Password Authentication for Schools
NB This page expresses a personal perspective, and no connection with any official office is intended or implied. It has been put together from a range of authoritative sources. Whilst every care has been taken to ensure its accuracy and validity, this cannot be guaranteed, and schools are advised to seek advice if unsure.
Introduction
Username and password combinations are a common means of authenticating users to provide access to systems. Whilst ubiquitous they are frequently difficult to administer, and a common factor in computer misuse.
With the right username and password combination it is possible to access sensitive personal data, steal identities, compromise security and invade privacy.
For these reasons it is essential to follow some clear rules. The difficulty lies in applying appropriate security according to the level of access the user profile allows. The user accounts of young children do not allow significant access to network functions and personal data, and are less likely to provide opportunities for misuse. Additionally, young children are unlikely to have sufficient knowledge to work round basic security. Contrast this with secondary age pupils, many of whom are sophisticated and knowledgeable. It is essential that an ethos of acceptable use is agreed, and that security is proportionate.
This requires a risk assessment approach, although some broad guidelines are offered below as the basis for discussion.
It is important to relate different requirements and security policies to different categories of user, and where possible relate this to content filtering and acceptable use. In practice this is difficult to administer, as children move through school phases.
School leaders and middle managers require greater access to sensitive personal data and information than teachers or teaching assistants. It is useful to consider operating differentiated access security and requirements and relating these to individual security profiles, policies and password strengths.
An example of differentiated levels of access
- Level 1 - Early Years and KS1
- Level 2 - KS2 Primary
- Level 3 - KS3 Children
- Level 4 - KS4/5 Young People
- Level 5 - Teaching Assistants
- Level 6 - Teachers
- Level 7 - School leadership and Middle Management
- Level 8 - School Administration
- Level 9 - Technician
- Level 10 - Unrestricted - Network Manager
Where a user has been granted unrestricted administrative access, care must be taken to ensure that procedures are in place to protect network security in the event of trust being compromised. This has occurred where school management changes, or where there are grievances.
Example of differentiated access and security
The example below offers an example of how access could be differentiated, and is intended to be illustrative rather than definitive.
| Level | login | password | location | content | search | publishing |
|---|---|---|---|---|---|---|
| Level 1 | open use without login | no password | in-school use only | maximum filtering restrictions | no access to public search engines | intranet / LP only |
| Level 2 | Simple username | password set and changed by school | in-school use only | maximum filtering restrictions | supervised access to content restricted search engines | intranet/LP only |
| Level 3 | Simple username | password set by user | home and school access | high content filtering | access to suitable search engines | moderated e-portfolio |
| Level 4 | Simple username | forced password change | home and school access | moderate content filtering | access to range of public search engines | AUP e-portfolio and assessment |
| Level 5 | Different format usernames | forced password change | in-school use only | unfiltered AUP | unrestricted search | AUP publishing, no access to MIS |
| Level 6 | Different format usernames | forced password change | home and school access | unfiltered AUP | unrestricted search | AUP publishing, limited access to MIS |
| Level 7 | Different format usernames | frequent forced complex password change | home and school access | unfiltered AUP | unrestricted search | AUP publishing, full access to MIS |
| Level 8 | Different format usernames | frequent forced complex password change | in-school access | unfiltered AUP | unrestricted search | Official publishing, MIS data controller |
| Level 9 | Different format usernames | frequent forced complex password change | remote and in-school access | unfiltered AUP | unrestricted search | audit and technical access |
| Level 10 | Different format usernames | frequent forced complex password change | unrestricted AUP | unfiltered AUP | unrestricted search | Unrestricted AUP |
Password strength
Estimates indicate that 80% of network security problems are caused by bad passwords; therefore, good passwords are the simplest, and most important part of information security.
Passwords are not only used to access school computers and networks; they are now frequently used to personalise online experiences and to provide access to online services.
Usernames also need to be carefully formatted; the use of clearly defined names (for example a predictable initial-plus-surname pattern) makes them easy to guess.
There are three factors that can be adjusted:
- password complexity
- frequency of forced changes
- automated storage of passwords (browser settings)
The move towards personalised learning and single sign-on authentication suggests that either password security needs to be better managed, or alternative methods of authentication such as biometric or smartcards need to be used.
Password Complexity
The complexity of passwords can be improved using some of the following methods. Care should be taken to avoid complexity when dealing with young children and to ensure that complexity is proportionate to the user's level of access.
- Use a password with mixed-case letters. Do not just capitalize the first letter, but add uppercase letters throughout the password.
- Use the first letter of each word from a line in a book, song, or poem. For example: "Who ya gonna call? Ghost Busters!" would produce "Wygc?GB!"
- Use the output from a random password generator. Select a random string that can be pronounced and is easy to remember. For example, the random string "adazac123" can be pronounced a-da-zac, and you can remember it by thinking of it as "A-to-Z, 1 through 3." Add uppercase letters to create your own emphasis, e.g., aDAzac.2
- Use two short words connected by punctuation, e.g., T1me#0ff
- Use numbers and letters to create an imaginary vanity license plate password, e.g., 1H8work!
- Use at least six characters, eight characters for Windows NT.
- Mix numbers and letters.
A common theme of these suggestions is that the password should be easy to remember! Avoid passwords that must be written down to be remembered. If a password cannot be recalled and has to be written down, someone may find it and compromise your network identity. It's surprisingly common to find network passwords written in school organisers.
Some definite don'ts!
- DO NOT use your network login ID as your password in any form (reversed, capitalized).
- DO NOT use any part of your name; first, middle or last! Definitely do not use names of your children or pets.
- If using web based services or portals, do not use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations. These can be attacked by software algorithms.
- DO NOT use other information easily obtained about you. This includes pet names, car license plate numbers, telephone numbers, identification numbers, the make of your car, the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user.
- DO NOT use dates e.g., September, SEPT1999 or any combination thereof.
- DO change passwords regularly. The more critical an account to network integrity (such as root on a Unix host or Administrator on Windows NT), the more frequently the password should be changed. This change stops someone who has already compromised an account from continued access.
- DO NOT use keyboard sequences, e.g., qwerty.
- DO NOT use the original password given out when your account was set up.
- DO NOT use any of the above things spelled backwards, or in caps, or otherwise disguised.
- DO NOT write a password on sticky notes, desk blotters, calendars, or store it online where it can be accessed by others.
- DO NOT let anyone use your account, and don't use that of others.
- DO NOT reveal your password to anyone.
These guidelines and suggestions should enable you to choose strong passwords that will help you improve the security of your system.
Frequency of forced changes
Low level users need not change their passwords as frequently as high level users. The reasons are self-explanatory. Most networks offer user management features that allow network managers to set password change rules. As a guide:
- Level 2-3 - change annually
- Level 4-9 - change termly
- Level 10 - change monthly
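The "definite don'ts" and the change-frequency guide above can be enforced automatically rather than left to users to remember. The following checker is an added example written for this page, not code from any school's systems: it assumes a "term" is 120 days, uses a constructed stand-in word list, and applies the eight-character minimum to Levels 7 and above (the table's "complex password" levels).

```python
import re
from datetime import date, timedelta

# Maximum password age per access level, from the frequency guide above.
# Assumption: a term is taken as 120 days. Level 1 has no password in the table.
MAX_AGE_DAYS = {2: 365, 3: 365, **{lvl: 120 for lvl in range(4, 10)}, 10: 30}

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "sept", "october", "november", "december")
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef")
# Constructed stand-in for a dictionary; a real deployment would load a full word list.
WORD_LIST = {"password", "school", "teacher", "summer", "welcome", "football"}


def check_password(password, login_id, personal_terms=(), level=6):
    """Return the list of policy violations; an empty list means acceptable for this level."""
    problems = []
    p = password.lower()
    min_len = 8 if level >= 7 else 6
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mixed case")
    if not re.search(r"[0-9!-/:-@\[-`{-~]", password):
        problems.append("no digit or punctuation")
    # Login ID in any form, forwards or reversed (disguises are undone by lower-casing).
    lid = login_id.lower()
    if lid in p or lid[::-1] in p:
        problems.append("contains login ID (forwards or reversed)")
    # Easily obtained personal information: names, pets, car registration, phone number...
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and (t in p or t[::-1] in p):
            problems.append(f"contains personal information '{term}'")
    if any(run in p for run in KEYBOARD_RUNS):
        problems.append("keyboard sequence")
    if any(m in p for m in MONTHS) or re.search(r"(19|20)\d\d", p):
        problems.append("contains a month or year")
    # Dictionary words, even when padded with digits or punctuation.
    if re.sub(r"[^a-z]", "", p) in WORD_LIST:
        problems.append("dictionary word")
    return problems


def password_expired(level, last_changed, today=None):
    """True if the password is older than the maximum age allowed for this level."""
    today = today or date.today()
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS[level])
```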
Policies for each level of access
general guidance
general guidance from university