A couple of news stories on school password security breaches recently surfaced, so I wanted to take a moment to remind you to take inventory of your school’s password policy. Both cases occurred in California, and both involved wholesale altering of students’ grades.
The hackers – themselves students who were charged with unauthorized alteration of a data base – might’ve viewed it as a prank, or even a money-making proposition. But regardless of the motivation, these and other crimes like it are preventable if you perform some due diligence when it comes to managing your school or district’s passwords.
The cases at Dixon High School and San Dimas High School are cautionary tales for anyone involved in password administration for any school or organization. In both cases, students simply used administrators’ passwords to get into the system.
Like leaving your car unlocked, front door open, or purse unattended at the supermarket, you could not only be exposing your schools to security breaches, but inviting them. Without a dependable school password policy in place, you might be getting off easy if the worst thing that happens is some kid hacking into the SIS to change the grades of hundreds of students.
We’re only human, after all
Who knows exactly how these admin’s passwords got out. Human factors are still the biggest security risk for any IT infrastructure. As the old saying goes, “A chain is only as strong as its weakest link.”
As an IT manager, it doesn’t really matter how complex you create an end user’s password because eventually they’ll choose their own. This is the proverbial chink in the armor of many school IT systems, and a potential security hole in your school’s IT system.
Depending upon your school IT infrastructure, you may have some different options available to you to create and automatically enforce policies for stronger management of user passwords. But even if you’re using Novell or Microsoft Active Directory with password policies integrated into your directory services, a strong password security policy can still be established as a matter of practice without the back-end enforcement by the server as part of the user account management.
Here are some important considerations for you when establishing a password policy for your school staff:
Make passwords complex, not simple
To increase the complexity of a password, encourage your users to follow these guidelines:
- Passwords should be at least six characters in length, preferably eight.
- Passwords should never contain the user name or any part of the user’s full name, such as his first name.
- Passwords should always use at least three of the four different character types: lowercase letters, uppercase letters, numbers, and symbols.
In the event you’re using some form of directory services, such as Microsoft Active Directory, you can set the security policy to enforce the length and complexity rules for end-user-created passwords.
Be sure to use a combination of upper case and lowercase letters, along with some numbers, and then adding punctuation such as !, @, #, etc. (e.g., QH+72_bn#5). If you're an administrator and are looking to head off potential password issues, take a look at this handy password guide for end users.
Passwords should have a maximum age
As a matter of policy, passwords should be changed often. Accounts with old passwords tend to be some of the highest risk. While requiring a password to be changed every 30 days may be onerous for users, it’s probably the most secure. Even 60 or 90 days is going to be more secure than 180 or annually (or never). Depending upon your directory services platform, you may be able to set the group policy to force the change based on the calendar date.
Never use names or dictionary words
Never is a strong word, I know. But here’s an absolute. One of the most common methods used by hackers to obtain access to an account is a brute force attack. This is where the hacker will run automated password hacking tools that try the account login and password over and over until it finds the combination. So never use your name, username, or dictionary words, for those are easy pickins for even the most amateur hacker.
These brute force attack scripts usually load a word list or password dictionary file as a starting point. They are available on the internet for hackers to download and use in their efforts. These password lists can even be in a foreign language, so don’t assume that using German for your password will make it any more difficult. By simply eliminating the use of common words, names, dates, or numbers, you eliminate the easiest way to crack an account.
Passwords with misspelled words aren’t any harder to crack
A lot of common hacking dictionaries also include common variations of misspelled words. Especially where numerals are substituted for letters (e.g. replacing the letter “S” with “$” or the letter “E” with “3”. This also includes just adding a numeral to the beginning or the end of a word.
Your next steps to password security
Weak passwords are one of the biggest risks in a security breach, so it’s very important to establish and enforce a strong password policy for your school. As administrators, it’s up to you to take the initiative and be certain you lock your doors, take your purse with you, and for god’s sake, close your front door.
For a deeper dive dive on establishing a password policy for your school district, check out this comprehensive web page that even includes a example password policy you can adapt.
Also, download our free Password Security Tips document to distribute to your school staff and administration. This sheet helps users of your IT system to create and use strong passwords that will ensure that you’re minimizing the risk of a security breach.
Michael is the founder and Chief Disruption Officer of Intellig8, a marketing technology consulting company. He is a lifelong student of business, financial models, marketing, communication, and behavioral science. He loves solving business problems, and helping techies and non-techies alike use technology to their advantage.