Password managers are software applications that store and enter passwords for you. They combine high security with convenience.
A password manager takes the effort out of remembering unique, secure passwords. It creates a suitable password, stores it, and enters it for you as required.
It is recommended that all school staff use a password manager
It is highly recommended that all school staff use a password manager. School staff manage passwords that access sensitive data about their students and school communities. These include passwords to the Student Management System (SMS), school email, shared files and school intranet. As most teachers use the same laptop for school and home, the line between what is private and what is work can be blurred. School passwords might be reused for private purposes and vice versa. If someone on the internet used your login, could they access any school systems using the same email and password?
Edward Snowden explains password security in this short interview. He suggests using long passwords made up of a random phrase to overcome brute force attacks.
A brute force attack is where huge numbers of passwords are tried in rapid succession in the hope that one of them will succeed. As computers have increased in power, they have become faster at brute-force password cracking. Modern computers can be set up to test thousands of passwords per second.
A secure password is long and random
The only way to beat brute force attacks is to use a long, random password. A password like “vI6pDM*gLg#!kxPOrV” would take a computer several hundred years to guess via the brute force method, but it's very hard for people to remember. The password manager takes the effort out of remembering unique, secure passwords. Your password manager creates a suitable password, stores it, and enters it for you as required.
Vast databases of leaked passwords are available online, and have been analysed to determine how people choose passwords. That's why the only secure password is a long and random one.
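The following is an added example, not part of the original resource. It shows how a password manager can generate a long, random password and how length and character variety change the average brute-force time. The guess rate of 1,000 per second, the 94-character alphabet and the 7776-word list used for the random-phrase case are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption for this example: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=18, alphabet=ALPHABET):
    """Pick each character independently using the operating system's secure RNG."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, symbols):
    """Entropy when each of `length` positions is drawn uniformly from `symbols` options."""
    return length * math.log2(symbols)


def average_crack_years(length, symbols, guesses_per_second):
    """Expected brute-force time: on average half of all combinations are tried."""
    keyspace = symbols ** length  # exact integer count of possible passwords
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second=1_000):
    """Return (label, entropy bits, average years) for constructed password shapes."""
    shapes = [
        ("8 lowercase letters", 8, 26),
        ("8 mixed characters", 8, len(ALPHABET)),
        ("18 mixed characters", 18, len(ALPHABET)),
        # Assumption: words picked at random from a 7776-word (Diceware-style) list.
        ("6 random words", 6, 7776),
    ]
    return [(label, round(entropy_bits(n, s), 1),
             average_crack_years(n, s, guesses_per_second))
            for label, n, s in shapes]


if __name__ == "__main__":
    print("example generated password:", generate_password())
    for label, bits, years in compare():
        print(f"{label:22s} {bits:6.1f} bits  ~{years:.3g} years on average")
```

The estimate only holds for passwords chosen at random. A password a person made up is usually found far sooner, because it resembles entries in leaked password lists.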
There are a number of options. Your choice depends on the features you need and the different devices you use.
To help with your decision, start by looking at:
Many password managers are free or have a demo mode to allow you to try them out. You will need to install the software on each device you wish to use it on.
In combination with cloud storage and their own browsers, Keychain and Credential Manager offer to create and store secure passwords when they detect you are creating a login. Passwords are stored securely in the cloud and are available on their respective phones and tablets too. This system works well for your Apple or Microsoft equipment and software.
In the case of built-in password managers such as Keychain, the computer user’s login password unlocks them. These login passwords should also conform to the long and complicated ideal.
Modern web browsers have a function that is superficially similar to a password manager. There are issues with relying on your browser for this:
Create a long, complicated password to lock your password manager. It needs to be long and complicated because you only need this one single password to unlock everything else.
If your password:
Loading your existing passwords into your new password manager can be a bit of a chore, as you have to create a new record for each site. We strongly recommend that, as you do this, you change the password on each site to one generated by the password manager. It’s a one-time process and worth going through the pain.
Once set up, every time you sign up at a new site the password manager will offer to create a secure login for you. The required effort at this point is minimal.
Each password manager works slightly differently, but they all have the same basic functions. As you visit a site:
They are generally very good at detecting which fields need to be filled in.
You set how aggressively your password manager locks itself again. Allowing it to remain unlocked until you quit your browser or are inactive for a set time should be safe enough.
Password managers are very effective at protecting you from an attack from the internet by making it easy to use long, unique passwords. There are some things they don’t protect you from.
The password manager is only going to be effective if you make the effort to set all your passwords to secure ones. A password manager will store and supply an insecure password you have created for a site, but this won’t lead to better security. Many password managers will flag passwords that are too short or too simple to guess.
Schools are unusual from a security standpoint because of the danger of people physically seeing you enter your password. Students have time and opportunity to steal staff passwords, and have done so. Techniques such as groups of students watching you type and remembering a few characters each, or using keyloggers, have been used in New Zealand to gain unauthorised access to school systems. Some schools even have simple password allocation schemes, meaning once you know one password, you can guess that of any user who hasn’t changed theirs.
Biometric systems such as fingerprint scanners are common on phones, tablets, and laptops. You may be able to set up your fingerprint to work in place of the master password for your password manager, so you can unlock it without having to type.
Recommendations for managing passwords – Connected Learning Advisory resources
XKCD password strength – the comic strip that started a lot of conversations about secure passwords
Have I been pwned? – see if your passwords have been compromised
Passwords (7:40) – ABC consumer affairs show segment on password managers
How to choose a password (11:32) – Dr Mike Pound, University of Nottingham