Password security for schools is a challenging issue, because a suitable balance is needed between security (protection of information) and usability (ready access to that information). Poor password practices are a common cause of information being accessed by the wrong people, which can lead to harm to individuals. This is why password management requires careful consideration.
We recommend that your password security strategy be centred on practices that are both highly secure and user-friendly. This increases security with little impact on staff.
We recommend that you use the following – in order of priority:
Each of these four strategies is outlined below.
We recommend that you avoid the following:
Paradoxically, forcing users to change passwords too frequently, or to use extremely complex passwords, can backfire and lead to problems such as passwords being written down. The goal is to find the right balance for the different circumstances in your school.
There is a wide range of information, data, and services in both local and online locations that schools need to protect using a password.
A first step in determining a password strategy for a particular situation is to assess how sensitive the data is and what the consequence would be if unauthorised access took place. The more sensitive the information (for example, personal details about students, including health and behavioural information), the more deliberate the approach to security should be. The safety and security of your students and staff must be paramount considerations.
The suitability of any password security practice should be evaluated against three criteria:
Security practices that are both highly secure and readily usable should be encouraged, especially if the impact of a possible information loss (security breach) is also high. If the impact of a possible security breach is low, then the level of security can be similarly low.
If the impact of a possible security breach is high and the level of security is low, then you have an imbalance and a major concern!
Overall, if we assume that increasing the level of security involves decreasing usability, then the security measures used should be proportional to the impact of a security breach.
For example, the data held in an online platform for creating presentations is likely to be far less sensitive than the data held in your Student Management System (SMS), so greater importance should be placed on the security practices for your SMS. Similarly, measures to secure access to G Suite or Office 365 should be strong, because these allow staff not only to send school email but also to access previous emails and shared documents, which may contain confidential information.
For many online services, high security and high usability can be achieved by using two factor authentication, as outlined below. A Student Management System also needs strong security. If two factor authentication is unavailable, long, unique passwords should be enforced.
Research shows that longer passwords are more secure and more usable than shorter, more complex passwords, which may have to be changed frequently and are therefore quite likely to be written down and stored.
We recommend using phrases to create a memorable long password. For staff, the xkcd password generator is a good place to start: it generates a phrase of unrelated but natural-language words that produces a strong password. Some indication of how strong a password is can be obtained from the How Secure Is My Password website. For students, a phrase of related words will probably need to be used, chosen in relation to their age and context. For example, young students might use their favourite colour, animal, and book.
You will notice that we recommend long passwords, but not necessarily complex ones. This is because a simple yet long password is much harder to crack than a complex but short one.
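To make the length-versus-complexity argument concrete, here is an added example (not code from the original page or from the xkcd generator) that builds an xkcd-style passphrase from a constructed word list using a cryptographically secure random source, and compares the guessing entropy of a short complex password, a long simple one and a word-list passphrase. The word list, the character-set sizes and the policy names are assumptions for the example.

```python
import math
import secrets

# Constructed word list for the example; a real generator draws from a list of
# several thousand common words (the xkcd-style generator the page recommends),
# so a 4-word phrase from this 16-word list is only 16 bits and is for illustration.
WORDS = ["correct", "horse", "battery", "staple", "river", "pencil", "cloud",
         "window", "apple", "garden", "silver", "rocket", "piano", "forest",
         "candle", "marble"]


def passphrase(n_words=4, words=WORDS, sep=" "):
    """Join n words chosen with a CSPRNG; the `random` module would be predictable."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, length):
    """Guessing entropy in bits for `length` independent picks from `choices` options."""
    return length * math.log2(choices)


def compare_policies():
    """Entropy of the kinds of password the page contrasts (assumed parameters)."""
    return {
        # 8 characters drawn from the 95 printable ASCII characters ("complex, short")
        "complex_8_chars": entropy_bits(95, 8),
        # 20 lowercase letters ("simple, long")
        "simple_20_lowercase": entropy_bits(26, 20),
        # 5 words from a 7776-word (diceware-size) list, xkcd style
        "five_words_7776_list": entropy_bits(7776, 5),
    }


def strongest(policies):
    """Name of the policy with the most bits of guessing entropy."""
    return max(policies, key=policies.get)


if __name__ == "__main__":
    print("example passphrase:", passphrase())
    for name, bits in compare_policies().items():
        print(f"{name:22s} {bits:6.1f} bits")
    print("strongest:", strongest(compare_policies()))
```

The numbers assume the attacker must search the whole space; a phrase of related words chosen by a student has far fewer effective choices than the list size suggests.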
Two factor authentication requires a combination of two factors to enable authentication: something a person knows (usually a password) and something a person has (a fingerprint, app on their phone or special code sent by text message or printed and securely stored).
Some services also use heuristics (time since last login, location, device, and browser) to decide whether a login attempt is suspicious.
Enabling two factor authentication for staff will significantly increase the security of their use of GSFE or Office 365. Two factor authentication has very little to no impact on usability. We recommend that it is enforced for staff but voluntary for students, because staff are likely to own a cellphone while students may not. We suggest that, if possible, it is introduced to staff in a planned, gradual, managed, supportive way rather than suddenly switched on!
Many online services allow users to create and sign into their service using Google, Facebook, or other services as a provider of identity. This should be encouraged for the following reasons:
It is important to remember that the site that requests your Google or Facebook login never has access to your Google or Facebook password. Google or Facebook simply assert that you are a known user and pass the requesting site a token confirming this.
There are many ways in which Single Sign On solutions can be provided. Your technical support provider may offer a Single Sign On solution.
Password managers are software programs that store and manage passwords, generally for online services. For the user this means they have to remember just one very strong password to "unlock" a range of passwords for different services. The database of passwords held by the password manager is encrypted and can be shared easily between devices. Password managers are an easy way to ensure that passwords are both strong and different for every service, while the user only has to remember one "master" password. Password managers combine high security with high convenience, and we strongly advocate that staff use them.
One strategy for introducing a password manager to staff is to have some early-adopter or enthusiastic staff members trial it and then run PD sessions for others. Password managers need careful evaluation if you wish students to use them, as students often use multiple computers, which can be a complicating factor. Both online and offline password managers are available. Password managers should be encouraged on student-owned devices.
Good practice around passwords also includes:
Other ways in which passwords might be stored include Keychain on the Mac and web browsers that save passwords. In any case, these are only as secure as the password required to access them, so that password must be very secure (for example, long and unique).
The Have I Been Pwned website allows you to enter your email address or username to find out whether it has been compromised, for example, whether the password was published on the internet as a result of one of the many data leaks that have occurred. Typically, compromised credentials are sold to criminal groups rather than openly published. This means that your accounts could be used by people other than yourself, exposing your data and account to unauthorised use. If your credentials have been compromised, you should urgently change the password for any services that use it. If you have further concerns about compromised accounts, you can discuss this with Netsafe.
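As an added example (not code from the page or from Have I Been Pwned itself), this shows how a school tool can test a candidate password against the Pwned Passwords range API without ever sending the password: only the first five characters of its SHA-1 hash leave the machine, and the returned list of hash suffixes is matched locally. The sample range response and its counts are constructed, and `live_fetch` and `offline_fetch` are assumed helper names.

```python
import hashlib
import urllib.request


def split_sha1(password: str):
    """SHA-1 the password (the scheme Pwned Passwords uses) and split it into
    the 5-character prefix that is sent and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the breach count for our suffix (0 if absent)."""
    for line in range_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate and candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch_range) -> int:
    """Number of times the password appeared in known breaches, via k-anonymity lookup."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))


def live_fetch(prefix: str) -> str:
    """Real lookup against the API; the API requires a User-Agent header."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "school-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API so the example runs without network.
# The suffixes and counts are made up, except that the second line is the real
# SHA-1 suffix of "password", whose prefix is 5BAA6.
SAMPLE_RANGES = {
    "5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:3\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n",
}


def offline_fetch(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, offline_fetch))
```

A count greater than zero means the password should be rejected at creation time and changed wherever it is already in use.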
| Method of compromise | Strategies |
| --- | --- |
| People telling others their passwords | Encourage a culture of security where passwords are never shared with or disclosed to others |
| Systems generating "easy to guess" passwords | Try to use systems that generate random passwords |
| Passwords that are written down, either by the user themselves or by an administrator | Consider whether passwords that are written down could end up in the hands of people you don't want to have them |
| People generating an easy to guess password for others to use | Avoid giving all users or groups of users the same initial password; always force a password change at first log-in |
| People choosing easy to guess passwords themselves | Good password creation and management practices |
| Phishing attacks where spoof websites are used to collect people's credentials | Raising awareness of cyber security and the concept of phishing |
| People sending passwords by email or other insecure means | Nobody ever needs to know your password, including your technician; once a password is written in an email it can be retrieved later, so this should be avoided |
| Insecure technical practices (for example, allowing snooping on plain-text wifi traffic, or websites that do not use https to keep traffic secure) | Raising awareness of cyber security |
| People deliberately stealing credentials by looking over your shoulder, using keylogger software, a hidden camera, or similar | Use two factor authentication for high-risk credentials; cover privacy as part of your Digital Citizenship programme |
| Brute force (for example, remote) attacks | Long passwords |
| Hacks/exploits using malware | Use a malware and virus checker |