Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Education Privacy Security

Ask Slashdot: How To Keep Students' Passwords Secure? 191

First time accepted submitter bigal123 writes My son's school is moving more and more online and is even assigning Chromebooks or iPads to students (depending on the grade). In some cases they may have books, but the books stay home and they have user names and passwords to the various text book sites. They also have user names/passwords to several other school resources. Most all the sites are 3rd party. So each child may have many user names (various formats) and passwords. They emphasized how these elementary kids needed to keep their passwords safe and not share them with other kids. However when asked about the kids remembering all the user names and passwords the school said they are going to have the kids write them down in a notebook. This seemed like a very bad practice for a classroom and to/from home situation. Do others have good password management suggestions or suggestions for a single sign-on process (no/minimal cost) for kids in school accessing school provisioned resources?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: How To Keep Students' Passwords Secure?

Comments Filter:
  • by NotInHere ( 3654617 ) on Thursday September 25, 2014 @04:36AM (#47991477)

    They log on on one site, and use that login to log in to all other sites.

    • OpenID (Score:3, Insightful)

      by Anonymous Coward

      THis, or just write them down in a notebook. Who cares about those passwords anyways? They are kids for christsake. Just give the teacher admin password to reset and change everything. They WILL steal eachothers passwords, they will share them, they will make up "funny" passwords if they get to choose. They are kids, let them be kids. Being impulsive, naive, and, well, juvenile, is integral part of being a kid. Also, they already remember all the important passwords, such as their facebook, online games etc

      • Re:OpenID (Score:5, Insightful)

        by Cenan ( 1892902 ) on Thursday September 25, 2014 @05:58AM (#47991745)

        I tend to agree with this. Don't take away all the risks from these kids, they need to learn about the consequences of insecure passwords sometime. So their home page shows up in all pink, or all their notes have been translated to Ancient Egyptian - better now than when the stakes are higher. And they'll learn the lesson much better from personal experience.

        • I tend to agree with this. Don't take away all the risks from these kids, they need to learn about the consequences of insecure passwords sometime. So their home page shows up in all pink, or all their notes have been translated to Ancient Egyptian - better now than when the stakes are higher. And they'll learn the lesson much better from personal experience.

          Wholeheartedly agree. I would require my child to use the password(s) regularly and not rely on some tool to store them where they don't know what they are and can't remember them should something keep them from the application containing them. People don't know or forget passwords because they don't actually use them. I see this ALL THE TIME! People store their passwords and then forget them ause their brains aren't being used to store and recall them on a regular basis. I have only a few passwords that I

      • On the other hand they are kids so now would be a good time to teach them good habits such as password security.

        • On the other hand they are kids so now would be a good time to teach them good habits such as password security.

          One of the best ways to do that is let them abuse each others accounts. While it's still something relatively harmless that gets trashed.

          • DAAAD. Why does my facebook say I like boys?

            We've been over that, you didn't use SSL. I intercepted your stream and rewrote it.

      • by thieh ( 3654731 )

        Who cares about those passwords anyways? They are kids for christsake. Just give the teacher admin password to reset and change everything. They WILL steal eachothers passwords, they will share them, they will make up "funny" passwords if they get to choose. They are kids, let them be kids. Being impulsive, naive, and, well, juvenile, is integral part of being a kid. Also, they already remember all the important passwords, such as their facebook, online games etc.

        Better question: do we want that to be an opportunity to teach them how to manage passwords/manage their own system so that their bad habit don't stick with them all the way into old age homes?

        • It's not like they're going to completely avoid explaining/teaching them how to do this. Just tell them, allow them to screw up and then *grade* them on their performance like you do with every other subject you teach them. Password security is easily infected with paranoia and being over done. At the elementary school level, it's not like there's anything worth keeping under heavy security.
      • by ami.one ( 897193 )

        Replying to undo wrong moderation

  • Yes! Use a password manager. But then also add 'a third password' to it, in the form of a finger print scan via a USB Yubi-Key for two-factor identification. Similarly you can also 'authorize' your specific mobile devices, (which can't accept a YubiKey). It's a hassle, but it is also an investment in security; which is how these things always work.

    http://help.passpack.com/knowl... [passpack.com]

  • Keep It Simple (Score:4, Insightful)

    by Okind ( 556066 ) on Thursday September 25, 2014 @04:54AM (#47991535) Homepage

    For children age 6 and up, and also for adults, the most important thing is to Keep It Simple.

    Writing down passwords is actually a good thing for adults, as long as the passwords are written down in a secure place. A note in your wallet qualifies, as you know how to keep your wallet secure (right?). This is even more secure than a password safe on your smartphone: inputting a strong password is a pain (and easily observed), and witht it your sm artphone becomes a prime target for theft (if it isn't already).

    For children of 6 years old and older (I'm assuming a US centric view here, triggered by the word 'elementary'), the situation is not that much different. The only problem is that children at this age usually do not have a wallet.

    This is then the only problem to solve: creating a secure place to write down passwords.

    • A note in your wallet qualifies, as you know how to keep your wallet secure (right?)

      I've been doing this for years for all sorts of passwords. But I take it one step further just write it on things already in your wallet. I write my pin on my bank card and the bank card is in my wallet and I keep my wallet in my back pocket so it's always with me. Now no one can get at my money or password.

    • From what I've read, writing your passwords down *in a slightly changed form* and then keeping the list relatively secure like in your wallet, is actually best practice. It's impossible for an online attacker to get to, and even if someone does steal your written list, it is unusable to him assuming your alterations are decent.
  • by RDW ( 41497 ) on Thursday September 25, 2014 @04:58AM (#47991547)

    However when asked about the kids remembering all the user names and passwords the school said they are going to have the kids write them down in a notebook. This seemed like a very bad practice for a classroom and to/from home situation.

    Bruce Schneier says:

    "Microsoft's Jesper Johansson urged people to write down their passwords.

    This is good advice, and I've been saying it for years.

    Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."

    https://www.schneier.com/blog/... [schneier.com]

    • by s.petry ( 762400 )

      Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down.

      Bull spit. The problem is that people are using dictionary words in their passwords to begin with, and there are surely viable alternatives which are absolutely able to provide memorable strong passwords without dictionary words (company names, acronyms, usernames, etc..).

      As with many other perceived problems, a lack of education and complacency are the real culprits here. Instead of blaming users for bad passwords, put the blame on executives that refuse to educate people, and further refuse to enforce p

      • Dictionary attacks are not the only attack vector now days. With all of the account server break-ins lately, a very big problem is people re-using the same password and login (often an email address) on different websites. So if your account to l33twarez.com gets compromised and you used the same account info as your email or bank, then those too are compromised. This has been a big problem with online gaming for years.
        • by s.petry ( 762400 )

          I agree, but as with above this is a problem with eduction. If you teach people to use different passwords, and provide them a method of generating different (yet similar) passwords the problems are greatly reduced.

          When was the last time you heard your security team remind people not to re-use passwords? This is of course in addition to training people on strong memorable passwords. If you can't remember, something is wrong.

          As much as security experts enjoy hacking and finding vulnerabilities, their job

  • Excellent password manager. Syncs an AES-encrypted file to all your devices. It also has plug-ins for most web browsers (Firefox, Chrome, Safari) that allow you to login automatically on a web site. I personnally don't use the plugins, but it's really good on both Android and Mac OS X.

  • RFID chips (Score:4, Funny)

    by LookIntoTheFuture ( 3480731 ) on Thursday September 25, 2014 @05:02AM (#47991567)

    How To Keep Student's Passwords Secure?

    How about we do away with passwords and have the kids get mandatory, government issued, RFID chips imbedded under their skin. Problem solved!

  • by gweihir ( 88907 ) on Thursday September 25, 2014 @05:04AM (#47991571)

    Just make sure they understand to keep the notebook safe. Ideally, they would write them down in a diary or the like, that contains other private information, bit at least here only girls usually have these.

    • I think the part about keeping passwords secret for the 6-12 year old range is really just to teach them good habits. The world isn't going to end if someone breaks into the site where they get their daily reading or math assignment. The teacher can probably just reset the account if something was messed up, and give them a new password. After that agent may become more of a problem, but by them it would probably be a good idea for the kids to have a device like an iPod touch where they can have a password
  • Tell them to put them in a notebook. Accept that they will get shared. If that bothers the school admins, too bad.

