Learn best practices for password creation, protection in schools

With security breaches on the rise and staff professional development lacking in many school districts, cybersecurity concerns are at an all-time high, according to two experts who spoke at the 2018 Consortium for School Networking conference in Washington.

One of the most egregious offenses to date against schools occurred in the Johnston Community School District in Iowa, where a cyber-terrorist group called the Dark Overlord stole students’ personal information and released it on the dark web to make them easy targets for child predators, explained Ryan Cloutier, principal security architect at the Technology and Information Educational Services.

Most security breaches in schools result from human error, he said.

For instance, a staff member clicks a suspicious link in an email, allowing hackers to collect username and password information, or a person erroneously sends staff or student information to a hacker who is posing as a school administrator or the district’s human resources office.

For this reason, Cloutier recommended using a password manager, which is a service that saves passwords for different sites in a secure location.

Rather than requiring the user to log in to a site every time, the password manager can bypass that step and thereby make school sites and databases less vulnerable to attacks, he noted.

When selecting a password manager for the district, look for those that offer two-factor authentication, which is an extra layer of protection that requires a person to verify that he is attempting to log in before allowing access to a site.

Password security

Nathan Mielke, director of technology services for the Hartford Union High School District in Wisconsin, said local educational agencies should teach students and teachers good password habits to combat cybersecurity threats.

Mielke said schools should encourage students and teachers to be “their own password manager” in the sense that they should create “long passwords that are easy to remember.”

“In the last year, I’ve been trying to break the fallacy that you need to have 8 million different characters and the [alphanumeric] password shouldn’t make any sense to you,” Mielke said.

“I don’t think that’s a good way to teach our students how to manage their own passwords,” he told attendees. “I’m big on something long and simple that makes sense to me — something that’s not going to be easily hacked by a dictionary attack, [when a] hacker’s systems load a text file that literally has thousands of potential passwords that are commonly used, and they use a tool … to try every possible combination with a username.”

He offered the following example:

“I worked with a home economics teacher who had the password ‘ABC,’” Mielke said. “A dictionary attack could be launched, and it would likely break into that account in seconds.”

A ‘good’ password

“We have to teach our staff and our students what a good password looks like and why a good password looks like that,” Mielke said.

He said a more secure password does not need to be alphanumeric and include special characters, though it helps.

On the contrary, effective passwords could be the first several words or a sentence of a favorite song or poem or the name of a family vacation spot, for instance. These are not as easy to guess as a child’s birthdate or an old home address, which can be found more easily in an internet search.
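As an added illustration (not part of the original article or the speakers' material), the following check shows how a district could screen a new password when it is set, contrasting the traditional complexity rule with a length-first rule that also rejects commonly used passwords. The blocklist is a small constructed sample, the 15-character minimum is an assumed policy value, and the function names are hypothetical.

```python
import re

# Constructed sample blocklist; a real deployment would load a large list of
# commonly used passwords, the same kind of file a dictionary attack uses.
COMMON_PASSWORDS = {"abc", "password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 15  # assumed policy value that favours long passphrases
# Undo common character swaps so "P@ssw0rd" is compared as "password".
SWAPS = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})


def normalize(candidate):
    """Lowercase, drop trailing digits and symbols, reverse character swaps."""
    core = re.sub(r"[\d\W_]+$", "", candidate.lower())
    return core.translate(SWAPS)


def passes_complexity_rule(candidate):
    """Traditional rule: 8+ characters with upper, lower, digit and symbol."""
    patterns = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(candidate) >= 8 and all(re.search(p, candidate) for p in patterns)


def screen_password(candidate, context_words=()):
    """Return rejection reasons; an empty list means the password is accepted."""
    reasons = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if lowered in COMMON_PASSWORDS or normalize(candidate) in COMMON_PASSWORDS:
        reasons.append("commonly used password")
    # Reject passwords built on the username, school name and similar words.
    if any(len(w) >= 3 and w.lower() in lowered for w in context_words):
        reasons.append("contains account-specific word")
    return reasons


if __name__ == "__main__":
    for pw in ("ABC", "P@ssw0rd1!", "the quiet lake at sunrise"):
        print(repr(pw), passes_complexity_rule(pw), screen_password(pw))
```

The complex-looking "P@ssw0rd1!" satisfies the traditional rule yet is rejected once its character swaps are undone, while the long plain phrase fails the traditional rule and is accepted.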

Research on how hackers think suggests that having school staff members “change their passwords three or four times a year also doesn’t make things more secure; it just means there’s a different post-it note [containing a different password] that sits on their desk,” he said.

Finally, Cloutier said to treat a school password like a toothbrush: “Don’t share it, and change it often.”

Emily Ann Brown covers education technology and STEM education issues for LRP Publications.

Copyright 2018© LRP Publications, Education Daily®