3

When you create user logins in bulk, with set passwords as many users are unlikely to change their passwords, how do you disseminate the information?

Students in our school division are automatically assigned a username and password after registering. I know some schools print out a large list of usernames and passwords and guard them in a binder (and, presumably, homeroom teachers pass out student's login information). [Yes, I know that users should be able to create their own passwords. It has hitherto been untenable to make that work, and, unfortunately, I'm not sure how easily we could change things, technologically or socially, not to mention that some of the students use computers infrequently, and not have a good opportunity to set a new password, leaving their account vulnerable to anyone who could determine their username (not hard) and log in.]

While I know that these are not high-security passwords, I would like to keep them safe. I have also found that staff members ask, "When will this account be created?" (a few hours after the student is properly registered, thank you) and what is the password (I don't know off the top of my head). If it wasn't so insecure, it'd be nice to e-mail secretaries the new passwords to pass on (and whole lists at the start of the year, for that matter). I'd use encryption, but, as office staff's technical ability ranges the gamut, I loathe trying to explain how to decrypt the file. I don't really want to distribute information in printed form, as it is insecure and lists would need to get to a dozen sites. We do have a system staff can log into to look up students, but it doesn't know for sure if the automated system has created the account.

Are there any suggestions on how to responsibly distribute login information?

Clinton Blackmore
  • 3,510
  • 6
  • 35
  • 61

3 Answers3

5

You might want to look up the key distribution problem (Google reveals lots of info), as the problems you've outlined are fundamental to a lot of theoretical and practical cryptography. Generally the username is not consider secret; for lots of sites it consists of an email address, and for lots of academic establishments it consists of a student's initials suffixed by an integer for uniqueness. This tends to make usernames easy to find out. Indeed, some academic establishments use them actively and publicly to refer to students. The password is the most important, of course, in this type of security. It should be set to an initial value (unless you can ensure that the initial password will be entered by the student in controlled conditions, such as after initial registration), and this should be changed by the student upon first logging in. This should be enforced, otherwise there's no way of knowing if the password has already been compromised. If the student logs in successfully and changes the password, it doesn't matter if the password has been read before, as it's now been changed. If the student can't log in, the password may have been compromised, and therefore this will be detectable. This is the same basic method that banks use to issue PINs for credit cards - although most people don't bother to change the PIN they've been sent.

It's important to ensure that students log on at least once, in order to change the password - perhaps by sending their timetable or something by email (if the email is linked to the system account), or copying a file to the user area.

Staff should never be told the password, and this should be enforced site-wide. Indeed, no-one except the student should know the password.

As for the distribution of the initial password, you could print a letter for each student and ask them to collect it (although this would take a lot of time), distribute it to tutors or mentors (sealed - although not providing any security, enforcing the password change will see to ensuring that a password hasn't been cloned), or post it to their address. I wouldn't print a list of passwords at any point, really.

lime-like
  • 96
  • 1
1

I don't know the state you're in, but if you're talking about a public school, where we are we had the directive that we had to have changing passwords from the state auditors. That was the requirement as given to me, anyway.

In our case we had minimum complexity requirements and aging requirements placed on us.

It was all set with Active Directory, where you can set it to force a password change at first login, and how long between password changes (for us three months). Complexity for ours was something like not the same password as the last three used, can't have your name or username as part of the password, must have a number/punctuation/cap/lowercase mix (some mixture of the three).

This way when users need a password changed, we just change it to something generic (Resetme54321, for example) and then the first time they log in with it, it prompts them to change the password.

We also have policies that are supposed to be followed; teachers aren't supposed to have the passwords (some have to for certain reasons I won't get into) but it's made clear...or we try to make clear...that if Johnny's account is used to get into a share or poke in places it's not supposed to be in, Johnny gets called to the principal. If a teacher also has the password, they can potentially be in trouble as well, since they had access to that account. So if johnnydoe was found browsing porn sites or bomb-making material online...anyone with that account information is suspect.

Again...don't know your particular circumstances, but if you're with a public school system and your department of ed has auditors checking your systems you might want to check with them what their requirements are before you're audited, or check with your state's equivalent of an IU (intermediate unit...for PA, they do things like provide tech and state services to a region of schools. Training. One near here does software licensing sales. Consultation, server maintenance, hosting...You can google for pennsylvania intermediate unit for examples of what different ones offer.) Different states probably do different things.

Bart Silverstrim
  • 31,092
  • 9
  • 65
  • 87
  • Gee, I think there are only 70 school divisions in my province. We have 'zones' but I don't think they are nearly as hands-on as your IUs. The only auditors I've heard of here are the financial kind. I'm glad we don't have to operate under your requirements, but it would sure be good to be able to meet them. – Clinton Blackmore Aug 09 '10 at 21:02
  • Oh, it's tons of fun. They periodically audit things from procedures in student management to tech procedures to...well, I don't know, I'm not an (non-tech) administrator. But anyway, the password requirements aren't that horrible; it really is more like the type of requirements that major businesses prefer their employees work under (actual password requirements, non-sharing passwords, etc.) It also illustrates what your users will do to get around your password requirements and disregard your policies, often blatantly. – Bart Silverstrim Aug 10 '10 at 09:39
1

My co-worker recommended outputting the lists of credentials into an encrypted PDF file. I think this makes a lot of sense, as then I only have to give a password to the principal at each school, he can share it with staff, and, when anyone opens the document, they will be prompted for the password to decrypt it automatically.

I could even make it so that staff could not print the document, but I expect that would make a lot of people unhappy with me and accrue no real benefit.

Clinton Blackmore
  • 3,510
  • 6
  • 35
  • 61