Ask Slashdot: How To Keep Students' Passwords Secure?
First time accepted submitter bigal123 writes My son's school is moving more and more online and is even assigning Chromebooks or iPads to students (depending on the grade). In some cases they may have books, but the books stay home and they have user names and passwords to the various text book sites. They also have user names/passwords to several other school resources. Most all the sites are 3rd party. So each child may have many user names (various formats) and passwords. They emphasized how these elementary kids needed to keep their passwords safe and not share them with other kids. However when asked about the kids remembering all the user names and passwords the school said they are going to have the kids write them down in a notebook. This seemed like a very bad practice for a classroom and to/from home situation. Do others have good password management suggestions or suggestions for a single sign-on process (no/minimal cost) for kids in school accessing school provisioned resources?
They log on on one site, and use that login to log in to all other sites.
Set up a proxy system to access them. Use your dedicated password to access the proxy, then the device password can be in the open because it's behind a proxy.
Not idiot-proof, and if you can cross-access the devices it leaves holes in the solution unless you can segment the network they reside on.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
For children age 6 and up, and also for adults, the most important thing is to Keep It Simple.
Writing down passwords is actually a good thing for adults, as long as the passwords are written down in a secure place. A note in your wallet qualifies, as you know how to keep your wallet secure (right?). This is even more secure than a password safe on your smartphone: inputting a strong password is a pain (and easily observed), and with it your smartphone becomes a prime target for theft (if it isn't already).
For children of 6 years old and older (I'm assuming a US centric view here, triggered by the word 'elementary'), the situation is not that much different. The only problem is that children at this age usually do not have a wallet.
This is then the only problem to solve: creating a secure place to write down passwords.
However when asked about the kids remembering all the user names and passwords the school said they are going to have the kids write them down in a notebook. This seemed like a very bad practice for a classroom and to/from home situation.
Bruce Schneier says:
"Microsoft's Jesper Johansson urged people to write down their passwords.
This is good advice, and I've been saying it for years.
Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."
https://www.schneier.com/blog/...
How To Keep Students' Passwords Secure?
How about we do away with passwords and have the kids get mandatory, government issued, RFID chips imbedded under their skin. Problem solved!
Brave Sir Robin ran away. ("No!") Bravely ran away away. ("I didn't!")
Just make sure they understand to keep the notebook safe. Ideally, they would write them down in a diary or the like, that contains other private information, but at least here only girls usually have these.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I think the question is completely wrong, it's not how they should remember their passwords. It's why do they have several usernames and passwords in the first place?
First the resources that are school controlled should of course be behind one username/password pair, preferably SSO for the web parts (e.g. a CAS variant is quite simple).
For external resources, is there a real reason they really need to log in? E.g. can IP based access control or something work for some cases. I understand you don't control everything, but as users(/customers) one can at least complain, and try to push it in the right direction. If there is a reason to log in, do they support something like Shibboleth/SAML or OpenID for login federation? If so, that should be used. It's not trivial, but making the lives of the students hard for something stupid like that is even worse.
I think that for an elementary school student, if the amount of username/password pairs they need is over 1, there's something wrong somewhere.
Oh, and probably most important - parents should make sure they have a copy of the IDs and passwords needed to access "third party" resources, to avoid the inevitable loss of notebooks.
This, or just write them down in a notebook. Who cares about those passwords anyway? They are kids, for Christ's sake. Just give the teacher an admin password to reset and change everything. They WILL steal each other's passwords, they will share them, they will make up "funny" passwords if they get to choose. They are kids, let them be kids. Being impulsive, naive, and, well, juvenile, is an integral part of being a kid. Also, they already remember all the important passwords, such as their Facebook, online games etc.
If you don't want to use a password manager, create each password with a base word that is not written down, then add characters to each password that are written down. For instance, the base word could be "boxcar". Then, actual passwords might be boxcar357a, just write down the 357a. Or some variation of this approach.
Just don't forget that - whatever Steve Gibson has to say on the matter - it does rely on the competence and integrity of the LastPass crew.
If LastPass rework their website so that your password is sent to them (rather than the encrypted hash generated by JavaScript), they can do decryption locally on their side (rather than in JavaScript in your browser), then they can read your passwords.
If they get man-in-the-middled somehow - by a malicious employee, say - your passwords are no longer yours.
They could engineer their site to be subpoena-friendly. (Whether they have, I don't know.)
Also, if someone hits you on the head after you've signed in to LastPass, they have all your passwords.
I mean, that's the obvious question... if all an attacker can do is read some textbooks, then I don't give a crap about how secure the password is.
For that matter, assume the school always has full remote access to the hardware they issue to the students. Same reasoning. Don't log into personal accounts from those devices or do anything personal on them. Remember the case of the school that issued laptops to students only to spy on them with the webcams... hopefully nothing like that will happen to you, but at the same time it's prudent to keep anything the school has access to cleanly separated from your child's personal life.
https://www.gnu.org/philosophy...
Thank you, I've been posting this to every password-related Slashdot article for years and never managed to get modded up. My scheme is a slight variation, where the "357a" part is derived from the name of the web site or application you are logging into. Maybe you use the vowels in the web site name and their count: so the password for homework.com might produce "boxcaroeoo4." With this approach, instead of writing down "357a" or "oeoo" you write down "vowels + count" or "standard derivation" or something like that. The benefit is that if you use the same algorithm most of the time you don't have to write anything down.
I've been using this scheme (base word + something connected to what the service does, usually in leetspeak) for about 15 years now to help me remember passwords for obscure/rarely used accounts.
The most important insight is: use it ONLY for unimportant/throwaway stuff and PLEASE stop recommending it as a general method to people.
I have more than three dozen accounts and passwords. At some point one of those WILL be breached, probably without you ever being aware of it, and without any blame on your side. It happens even to the likes of Amazon. And then what? Anybody who takes more than 5 seconds to look at your password, or even a malicious system maintainer who grabs passwords at login, will be in a position where your passwords are just 3-4 token variations (and we're all aware how quickly you can break 4 character passwords even by hand).
Sure, it's not very vulnerable to automation (unless somebody decides that enough people are using this and couples it to pattern matching with the service and identified base words as input, and a brute forcer), but once a human mind sets you as a target, your online world is SOL.
IMO the best password scheme is still 8+ tokens (letters like 'a', words like "house", numbers like 123) that have absolutely NO CONNECTION to the service that offers the account or to publicly available information about you.
A good pattern (among many others) is to draw from an unrelated memorable sentence at the time you are creating the account. For example if you joined Slashdot last month while listening to the news, you may have thought "Hopefully the Russian annexation of Crimea doesn't start a war" and take the first letter of every word: "HtRaoCdsaw".
Or for a shorter sentence ("Let's not have a war again") every second word: "notaagain", but note that these are only 3 tokens, i.e. as bad as a 3 character password, so you have to spice it up through punctuation and leetspeak, according to a personal scheme of yours. But the important part is that when someone discovers and understands your scheme by looking at a leaked password, they will still have no chance of cracking your other accounts because the base sentence is unrelated. And since you picked something memorable, the mnemonic hook will help you remember it for years.
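The "base word + site-derived suffix" scheme from the earlier posts (boxcar + "vowels + count"), and the attack the post above describes against it, as an added example that is not code from the thread. The three derivation rules and the sample sites are constructed for illustration; only the first rule is the one actually proposed in the thread.

```javascript
// Added example, not from the thread: models the derived-password scheme and
// shows what one leaked password gives an attacker who tries a few rules.

// Candidate derivation rules. vowelsPlusCount is the thread's example; the
// other two are assumed extras an attacker's pattern list might contain.
const RULES = {
  vowelsPlusCount: (site) => { const v = site.replace(/[^aeiou]/g, ''); return v + v.length; },
  firstThreeLetters: (site) => site.slice(0, 3),
  nameLength: (site) => String(site.split('.')[0].length),
};

// How the user generates a password: secret base word + rule applied to the site.
function derivedPassword(base, site, rule = RULES.vowelsPlusCount) {
  return base + rule(site);
}

// Attacker step 1: from one leaked (site, password) pair, find every rule whose
// suffix fits the end of the password, and the base word each implies.
function recoverScheme(leakedSite, leakedPassword) {
  const hits = [];
  for (const [name, rule] of Object.entries(RULES)) {
    const suffix = rule(leakedSite);
    if (suffix && leakedPassword.endsWith(suffix)) {
      hits.push({ rule: name, base: leakedPassword.slice(0, leakedPassword.length - suffix.length) });
    }
  }
  return hits;
}

// Attacker step 2: regenerate the victim's password for every other site.
function predictPasswords(hit, sites) {
  return Object.fromEntries(sites.map((s) => [s, hit.base + RULES[hit.rule](s)]));
}

// Score the attack: how many of the victim's other passwords any recovered
// scheme predicts correctly.
function countCompromised(actual, leakedSite) {
  const others = Object.keys(actual).filter((s) => s !== leakedSite);
  let best = 0;
  for (const hit of recoverScheme(leakedSite, actual[leakedSite])) {
    const guess = predictPasswords(hit, others);
    best = Math.max(best, others.filter((s) => guess[s] === actual[s]).length);
  }
  return best;
}

// Constructed sample data: the same three sites for two users.
const SITES = ['homework.com', 'slashdot.org', 'textbook.example'];
const DERIVED_USER = Object.fromEntries(SITES.map((s) => [s, derivedPassword('boxcar', s)]));
// Passwords built from unrelated sentences, as the post above recommends.
const UNRELATED_USER = {
  'homework.com': 'HtRaoCdsaw',
  'slashdot.org': 'notaagain',
  'textbook.example': 'Tqbfjotld',
};

function demo() {
  return {
    homeworkPassword: DERIVED_USER['homework.com'],                         // "boxcaroeoo4"
    derivedCompromised: countCompromised(DERIVED_USER, 'homework.com'),     // 2 of 2 others
    unrelatedCompromised: countCompromised(UNRELATED_USER, 'homework.com'), // 0 of 2 others
  };
}
```

With the derived scheme, the single leak from homework.com hands over the base word and the rule, so both remaining passwords fall without any guessing; with sentence-based passwords the same leak matches no rule and predicts nothing, which is the distinction the post above draws.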
You don't have to do it that way. It was a case in point on how you can easily remember a password but not your password
I made a javascript that does it locally (no sending my passwords cleartext over the internet).
If SSH to my home computer is compromised a password to Slashdot is the least I have to worry about. SSH is also protected with Google Authenticator so I have to have my phone with me to log in with 2-factor.
I use LastPass to remember my passwords but in a pinch, (not on a machine with LastPass, LastPass goes out of business, etc) I can always regenerate my passwords.
If the new password must vary by at least five characters, they must be keeping a copy of the password, so you know they have crap security anyway. Use a base and append the month name or something (except that they're likely to have a character limit). Don't sweat the security too badly, because it's more likely to leak on their end. (Don't neglect it completely, though, because this is doubtless your bank password. The worst password restrictions I've seen were for banks and other financial institutions. 6-8 alphanumeric characters beginning with a letter, and they expect me to trust them?)
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes