We have all had to deal with student password issues. Although we are not all security professionals, we know that we should be doing all we can to make our environments more secure. We also need to teach students sound principles and demonstrate exemplary practices so that they grow into responsible adults. One of the challenges is that the typical classroom teacher is working with 25 or more students. Add to that the keyboard challenges that “the littles” face, and it gets even more problematic. Fortunately, companies like Clever and GG4L offer badge solutions to help solve this problem, even for the youngest of students. But those solutions don’t cover every situation, and applying best practices in password management is still up to us.
Five principles surrounding this problem are in tension with each other, and each district must decide which way to lean. Here are some general guidelines to consider:
- Passwords should never be written down.
- Master documents where all accounts and passwords are stored are not only a terrible idea; keeping one is also against Google’s AUP (among others). (See story below.)
- If passwords are randomly generated, they must be stored in a secure way that a teacher can access to communicate the password to the student.
- If passwords follow a predictable pattern, it is easier for any student to guess another student’s password.
- Passwords must be at least eight characters long to meet Google’s minimum requirement.
- Passwords should not be stored as clear text in an attribute of your local directory, even if that makes them easier to access.
I have a story from one of my customers, an early adopter of Google Apps for Education, that informed my thoughts on this topic. This district was deploying new laptops for teachers. The Technology Department needed to log in as the teacher to back up documents, log in to the new laptop, and transfer the files back to the new machine. To make this easier for all involved, they created a master Google Sheet with all usernames and passwords for the technicians. Within a few days, they were notified by Google that they were in violation of their AUP and that their document had been seized. They attempted to regain access to the file, but Google’s response was that it was not possible. Not only did this disrupt their workflow, but now Google had all their staff passwords and refused to give them back.
The best solution is a predictable pattern that includes some portion of personal information that only the student or their closest friends would know. One option for that would be:
Capital First Initial, Lower Last Initial, Two Digit Date of Birth Month, Two Digit Date of Birth Day, and Last Two of the StudentID.
For a student named Joey Smith with a DOB of 05/22/2015 and a studentID of 12345, this would result in a password of Js052245.
This recommendation is not perfect. For example, if the school’s daily announcements include students’ birthdays, a student with malicious intent could gather the password information needed to determine another student’s password.
There is also a substantial risk in storing the password in an attribute to make it easier to display for Technology staff or teachers. Many attributes can be synchronized to Google through profiles. That is convenient for staff, but unfortunately, this method makes it easy for any student to look up another student’s password. It is also very simple to download an LDAP browser application. Then, all that is required is any user’s credentials to connect to a domain controller. Once a connection is made, if all passwords are stored in an attribute, a person can export all of the accounts with passwords into a file for reference. I know of a school district that had this happen to them. It is not that difficult to figure out and makes for a very bad day for all staff, students and technology workers.
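One way to check your own directory for this problem, as an added example that is not part of the original article: the script below reads an LDIF export and reports which entries and attributes hold a value shaped like the password pattern described above, without ever echoing the value. The LDIF input, the attribute names, and the function names `parse_ldif` and `audit` are assumptions of this example, and the sample data is constructed.

```python
import base64
import re

# Shape of the pattern above: two initials, MM, DD, last two digits of the ID.
PATTERN = re.compile(r"[A-Z][a-z](0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}")

# Constructed sample export, not real data. "info" is base64 for the example
# password from the text; "description" holds a clear-text one.
SAMPLE = """\
dn: CN=Joey Smith,OU=Students,DC=example,DC=org
employeeID: 12345
info:: SnMwNTIyNDU=

dn: CN=Ana Lee,OU=Students,DC=example,DC=org
employeeID: 67890
description: Al031190
"""

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per entry of an LDIF export."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(value.strip())

def audit(text):
    """Return (dn, attribute) pairs whose value looks like a stored password.
    Values are never returned, so the report itself leaks nothing."""
    return [(entry.get("dn", ["?"])[0], attr)
            for entry in parse_ldif(text)
            for attr, values in entry.items()
            if attr != "dn" and any(PATTERN.fullmatch(v) for v in values)]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A hit is a lead to review rather than proof, since other eight-character values can share the same shape; any confirmed attribute should be cleared and the affected passwords reset.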
Unfortunately for now, passwords are still a part of not only our daily life but our fundamental learning platforms as well. Take care with how passwords are managed at your district to avoid any of the above issues.
Keeping a pristine student directory also contributes to overall security. Student Provisioning Services automates this process for districts of all sizes across the country.