Having a password policy within your school should be expected; having a password policy that’s easy to understand and therefore actually followed by your staff and students is the harder part. A strong password policy is a key part of your wider access control and identity management approach to reduce the possibility and probability of a cyber attack, and protect the school's assets. This blog post is intended to help your school make informed decisions about how staff and students create passwords.
Those responsible in your school for systems ownership, maintenance and development should work with your senior management to ensure that your password policy advocates a best practice approach that reduces the reliance on the user having to recall multiple complex passwords. The advice from the UK’s National Cyber Security Centre (NCSC) suggests that strong passwords are just one part of a comprehensive cyber defence that should also incorporate a greater reliance on technical defences and organisational processes.
The first and foremost action is always to educate staff and students on the importance of being vigilant with the management of their accounts. As well as understanding the implications of attackers gaining access to their accounts, this includes:
- Using strong passwords
- Implementing two-step-authentication (2FA)
- Not disclosing passwords to anyone
- Not accessing unverified websites
For a deeper dive into how to improve information security in your school, you can book a free workshop with one of our experts
So, what is a strong password? Passwords can be created by your staff and students themselves or they can be machine generated. Passwords created by a system or through technology will remove the human elements of passwords that a would-be attacker might be able to guess. They are composed of complex, unique patterns of letters and numbers which are hard to remember - great from a security perspective but not so great for recalling as a user.
The recommended solution here for governing machine-generated passwords is to use password management software for your system and service accounts. Common password management services that you may have heard of are: 1Password, LastPass, Dashlane. As with most technical services they come at a cost, whereas user generated passwords are a no-cost solution. However a common password management service allows for all passwords to be centrally logged and accessible by key stakeholders, including but not limited to members of the senior leadership team. You are also able to easily identify the age of the password and the number of times it has been used.
User-generated passwords, although free and easy to implement come with their own risks, often relating to the re-use of passwords, creating easy to guess passwords (such as favourite football team names), or using common password creation strategies (such as replacing the letter ‘s’ with a 5).
There are some clever password strength applications around which can support your staff and students with assessing how secure their self-generated passwords are. As with any web form or service that requests you enter information, make sure to take a cautious approach, particularly if it’s in conjunction with providing personal information.
Apple’s iOS 14 update is a good example of a user-friendly feature to support you with creating strong passwords for the applications. When typing in a password, your device will alert you to let you know if your details have been leaked. The software does this by using cryptographic techniques to securely monitor your saved passwords against a list of breached passwords, ensuring that your passwords have not been previously compromised in a data breach. Apple are adamant that this process is conducted in a private and secure manner that does not reveal your password information, even to them.
If we are to believe Apple, then this is a great little feature that forces users to actively think about the passwords they are choosing, as well as strongly consider other accounts where they may have used the same password. In all cases, you must change your password if you know or suspect it has been compromised.
Staff and students should also be cautious, however, about how they respond to technical prompts alerting to whether a password has been compromised or that the information entered is not complex enough. Complexity requirements may steer users away from the weakest passwords, but they might also encourage the use of guessable passwords as staff and students are likely to fall back on using personal information, numbers instead of characters, or common character patterns to generate their passwords.
For user-generated passwords, implementing a creation technique in your school such as three random words will help staff and students to create less predictable passwords. It’s an easy method to help your staff and students generate complex passwords that are easy to remember. The words you choose to use for your password should have no obvious connections, so avoid using a common phrase such as ‘readysteadygo’. Instead, your password should be an entirely random combination, such as ‘cactusweatherlamp’, or fridgegrassshipping’. To add complexity, random capital letters could be used to enhance your password security.
To raise awareness of using the three random words technique in your school, you can download 9ine’s poster.
If interested in finding out more about improving information security in your school, you can book a free virtual workshop with 9ine. The workshops will provide you with school specific knowledge for improving your technical and organisational measures.
If you manage passwords via Active Directory you are able to apply the following settings via Password Setting Object:
- Enforce minimum password length. Note it is not possible for the system to recognise three random words, therefore minimum password length is the most suitable method to be used alongside training and awareness
- Enforce password history to ensure users do not reutilise the same passwords
- Enforce account lockout policy in line with your organisation’s appetite to risk
You should avoid the use of:
- Forced complex passwords
- Password expiry (maximum password age as described in Active Directory)
These considerations described in this blog should be reviewed with Single Sign On, security monitoring, password denial lists and Two-Factor-Authentication.
ABOUT THE AUTHOR:
Cameron is a PMO at 9ine - providing governance and programme management across operations, sales, marketing and service. With a BA in English Literature, Cameron lends his hand to the occasional 9ine blog here and there.