K12 classrooms–and most families–have bad password practices. Passwords for Google Classroom accounts are often derived from usernames. That password is then reused when signing up for other online accounts. This violates three of the most important rules of protecting online privacy and identity. From Krebs on Security:
- Do not use your network username as your password.
- Avoid using the same password at multiple Web sites.
- Never use the password you’ve picked for your email account at any online site: If you do, and an e-commerce site you are registered at gets hacked, there’s a good chance someone will be reading your e-mail soon.
xkcd explains the dangers of password reuse.
“Password reuse is what really kills you,” says Diana Smetters, a software engineer at Google who works on authentication systems. “There is a very efficient economy for exchanging that information.”
Kill the Password: A String of Characters Won’t Protect You | WIRED
At most schools, student identities are protected by weak passwords trivially derived from usernames and reused everywhere. Once someone gets ahold of your email password, they can reset your passwords elsewhere and pwn your life. When you reuse passwords, a data leak on a forgotten site can be escalated into takeover of your email and your identity.
What to do? The Smart Girl’s Guide to Online Privacy by @violetblue is a great primer on privacy and passwords. Chapter 10, “I Hate Passwords”, is eleven pages of good advice on creating and managing passwords–from which we crib below.
TLDR: Use a password manager and never reuse passwords.
If you decide to use a password manager, these great little apps can generate really strong passwords for you whenever you need one. You can also use password generators on trusted websites, such as LastPass or Norton.
Follow these rules and you’ll get better passwords:
Smart Girl’s Guide to Online Privacy
- Make strong passwords that are at least 12 to 16 characters long.
- Don’t use pet or family names.
- Don’t use your address, Social Security number, birth date, or other personal information.
- Never recycle or reuse a password— not even once.
- Don’t let Chrome, Firefox, Safari, or any other browser save passwords for you.
- Use password phrases (usually six or more words long) for the best security.
- Include capital letters, numbers, and symbols if the app or site allows it.
But the best passwords are those generated by password managers.
Even better is to use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to create and store them.
Choosing Secure Passwords – Schneier on Security
Password managers like LastPass and 1Password save all of your passwords safely in a vault and encrypt everything. That way, you have them all in one place, no one can accidentally discover them, and you can make really complicated passwords, because the manager will keep track of them (and remember them) for you. You use one master password to unlock the password manager, and it saves and encrypts your passwords either locally or on its site. Most of these applications also have crazy-awesome password creators that you can and should use to generate super-strong new passwords with one click— and the password app automatically saves them for you.
Smart Girl’s Guide to Online Privacy
The penny first dropped for me just over 7 years ago to the day: The only secure password is the one you can’t remember. In an era well before the birth of Have I Been Pwned (HIBP), I was doing a bunch of password analysis on data breaches and wouldn’t you know it – people are terrible at creating passwords! Of course, we all know that but it’s interesting to look back on that post all these years later and realise that unfortunately, nothing has really changed.
The strength of most passwords is terrible. Then they get reused. Everywhere. That post was my own personal wakeup call; it was the very point where I observed that what we all needed to do was to “liberate ourselves from the tyranny of passwords”, as I said at the time, and that’s precisely what I did: I went and bought 1Password and I’ve been using it every single day since across all my devices.
I use 1Password to generate passwords. You can adjust the password recipe to accommodate any site’s password rules. Here’s the recipe I usually use.
That’s 50 characters of random, which makes for a good password. Most sites will accept 50 characters, but there are still plenty out there that balk at passwords over 8, 10, 15, or 20 characters in length. Banks, unfortunately, are known for their short password limitations (and crufty password advice). I start at 50 and work my way down. “Complexity is nice, but length is key.” Go for long passwords.
Update: The NIST recently announced new password rules that recommend sites allow a maximum length of at least 64 characters. 1Password updated its password generator to support a 64 character maximum.
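As an added example (not code from this post, from 1Password, or from the Smart Girl’s Guide), here is a small Python sketch of the ideas above: a generator that takes a site “recipe” (length, whether symbols are allowed, the site’s cap) and starts long, a six-word passphrase generator, and a checker that flags the username-derived, short, and reused passwords the rules warn against. The word list is a constructed stand-in; a real passphrase should draw from a full diceware-style list.

```python
import secrets
import string

# Constructed stand-in word list for illustration only; use a real
# diceware-style list (thousands of words) for actual passphrases.
WORDLIST = ["correct", "horse", "battery", "staple", "orbit", "velvet",
            "granite", "lantern", "meadow", "cobalt", "quartz", "harbor"]


def generate_password(length=50, symbols=True, max_length=64):
    """Random password following a site 'recipe'.

    Start long (50 by default) and let the site's cap trim it, which is
    the 'start at 50 and work my way down' approach from the post.
    secrets (not random) is used so the output is suitable for secrets.
    """
    length = min(length, max_length)
    alphabet = string.ascii_letters + string.digits
    if symbols:
        alphabet += string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=6, wordlist=WORDLIST):
    """Passphrase of `words` randomly chosen words (six or more is advised)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def password_problems(password, username, previously_used=()):
    """Return the quoted rules a candidate password violates.

    An empty list means none of these checks fired; it does not mean the
    password is strong, only that it is not obviously derived, short or reused.
    """
    problems = []
    low, user = password.lower(), username.lower()
    # 'jsmith2024!' is still derived from the username 'jsmith'
    stripped = low.rstrip(string.digits + string.punctuation)
    if user and (user in low or stripped == user):
        problems.append("derived from username")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password in previously_used:
        problems.append("reused")
    return problems
```

Running `password_problems("jsmith2024", "jsmith")` reports both the username-derived and the too-short rule, while a 50-character generated password passes all three checks.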
When choosing a password manager, get one that runs on all of the devices you use. I’ve used 1Password for years. It offers iOS, Android, Windows, and Mac clients. It can sync your passwords between devices via iCloud or Dropbox. If you need to share passwords among family or team members, check out 1Password for Families, 1Password for Teams, or 1Password for Business. Stimpunks uses 1Password for Business, which includes 1Password for Families for free for everyone on our business plan. In addition to personal vaults for everyone, we have vaults for various teams in the organization. Having login information for all accounts in shared vaults improves our bus factor.
How Passwords Are Stolen
Be realistic about your threat model. State-sponsored surveillance and hacking aren’t in the threat model of most families or organizations. Protect yourself from the much more real threat of phishing by using a password manager, unique passwords, and two-factor authentication.
Here’s one thing to know: if a teacher, boss, TSA agent, police officer, or anyone else tells you that you have to give them your password, you shouldn’t do it unless you know it’s against the law not to.
When sharing passwords with family, consider using a password manager that accommodates shared vaults. Though I haven’t used them, there are also tools for sharing streaming video accounts.
Surveillance, Privacy, Ethics, and Trust
“In the educational domain we see a lot of normalisation of designing computers so that their users can’t override them. For example, school supplied laptops can be designed so that educators can monitor what their users are doing. If a school board loses control of their own security or they have bad employees, there’s nothing students can do. They are completely helpless because their machines are designed to prevent them from doing anything.”
“We have this path of surveillance that starts with prisoners, then mental patients, refugees, students, benefits claimants, blue collar workers and then white collar workers. That’s the migration path for surveillance and students are really low in the curve. People who work in education are very close to the front lines of the legitimisation of surveillance and designing computers to control their users rather than being controlled by users,” Doctorow says.
Surveillance in education can also interfere with the educational process, he says, because “nobody wants to be seen fumbling. When you are still learning, you don’t want to feel like you are being watched and judged.” Doctorow adds that, due to their lack of power, students have limited options to take control of their learning and the digital tools they use.
“I talk to students, often younger students, who say they don’t worry about surveillance because they know how to block it out; they use a proxy or something else. But, first of all, those students can get in a lot of trouble for it. In America, they could actually be committing a crime and they could go to jail for it. It also doesn’t solve the overall problem; it only solves it for them. So I’ve often said to students that rather than breaking the rules, they document the absurdity of the rules and demand that adults account for it.”
“The censorware companies mostly work in the Middle East in repressive regimes who buy it on a mass scale to try to control the flow of information in their countries. Students should contact journalists, the school board and the parents’ association and ask why they are giving money that was meant to be for their education to war criminals who spy on us.”
Handing over data, often quite thoughtlessly, has become par for the course – in education and in society more generally. Although privacy experts have urged parents and educators to be more proactive about protecting children’s data and privacy – while using Pokémon Go and other data-hungry apps – we now live in a culture of surveillance, where data collection and data extraction have become normalized.
Surveillance starts early. “Quantified babies” and “Surveillance Barbie” and such. Rather than actively opting children out of a world of tracking and marketing, parents increasingly opt them in – almost always without their children’s consent.
Has our confidence that we or our students have “nothing to hide” changed now under President-Elect Trump?
Surveilling students, so we’re told by this sort of ed-tech futurist PR, will help instructors “monitor learning.” It will facilitate feedback. It will improve student health. It will keep students on track for graduation. It will keep schools safe from violence. It will be able to ascertain which student did what during “group work.” It will identify students who are potential political extremists. It will identify students who are suicidal. It will offer researchers a giant trove of data to study. It will “personalize education.” (More on this in the next article in this series.) Tracking biometrics and keystrokes will make education technology more secure. (Spoiler alert: this is simply not true.)
“Big Brother is coming to universities,” The Guardian pronounced in January, although arguably this culture of surveillance has been a part of education for quite some time. But undoubtedly new digital technologies exacerbate this. The monitoring of students is undertaken to identify “problem behaviors” and in turn to provide a revenue source for companies willing to monetize the data they collect about all sorts of student behaviors. “Enabled by Schools, Students Are Under Constant Surveillance by Marketers,” as the National Education Policy Center cautioned in May.
- Smart Girl’s Guide to Online Privacy on Tumblr
- Smart Girl’s Guide to Privacy offers practical solutions for privacy blues
- Surveillance Self-Defense: Tips, Tools and How-tos for Safer Online Communications
- