Friday, Sep 15, 2017

Whip me, beat me, make me change my password

 

 

It's a little embarrassing, but it's taken three years to change our system to allow our students to change their own passwords. Until this fall, students used their student ID numbers as their passwords - number strings that were all too discoverable by fellow students and others.

We will be undertaking a proactive educational program for all kids this fall teaching them both the how and why of good password security. We will reach, I believe, the vast majority of kids with this training, investing in them not just a skill, but an understanding of why that skill is important. At least until biometric access becomes the norm.

The question I have been struggling with is if we should also enforce a mandatory password change.  Many security gurus in the business world recommend forced, regular password changes by all employees/application users with long strings of required password "strengths" including not being able to reuse a password. I use a number of applications that require this. Joy, joy.

My biggest concern with the forced password change is that it dilutes the personal responsibility we are trying to invest in our kids. "Real world ready" graduates, I believe, would see all forms of digital safety and responsibility as something that cannot be left to others to manage. It is your job to lock the door of your house, not that of a security officer or neighborhood watch.

Is my idealism putting student privacy at risk? What is your district's policy? 


Reader Comments (4)

The advice in recent years from some in the cyber security field has flipped in regards to frequent forced password changes. The reasons seem counter-intuitive but are explained at this link - https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

September 17, 2017 | Unregistered Commenter Tim Schumacher

Hi Tim,

Can't tell you how much I appreciate this link! Been saying this stuff for years that a complex password on a blotter is worse than a simple one in memory.

Thanks again,

Doug

September 18, 2017 | Registered Commenter Doug Johnson

The school division I work in instituted mandatory password changes for all students and staff last year and I can honestly say it's been a disaster. The frustration level for both groups as they frequently get locked out of using the division's network because they can't remember their passwords just isn't worth it. We have been keeping stats in the library at my high school where students come to reset their passwords if they have forgotten them or if they've been locked out of the system because they've failed too many times (don't get me started about the hoops our staff have to jump through if they've forgotten their passwords). We average at least 30 of these resets a day in a school that has 1250 students. Never mind the time wasted by the library staff having to make these changes, think of the amount of time students are missing from class every time they have to come to the library to get their password reset. The parameters for the passwords are so complex that they are simply too difficult to remember. So now students and staff have resorted to writing down their passwords and leaving them in places that others can find them. I know it's not right but I've been having students put their passwords into their devices in the notes section as long as they have a password code to access their device. If we're having these difficulties in high school, can you imagine the problems in elementary schools? Teachers make lists of the passwords every time they change which is another paper trail. Changing passwords has not made our systems more secure, that's for sure.

September 24, 2017 | Unregistered Commenter Jo-Anne Gibson

Hi Jo-Anne,

Your experience is similar to mine in the past when forced password changes happened. I believe the security gurus are now expressing doubt over the wisdom of this citing the same reasons you do. I really appreciate you sharing this with me!

Doug

September 25, 2017 | Registered Commenter Doug Johnson
