Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: How To Keep Students' Passwords Secure?

Posted by samzenpus on from the one-password-to-rule-them-all dept.

First time accepted submitter bigal123 writes My son's school is moving more and more online and is even assigning Chromebooks or iPads to students (depending on the grade). In some cases they may have books, but the books stay home and they have user names and passwords to the various text book sites. They also have user names/passwords to several other school resources. Most all the sites are 3rd party. So each child may have many user names (various formats) and passwords. They emphasized how these elementary kids needed to keep their passwords safe and not share them with other kids. However when asked about the kids remembering all the user names and passwords the school said they are going to have the kids write them down in a notebook. This seemed like a very bad practice for a classroom and to/from home situation. Do others have good password management suggestions or suggestions for a single sign-on process (no/minimal cost) for kids in school accessing school provisioned resources?

2 of 191 comments (clear)

  1. Why not write them down? by RDW · · Score: 3, Informative

    However when asked about the kids remembering all the user names and passwords the school said they are going to have the kids write them down in a notebook. This seemed like a very bad practice for a classroom and to/from home situation.

    Bruce Schneier says:

    "Microsoft's Jesper Johansson urged people to write down their passwords.

    This is good advice, and I've been saying it for years.

    Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."

    https://www.schneier.com/blog/...

  2. Re:password manager by Wootery · · Score: 3, Informative

    Just don't forget that - whatever Steve Gibson has to say on the matter - it does rely on the competence and integrity of the LastPass crew.

    If LastPass rework their website so that your password is sent to them (rather than the encrypted hash generated by JavaScript), they can do decryption locally on their side (rather than in JavaScript in your browser), then they can read your passwords.

    If they get man-in-the-middled somehow - by a malicious employee, say - your passwords are no longer yours.

    They could engineer their site to be subpoena-friendly. (Whether they have, I don't know.)

    Also, if someone hits you on the head after you've signed in to LastPass, they have all your passwords.