Friday, March 16, 2012

Student Email not Secure?

I walked by a 4th Grade student who was upset that another student was looking at his password. While he had a genuine concern, I had to chuckle because he shares the same password with 3,000 other students.

Yes, most students in MMSD share the same password, and the user name can be easily retrieved by looking in the library card binder or at the computer number in the computer lab. If it is any relief to the upset mother, it was most likely a student in her daughter's class.


The police officers are right. 11111 is not a secure password, especially when shared with 3,000 other students. Well, at least no one is using the most popular password on the net, the one Anonymous always attempts first: 1, 2, 3, 4, 5.

One area where I would correct the mother is Gmail being needed for homework. Gmail is tied to many services, such as web searching, Google Docs, and Google Presentations, that students need to use for research and school work. The Goog allows a student to start a project at school, pick it up again at Dad's and then finish it at Mom's. So, it's not really as simple as saying students should not have email.

Here is the dilemma: we can have a single password that is the same for all students and therefore simple enough that even a Kindergartner can remember it, or we can have secure ones that include symbols, uppercase and lowercase letters, and numbers that we can't remember without some recording device. The latter is insecure too, because it has to be written down since it cannot be easily memorized. I personally use a special program that allows me to have 30-character-long passwords.

Lifehacker has some suggestions for secure passwords that are difficult for humans and computers alike to hack but easy for the user to remember. First, come up with a base word, which could be the first letter of every word of a song, or a name, and then build complexity from there.

I will use nate as my example. I could add the key above each letter of my name on the keyboard, giving nhaqt5e3. For added complexity I could capitalize the letters in my name: NhAqT5E3. For younger students it might be their name followed by the number of letters in it: nate4. As students age, the passwords can get stronger.
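The two schemes above, written out as an added example that is not part of the original post, together with a check an account administrator could run to reject a password that anyone can rebuild from the user name, which the post notes is easy to look up. The US QWERTY layout, the function names and the idea of testing against the user name are assumptions made for this illustration.

```python
# Added example: the post's base-word schemes plus a guessability check.
# Assumes a US QWERTY layout; all function names are hypothetical.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]  # top to bottom
SHARED_DEFAULT = "11111"  # the shared password quoted in the post


def key_above(ch):
    """Return the key directly above ch, or '' when there is none."""
    ch = ch.lower()
    for upper, lower in zip(ROWS, ROWS[1:]):
        i = lower.find(ch)
        if i != -1:
            return upper[i]
    return ""  # digits and symbols have no key above in this table


def keyboard_password(base, capitalize=False):
    """Follow each letter of base with the key above it (nate -> nhaqt5e3)."""
    out = []
    for ch in base.lower():
        out.append((ch.upper() if capitalize else ch) + key_above(ch))
    return "".join(out)


def name_length_password(base):
    """Younger-student variant: the name plus its length (nate -> nate4)."""
    return f"{base.lower()}{len(base)}"


def weak_reason(username, password):
    """Say why password is derivable from public data, or return None."""
    if password == SHARED_DEFAULT:
        return "shared default"
    derivable = {
        username.lower(): "equals user name",
        name_length_password(username): "user name + length",
        keyboard_password(username): "keyboard scheme on user name",
    }
    # Compare case-insensitively so the capitalized variant is caught too.
    return derivable.get(password.lower())


if __name__ == "__main__":
    # Constructed sample accounts, not real ones.
    for user, pw in [("nate", "NhAqT5E3"), ("nate", "nate4"), ("nate", "swo9nhgt")]:
        print(user, pw, "->", weak_reason(user, pw) or "not derivable from user name")
```

The scheme is only as private as its base word, so the check passes a password built the same way from a base word other than the user name.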

We do notice there is a big problem with more secure passwords: control. If you are dealing with 3,000 student accounts, it is much easier to manage them if they are all the same. Currently, if there is an issue with a student, it requires an email from the principal to get the account suspended. What we need is a system where the librarian, REACH teacher, or administrator can quickly change passwords and suspend accounts if necessary.

Here is what should be done.
  1. De-link all Gmail accounts from the Novell login. Gmail should have a separate login from the computer logon. Currently, Gmail accounts are linked to the Novell logon.
  2. Suspend all elementary Gmail accounts until the librarian / REACH teacher introduces it.
  3. A technical solution in which passwords can be changed and accounts suspended at the school level.
  4. Librarians teach about the rights and responsibilities of Gmail before students gain access. Students should know that their MMSD email is not a personal account and should not be treated as such. They should assume that parents or teachers can access their accounts.
  5. There should be training for both students and teachers on creating secure but easily remembered passwords. Way too many teachers still use district assigned passwords based off of private information.