Ask Slashdot: How To Keep Students' Passwords Secure?
First time accepted submitter bigal123 writes: "My son's school is moving more and more online and is even assigning Chromebooks or iPads to students (depending on the grade). In some cases they may have books, but the books stay home and they have user names and passwords to the various textbook sites. They also have user names/passwords to several other school resources. Most all the sites are 3rd party. So each child may have many user names (various formats) and passwords. They emphasized how these elementary kids needed to keep their passwords safe and not share them with other kids. However, when asked about the kids remembering all the user names and passwords, the school said they are going to have the kids write them down in a notebook. This seemed like a very bad practice for a classroom and to/from home situation. Do others have good password management suggestions or suggestions for a single sign-on process (no/minimal cost) for kids in school accessing school provisioned resources?"
For children age 6 and up, and also for adults, the most important thing is to Keep It Simple.
Writing down passwords is actually a good thing for adults, as long as the passwords are written down in a secure place. A note in your wallet qualifies, as you know how to keep your wallet secure (right?). This is even more secure than a password safe on your smartphone: inputting a strong password is a pain (and easily observed), and with it your smartphone becomes a prime target for theft (if it isn't already).
For children of 6 years old and older (I'm assuming a US centric view here, triggered by the word 'elementary'), the situation is not that much different. The only problem is that children at this age usually do not have a wallet.
This is then the only problem to solve: creating a secure place to write down passwords.
However when asked about the kids remembering all the user names and passwords the school said they are going to have the kids write them down in a notebook. This seemed like a very bad practice for a classroom and to/from home situation.
Bruce Schneier says:
"Microsoft's Jesper Johansson urged people to write down their passwords.
This is good advice, and I've been saying it for years.
Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."
https://www.schneier.com/blog/...
How To Keep Student's Passwords Secure?
How about we do away with passwords and have the kids get mandatory, government issued, RFID chips imbedded under their skin. Problem solved!
Brave Sir Robin ran away. ("No!") Bravely ran away away. ("I didn't!")
This, or just write them down in a notebook. Who cares about those passwords anyways? They are kids, for Christ's sake. Just give the teacher admin password to reset and change everything. They WILL steal each other's passwords, they will share them, they will make up "funny" passwords if they get to choose. They are kids, let them be kids. Being impulsive, naive, and, well, juvenile, is an integral part of being a kid. Also, they already remember all the important passwords, such as their Facebook, online games etc.
If you don't want to use a password manager, create each password with a base word that is not written down, then add characters to each password that are written down. For instance, the base word could be "boxcar". Then, actual passwords might be boxcar357a, just write down the 357a. Or some variation of this approach.
I tend to agree with this. Don't take away all the risks from these kids, they need to learn about the consequences of insecure passwords sometime. So their home page shows up in all pink, or all their notes have been translated to Ancient Egyptian - better now than when the stakes are higher. And they'll learn the lesson much better from personal experience.
... whatever
Just don't forget that - whatever Steve Gibson has to say on the matter - it does rely on the competence and integrity of the LastPass crew.
If LastPass rework their website so that your password is sent to them (rather than the encrypted hash generated by JavaScript), they can do decryption locally on their side (rather than in JavaScript in your browser), then they can read your passwords.
If they get man-in-the-middled somehow - by a malicious employee, say - your passwords are no longer yours.
They could engineer their site to be subpoena-friendly. (Whether they have, I don't know.)
Also, if someone hits you on the head after you've signed in to LastPass, they have all your passwords.
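A generic sketch of the client-side design the comment above relies on, as an added example (not LastPass's code and not from the thread): the key-derivation choices, the iteration count and all names are assumptions. It shows what the server can and cannot compute when only a derived login token is sent, and what changes if the site is reworked to receive the password itself.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor for this sketch


def client_derive(email, master_password):
    """Runs on the client: returns (vault_key, login_token). Only login_token is sent."""
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.encode(), ITERATIONS)
    # One more one-way step, so the token does not reveal the vault key.
    login_token = hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1)
    return vault_key, login_token


class Server:
    """Stores only a hash of the login token, never the password or the vault key."""

    def __init__(self):
        self.accounts = {}

    def register(self, email, login_token):
        self.accounts[email] = hashlib.sha256(login_token).digest()

    def login(self, email, login_token):
        stored = self.accounts.get(email, b"")
        return hmac.compare_digest(stored, hashlib.sha256(login_token).digest())

    def login_reworked(self, email, master_password):
        """The reworked site from the comment: the password itself reaches the server."""
        vault_key, token = client_derive(email, master_password)
        return self.login(email, token), vault_key  # server now holds the vault key


if __name__ == "__main__":
    email, pw = "kid@school.example", "constructed sample password"  # constructed input
    key, token = client_derive(email, pw)
    srv = Server()
    srv.register(email, token)
    print("login with token only:", srv.login(email, token))
    ok, server_side_key = srv.login_reworked(email, pw)
    print("reworked login gives server the vault key:", ok and server_side_key == key)
```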
I mean that's the obvious question ... if all an attacker can do is read some textbooks then I don't give a crap about how secure the password is.
Thank you, I've been posting this to every password-related Slashdot article for years and never managed to get modded up. My scheme is a slight variation, where the "357a" part is derived from the name of the web site or application you are logging into. Maybe you use the vowels in the web site name and their count: so the password for homework.com might produce "boxcaroeoo4." With this approach, instead of writing down "357a" or "oeoo" you write down "vowels + count" or "standard derivation" or something like that. The benefit is that if you use the same algorithm most of the time you don't have to write anything down.
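The "vowels + count" rule from the comment above, written out as an added example (not code from the thread); the function names and every site other than homework.com are assumptions made for illustration. It reproduces boxcaroeoo4 and checks two properties worth knowing before adopting the rule: whether two sites can end up with the same password, and how many characters of each password come from the memorised base word rather than from the site name.

```python
from collections import defaultdict

VOWELS = "aeiou"


def site_suffix(site):
    """The comment's 'vowels + count' rule: the site's vowels in order, then their count."""
    vowels = [c for c in site.lower() if c in VOWELS]
    return "".join(vowels) + str(len(vowels))


def derive(base, site):
    """Password = memorised base word + suffix computed from the site name."""
    return base + site_suffix(site)


def reuse_report(base, sites):
    """Group sites that end up with the same password under this rule."""
    groups = defaultdict(list)
    for site in sites:
        groups[derive(base, site)].append(site)
    return {pw: names for pw, names in groups.items() if len(names) > 1}


def secret_chars(password, site):
    """Characters left once the suffix anyone can compute from the site name is removed."""
    suffix = site_suffix(site)
    if password.endswith(suffix):
        return len(password) - len(suffix)
    return len(password)


# Constructed sample input: "boxcar" and homework.com are from the comment,
# the other site names are made up for illustration.
SITES = ["homework.com", "hometown.com", "mathgames.example", "reading.example"]

if __name__ == "__main__":
    for s in SITES:
        pw = derive("boxcar", s)
        print(f"{s:20} {pw:16} chars from base word: {secret_chars(pw, s)}")
    print("same password on:", reuse_report("boxcar", SITES))
```

Different sites with the same vowel sequence collide, so the rule does not guarantee one password per site, and only the base word contributes secret characters.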