As multiple systems and application become available to teachers, administrators and students, the corresponding number of required passwords also rises. And with the typical school administrator needing three to five passwords to access various databases or applications, handling the passwords through memory becomes another difficult task. A shocking number of students, school staff and even IT staff use passwords such as “12345” or “admin” that are easily guessed by snoopers. The pitfalls of lax password management practices can be data breaches, where proprietary school data or personally identifiable student information might be accessed.

Staff and students should avoid using personally identifiable information, such as a derivation of your name, phone number and especially date of birth or part of your social security number. While creating a strong and random password is essentially simple, take T6&ji*9R, for example, it’s difficult to make them memorable. The user gets around the limitations of their own memory by giving themselves easier access to the passwords. Perhaps they place them into a Word document that’s called “Passwords” or email the information to their unsecured personal email account.

Users should be instructed on the risks of reusing passwords or blending passwords from their personal life with those used exclusively for school systems. They should also be cautioned against sharing passwords, or allowing other users to access areas that contain individually identifying data.

Advanced password management systems offer remote access to password information with the security of top-level encryption such as AES 256. Such systems require the use of one master password that must be memorized by the user. Creating a unique but memorable master password can be quickly accomplished by following some best practices:
  • Encourage users to select a personal phrase such as, “Mrs. Smith’s geometry class is amazing.” Taking the first letter of each word in the phrase becomes MsGcIa. Alternating upper and lower case letters offers an additional layer of security. An additional safeguard is to add numbers to the beginning or end of the password. Students can choose the jersey number of their favorite sports star as a good source of random numbers.
  • A seemingly complex but easy to implement method is called the “upper-left” keystroke system. The user picks a real word such as “achieve” and then takes the key that is above and to the left of each letter in the chosen word. “Achieve” then becomes “qD83f3.” When suggesting this type of policy, it is a good practice to describe the procedure in person to staff and students. If the policy is plainly stated on the school website, clever hackers can do some guesswork to find the original real word and then quickly find the password.

Secure password management needs to be intuitive for the non-technical end user in order to ensure proper adoption. Establishing secure and available passwords protects schools from the embarrassment and potential financial consequences of data breaches.

Bill Carey is the vice president of Marketing and Business Development at Siber Systems Inc., Fairfax, Va., creator of software for both professional programmers and the general public. For more information, visit www.roboform.com.