    I have a feeling that this school is wasting a bunch of money on stuff "third party" salesmen have sold them, but that is another issue.

    • by mbone ( 558574 )

      Oh, and probably most important - parents should make sure they have a copy of the ID's passwords needed to access "third party" resources, to avoid the inevitable loss of notebooks.

  • by Engeekneer ( 1564917 ) on Thursday September 25, 2014 @05:29AM (#47991629)

    I think the question is completely wrong, it's not how they should remember their passwords. It's why do they have several usernames and passwords in the first place?

    First the resources that are school controlled should of course be behind one username/password pair, preferably SSO for the web parts (e.g. a CAS variant is quite simple).

    For external resources, is there a real reason they really need to log in? E.g. can IP based access control or something work for some cases. I understand you don't control everything, but as users(/customers) one can at least complain, and try to push it in the right direction. If there is a reson to log in, do they support something like Shibboleth/SAML or OpenID for login federation? If so, that should be used. It's not trivial, but making the lives of the students hard for something stupid like that is even worse

    I think that for an elementary school student, if the amount of username/password pairs they need is over 1, there's something wrong somewhere.

  • Notebooks are non-installable (no e-viruses), portable, inexpensive, and do not require access to a third party online service (school access whitelists work).

    They are as secure as they need to be - students are to use their own notebooks and note share them, and as long as a notebook is closed it is secure from prying eyes. These aren't nuclear codes, they're access to textbook sites used by grade school kids. If you're so concerned, have your child get a small, pocket sized notebook and write them down th

  • Have you seen Memento?

    • Yes, but I don't want to visit a tattoo parlor every 90 days (when I have to change my work password), and my forearm is only so big.

  • It works. Creates secure passwords. Stores them.

    Easy.

  • They emphasized how these elementary kids needed to keep their passwords safe and not share them with other kids.

    Yeah, it's still a crime, but at least the Software Protection Authority and Central Listening won't find out about it that way, right?

  • It is better to have a good password written down somewhere, than using the name of your dog and knowing it by hard.
  • Rhymes can stick nicely in the mind. Twist a rhyme to form a password. Jack and Jill climbed up the Pill would stick in most kid's minds. Or twist a popular phrase. Jose can you see instead of Oh say can you see might work.
    • by SpzToid ( 869795 )

      Fish heads, fish heads, roly poly fish heads. Fish heads, fish heads, eat them up. Yum!

      https://www.youtube.com/watch?... [youtube.com]

      REFRAIN
      Fish heads fish heads roly poly fish heads
      Fish heads fish heads eat them up yum

      REPEAT REFAIN

      In the morning laughing happy fish heads
      In the evening floating in the soup

      REFRAIN

      Ask a fish head anything you want to
      They won't answer they can't talk

      REFRAIN

      I took a fish head out to see a movie
      Didn't have to pay to get it in

      REFRAIN

      They can't play baseball they don't wear sweaters
      They're not

  • Grille [wikipedia.org]
    He could have a folded one in his wallet or whatever. If he loses his notebook, it's just a random set of letters.
  • Don't expect them to get it perfect the first time. And depending on their age, don't start them off with what you'd consider the best final approach. You're in a school, treat it like any other learning experience.

    Just using passwords may be a new experience for some of them. Start with the basics. I wouldn't focus too much to start with on "strong passwords", they can work on that later. For now, work on selecting a password they can remember, NOT sharing their password, and changing their password a

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday September 25, 2014 @06:50AM (#47991941)
    Comment removed based on user account deletion
    • by FhnuZoag ( 875558 ) on Thursday September 25, 2014 @07:07AM (#47992013)

      I think you are totally right here. The phrasing of this question as being about 'security' is actually totally off base. From the student's perspective, there is no advantage to security. Only the textbook publishers actually benefit from security - they don't want people who haven't paid for the textbooks to read them.

      For the student, what he or she actually cares about is being able to easily access he or her school stuff. The worst case scenario is not someone stealing his or her password, it's not being able to recall his or her password and thus being unable to participate in class. Lastpass etc is overthinking it. Just set the password to something simple and easy to remember, and write it down just in case they forget.

    • You took my response!

