Password Authentication for Schools

NB This page expresses a personal perspective, and no connection with any official office is intended or implied. It has been put together from a range of authoritative sources. Whilst every care has been taken to ensure its accuracy and validity, this cannot be guaranteed, and schools are advised to seek advice if unsure.

Introduction

Username and password combinations are a common means of authenticating users to provide access to systems. Whilst ubiquitous they are frequently difficult to administer, and a common factor in computer misuse.

With the right username and password combination it is possible to access sensitive personal data, steal identities, compromise security and invade privacy.

For these reasons it is essential to follow some clear rules. The difficulty lies in applying appropriate security according to the level of access the user profile allows. The user accounts of young children do not allow significant access to network functions and personal data, and are less likely to provide opportunities for misuse. Additionally, young children are unlikely to have sufficient knowledge to work round basic security. Contrast this with secondary age pupils, many of which are sophisticated and knowledgable. It is essential that an ethos of acceptable use is agreed, and that security is proportionate.

This requires a risk assessment approach, although some broad guidelines are offered below as the basis for discussion.

It is important to relate different requirements and security policies to different categories of user, and where possible relate this to content filtering and acceptable use. In practice this is difficult to administer, as children move through school phases.

School leaders and middle managers require greater access to sensitive personal data and information than teachers or teaching assistants. It is useful to consider operating differentiated access security and requirements and relating these to individual security profiles, policies and password strengths.

An example of differentiated levels of access

Level 1 - Early Years and KS1
Level 2 - KS2 Primary
Level 3 - KS3 Children
Level 4 - KS4/5 Young People
Level 5 - Teaching Assistants
Level 6 - Teachers
Level 7 - School leadership and Middle Management
Level 8 - School Administration
Level 9 - Technician
Level 10 - Unrestricted - Network Manager

Where a user has been granted unrestricted administrative access, care must be taken to ensure that procedures are in place to protect network security in the event of trust being compromised. This has occurred where school management changes, or where there are grievances.

Example of differentiated access and security

The example below offers an example of how access could be differentiated, and is intended to be illustrative rather than definitive.

Level	login	password	location	content	search	publishing
Level 1	open use without login	no password	in-school use only	maximum filtering restrictions	no access to public search engines	intranet / LP only
Level 2	Simple username	password set and changed by school	in-school use only	maximum filtering restrictions	supervised access to content restricted search engines	intranet/LP only
Level 3	Simple username	password set by user	home and school access	high content filtering	access to suitable search engines	moderated e-portfolio
Level 4	Simple username	forced password change	home and school access	moderate content filtering	access to range of public search engines	AUP e-portfolio and assessment
Level 5	Different format usernames	forced password change	in-school use only	unfiltered AUP	unrestricted search	AUP publishing, no access to MIS
Level 6	Different format usernames	forced password change	home and school access	unfiltered AUP	unrestricted search	AUP publishing, limited access to MIS
Level 7	Different format usernames	frequent forced complex password change	home and school access	unfiltered AUP	unrestricted search	AUP publishing, Full access to MIS
Level 8	Different format usernames	frequent forced complex password change	in-school access	unfiltered AUP	unrestricted search	Official publishing, MIS data controller
Level 9	Different format usernames	frequent forced complex password change	remote and in-school access	unfiltered AUP	unrestricted search	audit and technical access
Level 10	Different format usernames	frequent forced complex password change	unrestricted AUP	unfiltered AUP	unrestricted search	Unrestricted AUP

Password strength

Estimates indicate that 80% of network security problems are caused by bad passwords; therefore, good passwords are the simplest, and most important part of information security.

Passwords are not only used to access school computers and networks; they are now frequently used to personalise online experiences and to provide access to online services.

Usernames also need to be carefully formatted; the use of clearly defined names makes it easy to guess.

There are three factors that can be adjusted:

password complexity
Frequency of forced changes.
Automated storage of passwords (browser settings).

The move towards personalised learning and single sign-on authentication suggests that either password security needs to be better managed, or alternative methods of authentication such as biometric or smartcards need to be used.

Password Complexity

The complexity of passwords can be improved using some of the following methods. Care should be taken to avoid complexity when dealing with young children and to ensure that complexity is proportionate to the users level of access.

Use a password with mixed-case letters or use uppercase letters throughout the password.
Use the first letter of each word from a line in a book, song, or poem. For example: "Who ya gonna call? Ghost Busters!" would produce "Wygc?GB!”
Use the output from a random password generator. Select a random string that can be pronounced and is easy to remember. For example, the random string "adazac123" can be pronounced a-da-zac, and you can remember it by thinking of it as "A-to-Z,1 through 3." Add uppercase letters to create your own emphasis, e.g., aDAzac.2
Use two short words connected by punctuation, e.g., T1me#0ff
Use numbers and letters to create an imaginary vanity license plate password, e.g., 1H8work!
Use a password with mixed-case letters. Do not just capitalize the first letter, but add uppercase letters throughout the password.
Use at least six characters, eight characters for Windows NT.
Mix numbers and letters.

A common theme of these suggestions is that the password should be easy to remember! Avoid passwords that must be written down to be remembered. If unrecallable, someone may find the password you have written down, and compromise your network identity. Its surprisingly common to find network passwords written in school organisers.

Some definite don'ts!

DO NOT use your network login ID as your password in any form (reversed, capitalized).
DO NOT use any part of your name; first middle or last! Definitely do not use names of your children or pets.
If using web based services or portals, do not use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations. These can be attacked by software algorithms.
DO NOT use other information easily obtained about you. This includes pet names, car license plate numbers, telephone numbers, identification numbers, the make of your car, the name of the street you live on, and so on. Such passwords are very easily guessed by someone who knows the user.
DO NOT use dates e.g., September, SEPT1999 or any combination thereof.
DO change passwords regularly. The more critical an account to network integrity (such as root on a Unix host or Administrator on Windows NT), the more frequently the password should be changed. This change stops someone who has already compromised an account from continued access.
DO NOT use keyboard sequences, e.g., qwerty.
Do NOT use the original password given out when your account was set up.
DO NOT use any of the above things spelled backwards, or in caps, or otherwise disguised.
DO NOT write a password on sticky notes, desk blotters, calendars, or store it online where it can be accessed by others.
DO NOT let anyone use your account, and don't use that of others
DO NOT reveal your password to anyone.

These guidelines and suggestions should enable you to choose strong passwords that will help you improve the security of your system.

Frequency of forced changes.

Low level users need not change their passwords as frequently as high level users. The reasons are self-explanatory. Most networks offer user management features that allow network managers to set password change rules. As a guide: