particularly strong if the list of words is curated by a linguist to include an abundance of easy-to-spell words that associate strongly with a mental image (such as “tiger”, and as opposed to “aspect”).

If desired, the random word could even be limited to a certain number of letters depending on the grade of the student. One important caveat is that the word for each student should be chosen predictably by software in such a way that it does not need to be stored in a server where a hacker could obtain it, but also does not change to a new word if the student forgets their password and must have it reset. A student whose password changes every time it is reset is not likely to internalize the password over time, and will continually require new passwords to be generated, frustrating the student and detracting from instructional time.

Surrounding random words will require the use of an advanced provisioning system.  If your district does not have this in place, you can find out more about how we help districts tackle this challenge through our own software. Feel free to schedule a software demo with me and I'll show you how it works.