      When it comes to security, I always try to drive the idea home that security is always a balance between "creating easy access for authorized users" and "making unauthorized access difficult", and where you strike that balance should always depend on the context of how easy authorized access needs to be vs. how hard unauthorized access needs to be.

      So in this case, your child probably doesn't need very good security. There are no state secrets, no business documents to be hidden from

  • Most kids are required to have school IDs now. Write the information on a card of the same size as the ID, laminate it, and attach it to the lanyard that holds the ID.
  • Issue the students smart cards or integrate them with their student ID. The costs have smartcards have come down so much now that my local laundromat uses them in place of coins. If a student loses their ID, an administrator simply deactivates the card.
    • by Proteus ( 1926 )

      The cards aren't the core cost, it's the infrastructure and hardware to support them. How does the smartcard work with tablets? How does it work with Chromebooks? And so on.

  • "The dog chased 3 chickens around the house."=Tdc3cath. "I use Google to write emails to Grandma."=IuGtwetG.
  • If the school is going to have access to this notebook, assume from day 1 they are going to use it to log onto your child's account and monitor it, thus you should encourage your child to only use it for school activity and not for any personal activity. Schools have done worse.
    • For that matter, assume the school always has full remote access to the hardware they issue to the students. Same reasoning. Don't log into personal accounts from those devices or do anything personal on them. Remember the case of the school that issued laptops to students only to spy on them with the webcams... hopefully nothing like that will happen to you, but at the same time it's prudent to keep anything the school has access to cleanly separated from your child's personal life.
      • by KitFox ( 712780 )

        I'm the technology manager at a school but beholden to a larger "Management" company for a lot of my processes. In our case, we can't afford to issue laptops or tablets or Chromebooks to students, however it is absolutely true that we have access to everything everybody does on school computers. This includes students and to some portion, teachers. We tell everybody straight out with big, bold text that we have access, but people do stuff anyway.

        Tuesday, a new employee got onto his computer for the first ti

  • I'd say keeping the list in the last page of a notebook or binder should be sufficient... and I feel like it's pretty reasonable for the teacher to have a copy of the students passwords in case they lose/forget the notebook.
  • Master password system of some kind is about the only reasonable solution. KeyPass etc.

  • What assets are you protecting? What is the risk?

    1 ) If the account is compromised can you get access to it again via alternate means?

    Be the parent. Have all of the accounts go to an email box you control, or have all of the accounts go to an email box that you know you can get access to beyond the password. In case of breach make sure you have a path to regain access and control.

    2) What are the accounts for? Minimize the risk.
    Don't allow the kids accounts to be an attack vector for *Y

  • Use Dropbox (or any cloud service that sync local files) and Keepass 2 (open source) to keep them in an encrypted file that is shared among anyone. You can also do group file sharing in dropbox, though I don't do that with my passwords file.

    The keepass file is encrypted.
    I've done this for several years. It's awesome. It allows you to change your password for the same site without depending on some algorithm to lock you into only one possible password for that site.
    You can add and edit the file and it sync

  • Create a SINGLE algorythm to generate a password based on the item/program.

    Start with a core that involves a Capital letter, a lowercase letter, a number and a symbol. You want it be about 7 letters long, something like this:

    Sp1tab$

    ALL your passwords will start with that. Next decide if you are going to use the first, second, last, or second to last letter.. Let's go with "first"

    Add the "first" letter of the name of the device/software for which you are using a password. Then add the "first" l

  • what ou are securing as much as it's about the secrity.

    I it just access to text books? then who cares. Are we worried one to many of the kids might learn?

    Writing them down is fine for what we re trying to protect.

    That said, it's a good time to teach them how to make easy to remember hard to crack passwords.

    "Mary_Had_A_Little_Lamb_2004"
    As an example.

  • Writing down passwords isn't an automatic fail—it just means you need good physical security on whatever you write them down in. A notebook is bad advice, but writing them down on a wallet card or similar wouldn't be too bad.

    Something like LastPass is probably your best bet, since it works everywhere (including Chromebook); though it isn't free if you want to use the mobile app, it is pretty inexpensive. Of course, if LastPass has an outage, you're gonna have a bad time.

    As a security professional, I

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...