Password managers are software applications that store and enter passwords for you. They combine high security with convenience.
Password security for schools is a challenging issue. There needs to be a suitable balance between:
Poor password practices are a common cause of information being accessed by the wrong people, which can harm individuals or the school as a whole. This is why password management requires careful consideration.
A password manager takes the effort out of remembering unique, secure passwords. It creates a suitable password, stores it, and enters it for you as required.
It is recommended that all school staff use a password manager
It is highly recommended that all school staff use a password manager. School staff manage passwords that access sensitive data about their students and school communities. These include passwords to the Student Management System (SMS), school email, shared files and school intranet. As most teachers use the same laptop for school and home, the line between what is private and what is work can be blurred. School passwords might be reused for private purposes and vice versa. If someone on the internet used your login, could they access any school systems using the same email and password?
Password security and passphrases are explained in this short interview.
A brute force attack is where huge numbers of passwords are tried in rapid succession in the hope that one of them will succeed. As computers have increased in power, they have become faster at cracking passwords by brute force. Modern computers can be set up to test thousands of passwords per second.
A secure password is long and random
The only way to beat brute force attacks is to use a long, random password. A password like “vI6pDM*gLg#!kxPOrV” would take a computer several hundred years to guess via the brute force method, but it's very hard for people to remember. The password manager takes the effort out of remembering unique, secure passwords. Your password manager creates a suitable password, stores it, and enters it for you as required.
Vast databases of leaked passwords are available online, and have been analysed to determine how people choose passwords. Attackers try the patterns people favour first, so any password that follows a human habit falls far sooner than its length alone would suggest. That's why the only secure password is a long and random one. However, second best to a long and random password is a long yet simple password.
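To make the "long and random" argument concrete, the following added example (not code from the original page) estimates how large the search space is for a password and how long exhausting it would take at a given guessing rate. It assumes an alphabet of 95 printable ASCII characters (26 lower, 26 upper, 10 digits, 33 symbols) and a 7776-word list as the passphrase example; the guessing rate is a parameter, with the page's "thousands per second" used in the demonstration.

```python
import math

# Size of each character class a brute-force search must cover.
# 33 is the count of printable ASCII punctuation characters (assumed alphabet).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def charset_size(password: str) -> int:
    """Smallest character set an attacker must search to cover this password."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def random_password_bits(password: str) -> float:
    """Entropy in bits, assuming every character was chosen uniformly at random.
    A human-chosen password of the same length has far less entropy than this."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly from a word list."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate in a space of 2**bits at the given rate."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 5_000  # "thousands of passwords per second", as the text puts it
    examples = [
        ("18 random characters", random_password_bits("vI6pDM*gLg#!kxPOrV")),
        ("4 words from a 7776-word list", passphrase_bits(4, 7776)),
    ]
    for label, bits in examples:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years to exhaust")
```

The formula only holds when the password really was generated at random, which is exactly what a password manager does for you. Treat the rate as the weakest part of the estimate: dedicated cracking hardware working on a stolen password database reaches rates many orders of magnitude above "thousands per second", which is why the example passphrase's roughly 52 bits is a sensible floor rather than a comfortable margin.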
Two factor authentication requires a combination of two factors to enable authentication: something a person knows (usually a password) and something a person has (a fingerprint, app on their phone or special code sent by text message or printed and securely stored).
The login service uses heuristics (time since last login, location, device, and browser) to decide whether a login attempt is suspicious.
Enabling two factor authentication for staff will significantly increase the security of their use of G Suite or Office 365. Two factor authentication has very little to no impact on usability. We recommend that it is enforced for staff, but is voluntary for students because staff are likely to own a cellphone while students may not. We suggest that if possible it is introduced to staff in a planned, gradual, managed, supportive way rather than suddenly switched on!
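The heuristics mentioned above (time since last login, location, device, browser) can be shown as a small step-up decision. The following is an added example, not code from the original page or from any particular provider: it keeps a constructed login history for one account, lists which signals fire for a new attempt, and asks for the second factor whenever any signal fires. The "any signal" rule and the 30-day staleness window are assumptions; real services weigh signals rather than counting them.

```python
from datetime import datetime, timedelta

# Constructed login history for one account (not real data). Each record notes
# when the login happened and from which country, device and browser.
HISTORY = [
    {"time": datetime(2024, 3, 4, 8, 5), "country": "NZ", "device": "staff-laptop-12", "browser": "Chrome"},
    {"time": datetime(2024, 3, 5, 8, 1), "country": "NZ", "device": "staff-laptop-12", "browser": "Chrome"},
    {"time": datetime(2024, 3, 5, 19, 40), "country": "NZ", "device": "phone-ab12", "browser": "Safari"},
]


def suspicious_signals(history, attempt, stale_after=timedelta(days=30)):
    """Return the heuristics that fire for `attempt` given the account's history.
    An empty list means the attempt matches the user's normal pattern."""
    if not history:
        return ["no login history for this account"]
    signals = []
    last_seen = max(h["time"] for h in history)
    if attempt["time"] - last_seen > stale_after:
        signals.append("long gap since last login")
    # Anything not seen before for this account counts as a signal.
    for key in ("country", "device", "browser"):
        if attempt[key] not in {h[key] for h in history}:
            signals.append(f"unfamiliar {key}: {attempt[key]}")
    return signals


def require_second_factor(history, attempt) -> bool:
    """Step up to the second factor whenever at least one heuristic fires (assumed rule)."""
    return bool(suspicious_signals(history, attempt))


if __name__ == "__main__":
    usual = {"time": datetime(2024, 3, 6, 8, 0), "country": "NZ",
             "device": "staff-laptop-12", "browser": "Chrome"}
    unusual = {"time": datetime(2024, 5, 1, 3, 0), "country": "US",
               "device": "unknown-pc", "browser": "Chrome"}
    for attempt in (usual, unusual):
        print(suspicious_signals(HISTORY, attempt), "->",
              "ask for second factor" if require_second_factor(HISTORY, attempt) else "allow")
```

The point for a school is in the familiar case: a teacher logging in from the same laptop, in the same country, during the working week sees nothing extra, which is why the text can say the usability cost is very small.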
There are a number of options. Your choice depends on the features you need and the different devices you use.
To help with your decision, start by looking at:
Many password managers are free or have a demo mode to allow you to try them out. You will need to install the software on each device you wish to use it on.
In combination with cloud storage and their own browsers, Apple's Keychain and Microsoft's Credential Manager offer to create and store secure passwords when they detect you are creating a login. Passwords are stored securely in the cloud and are available on their respective phones and tablets too. This system works well for your Apple or Microsoft equipment and software.
In the case of built-in password managers such as Keychain, the computer user’s login password unlocks them. These login passwords should also conform to the long and complicated ideal.
Modern web browsers have a function that is superficially similar to a password manager. There are issues with relying on your browser for this:
Create a long, complicated password to lock your password manager. It needs to be long and complicated because you only need this one single password to unlock everything else.
If your password:
To create a memorable password that would resist a brute force and dictionary attacks, combine a string of three or four uncommon, unrelated words, for example "doorbell conclude kudos boxing". With a little creativity, you can generate a mental picture to help you remember it. Leave the spaces between the words as it makes it easier to remember and to type.
Complexity comes from choosing unusual words, rather than using capital letters, punctuation and numbers. You can still put a capital letter, number, or symbol in to increase the complexity. Choose one randomly and put it somewhere random – “doorbell conc=lude kudos boxing”.
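The word-based method described above can be automated so the words are genuinely random rather than chosen by hand. The following added example (not code from the original page) draws distinct words with the operating system's random number generator and, optionally, inserts one random digit or symbol at a random position, as in the "doorbell conc=lude kudos boxing" illustration. The word list here is a constructed 32-word sample; the strength of the result depends on using a real list of thousands of words.

```python
import secrets
import string

# Constructed mini word list for demonstration only. A real list (Diceware, EFF)
# has thousands of entries, and the passphrase is only as strong as that list is large.
WORDS = [
    "doorbell", "conclude", "kudos", "boxing", "lantern", "velvet", "harbour",
    "pickle", "granite", "whistle", "meadow", "saddle", "cactus", "ribbon",
    "tunnel", "walnut", "parcel", "ladder", "orbit", "canvas", "thistle",
    "hammock", "pelican", "vortex", "glacier", "bramble", "compass", "fossil",
    "mustard", "quiver", "sapling", "trowel",
]

# OS-backed randomness, suitable for generating secrets (unlike the default `random`).
_SYSTEM_RNG = secrets.SystemRandom()


def make_passphrase(words=WORDS, count=4, rng=_SYSTEM_RNG) -> str:
    """Pick `count` distinct words uniformly at random and join them with spaces.
    Spaces are kept on purpose: the text notes they help memory and typing."""
    if count > len(words):
        raise ValueError("not enough words to draw distinct ones")
    return " ".join(rng.sample(words, count))


def add_random_symbol(passphrase: str, rng=_SYSTEM_RNG,
                      alphabet=string.digits + string.punctuation) -> str:
    """Insert one random digit or symbol at a random position, e.g.
    'doorbell conclude kudos boxing' -> 'doorbell conc=lude kudos boxing'."""
    position = rng.randrange(len(passphrase) + 1)
    return passphrase[:position] + rng.choice(alphabet) + passphrase[position:]


if __name__ == "__main__":
    phrase = make_passphrase()
    print(phrase)
    print(add_random_symbol(phrase))
```

Picking the words yourself tends to produce related or familiar words, which is the human pattern the leaked-password analyses exploit; letting the generator choose, and only then building the mental picture, keeps the randomness that the strength estimate relies on.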
Loading your existing passwords into your new password manager can be a bit of a chore, as you have to create a new record for each site. A strong recommendation is to change your passwords on each site as you do this into ones generated by the password manager. It’s a one-time process and worth going through the pain.
Once set up, every time you sign up at a new site the password manager will offer to create a secure login for you. The required effort at this point is minimal.
Each password manager works slightly differently, but they all have the same basic functions. As you visit a site:
They are generally very good at detecting which fields need to be filled in.
You set how aggressively your password manager locks itself again. Allowing it to remain unlocked until you quit your browser or are inactive for a set time should be safe enough.
Password managers are very effective at protecting you from an attack from the internet by making it easy to use long, unique passwords. There are some things they don’t protect you from.
The password manager is only effective if you set all your passwords to secure ones. A password manager will store and supply an insecure password you have created for a site, but this won’t lead to better security. Many password managers will flag passwords that are too short, or simple to guess.
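A password manager's flagging of weak entries can be reproduced as a simple audit over the stored vault. The following added example (not code from the original page or any product) walks a constructed set of site-password pairs and reports entries that are too short, appear in a sample leaked-password list, or are reused across sites. The 14-character minimum and the five-entry leaked list are assumptions for the demonstration; a real check uses a breach corpus such as the one behind Have I Been Pwned, which the page links to.

```python
from collections import defaultdict

# Constructed vault contents (site -> password). Not real credentials.
VAULT = {
    "sms.example.school.nz": "Summer2023!",
    "mail.example.school.nz": "Summer2023!",
    "intranet.example.school.nz": "vI6pDM*gLg#!kxPOrV",
    "shopping.example.com": "password1",
}

# Constructed sample of passwords known from leaks. A real audit queries a breach
# corpus; this hand-typed set exists only so the example runs offline.
KNOWN_LEAKED = {"password", "password1", "123456", "qwerty", "letmein"}

MIN_LENGTH = 14  # assumed threshold; the text says only "too short"


def audit_vault(vault, leaked=KNOWN_LEAKED, min_length=MIN_LENGTH):
    """Return {site: [problems]} for every entry that needs attention."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)

    findings = {}
    for site, password in vault.items():
        problems = []
        if len(password) < min_length:
            problems.append("too short")
        if password.lower() in leaked:
            problems.append("appears in leaked-password list")
        if len(sites_by_password[password]) > 1:
            others = sorted(s for s in sites_by_password[password] if s != site)
            problems.append("reused on " + ", ".join(others))
        if problems:
            findings[site] = problems
    return findings


if __name__ == "__main__":
    for site, problems in sorted(audit_vault(VAULT).items()):
        print(f"{site}: {'; '.join(problems)}")
```

Reuse is the finding that matters most in a school setting: the same password on the student management system and on a shopping site means a leak at the shop becomes a login to student records, which is the question the text poses about shared work and private logins.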
Schools are unusual from a security standpoint because of the danger of people physically seeing you enter your password. Students have time and opportunity to steal staff passwords, and have done so. Techniques such as groups of students watching you type and remembering a few characters each, or using keyloggers, have been used in New Zealand to gain unauthorised access to school systems. Some schools even have simple password allocation schemes, meaning once you know one password, you can guess that of any user who hasn’t changed theirs.
Biometric systems such as fingerprint scanners are common on phones, tablets, and laptops. You may be able to set up your fingerprint to work in place of the master password for your password manager, so you can unlock it without having to type.
Good practice includes:
Passwords can be stored in Keychain on a Mac, and some web browsers save passwords. These are only as secure as the password required to access them, so that password must be very secure (for example, long and unique).
XKCD Password strength
The comic strip that started a lot of conversations about secure passwords.
Have I been pwned?
Check if you have an account that has been compromised in a data breach.
In this video, the ABC consumer affairs show presents a 7-minute segment on password managers.
How to choose a password
In this 11 minute video, Dr Mike Pound, University of Nottingham explains how to create a strong password.
Keeping your school network safe
CERT NZ’s guide to keeping your school network safe
Two Factor Authentication
Netsafe’s blog post explains what two factor authentication is, why you need it, and provides links to how to set it up for a range of applications.
Password complexity rules more annoying, less effective than lengthy ones
A blog post discussing password complexity.
How secure is my password?
Test how secure your passwords are using this tool.
Password security – Why secure passwords need length over complexity
This blog post compares password types and explains why long passwords are preferable to complex passwords.