Slashdot Mirror

← Back to Stories (view on slashdot.org)

Generic Passwords Expose Student Data

Posted by ryuzaki0 on from the truly-a-learning-experience dept.

Makarand writes "The personal information of thousands of California children and their teachers was open to public view when the school districts issued a generic password to teachers using the system. Until the teacher used the system and changed the generic password to a unique password, anyone was able to type in a teacher's user name and generic password to gain access. Administrators shut down access to the service after a reporter phoned in to let them know that she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords." From the article: "'I'm fuming mad,' said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. 'My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling.'"

2 of 251 comments (clear)

  1. 1234 by yagu · · Score: 5, Interesting

    I used to work for a large company. This company, like all large companies, runs its business with myriad systems. For security, we had rules around managing passwords: how long they lasted; how they expired; etc. (At one point there was a 13 rule list that dictated criteria for passwords.)

    One Monday morning we came back to work to a massively failed system. I don't remember which one it was, and it wasn't a system that gave access to customer information, but it was one all employees used.

    The system was restored but the failure lost all passwords. All employees were instructed to log in with the default password and change it.

    The default password was (for 50,000 employees) "1234".

  2. The press is your friend. by xxxJonBoyxxx · · Score: 5, Interesting

    A couple years ago I heard through the grapevine that the local district's computers were wide open. Sure enough, I did a quick scan and found a couple ports. Within about five minutes I had a list of the names, ages and addresses of every student in the district.

    Rather than contact the (potentially defensive or hostile) district myself, I had a quick, informal chat with the editor of the local paper instead, knowing that he was a big education supporter and that he could deliver the "you have no security" message to the right people in a discrete manner. Sure enough, within a week the hole was closed.

    No credit, no publicity, but results. (My kids will be students there soon!)