Student Passwords in K-12: Learn How To Do This Better
The more conversations that I have with school districts, the more this subject comes up. Everyone is dealing with cybersecurity-related issues. They are having to write policies if they don’t have them and implement them once they do. This primarily involves staff and forcing two-factor authentication (2FA) for everything that may contain sensitive information.
Thankfully, more and more people in charge of technology at K-12 schools are starting to ask themselves: if we are teaching our staff how to be better digital citizens by securing their online accounts better, why aren’t we teaching our students better? For many districts, but certainly not all, we are actually teaching students BAD behavior. We are setting passwords based on a pattern that everyone knows and not allowing them to change it.
I understand from a practical standpoint that there are benefits to being able to log in as a particular student to troubleshoot a reported problem with that student’s account. I think that the value of this is trumped by the negatives that come from this practice:
The student has an easy out if they are ever accused of doing something inappropriate online. “All of my teachers know my password; you can’t possibly be sure that I did that” is a very reasonable defense.
It opens opportunities for bullying or abuse from other students. If I really don’t like another student, I can log in as them and delete the homework that is due tomorrow.
It doesn’t teach a student that their password is personal and that they are the only person that should know it.
It doesn’t teach the very normal life skill of changing passwords at least occasionally and having a way to remember them.
It teaches the opposite of good behavior by having every one of their online accounts use the same password. (I do also understand what a nightmare this would be for every single teacher, so this one probably must wait until after they graduate.)
There are two different ways to improve this situation. Each of them has its benefits and some drawbacks. We will dig more deeply into each of these:
Creating more complex passwords when we create a student account.
This can teach better passwords. Staff can still know the password if needed for troubleshooting. It may reduce the opportunity for abuse from other students, but if it is based on a pattern of data, this can still be figured out. A random word, or even multiple random words, can be used to make a much better password. (This creates a different logistical problem that we have solved very elegantly.)
If this is based on a pattern, students will eventually figure out each other’s passwords. It doesn’t teach the student that this is personal and that they are the only ones that should know their password.
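As an added illustration (not code from this article or from the vendor's product), the sketch below generates a multi-word initial password with a cryptographically secure generator and checks whether a password can be derived from the student's own record. The word list, the record fields and the `jr204815` pattern password are constructed for the example.

```python
import math
import secrets

# Constructed sample list for the demo; a real deployment would load a curated
# list of several thousand age-appropriate words.
WORDS = ("apple banana cactus dolphin eagle forest guitar hammer island jacket "
         "kitten lemon magnet napkin orange pencil quilt rocket saddle tiger "
         "umbrella violin walrus yogurt zebra anchor bridge candle desert "
         "engine feather garden").split()

def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy in bits when each word is drawn uniformly and independently."""
    return n_words * math.log2(wordlist_size)

def generate_passphrase(words=WORDS, n_words=3, sep="-") -> str:
    """Pick words with the OS CSPRNG (secrets), never random.random()."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def derivable_from_record(password: str, record: dict) -> list:
    """Return the record fields whose value appears inside the password.

    A non-empty result means anyone who knows that field (name, ID,
    birth year) has a head start on guessing the password.
    """
    lowered = password.lower()
    return [field for field, value in record.items()
            if len(str(value)) >= 3 and str(value).lower() in lowered]

def provision(record: dict, words=WORDS, n_words=3) -> str:
    """Generate an initial password, rejecting any draw that leaks a field."""
    while True:
        candidate = generate_passphrase(words, n_words)
        if not derivable_from_record(candidate, record):
            return candidate

if __name__ == "__main__":
    # Constructed student record and a hypothetical pattern-based password.
    student = {"first": "Jordan", "last": "Rivera",
               "id": "204815", "birth_year": 2012}
    print(derivable_from_record("jr204815", student))  # fields the pattern leaks
    print(provision(student))                          # random three-word password
    print(round(passphrase_bits(len(WORDS), 3), 1))    # tiny demo list
    print(round(passphrase_bits(7776, 3), 1))          # 7,776-word list
```

The demo list is far too small for real use; the entropy figures show why the size of the word list matters as much as the number of words.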
Having students manage their own passwords.
This can be used as a tool to teach better passwords. Nobody knows a student’s password unless they share it themselves. This teaches personal accountability. You can have more confidence that if something inappropriate was done with the account, it was the student that did it themselves.
Students will forget their password. Teachers need a way to address forgotten passwords in a way that is not disruptive to the classroom, but also allows the student to have the issue resolved quickly so that they can participate in the scheduled activity. Students can abuse this by changing their password and then claiming that they don’t know it.
A solution from Student Provisioning Services
If these challenges resonate with you and you want to explore a solution that addresses all of them, please reach out and find out how we make this simple and easy for you, teachers and students.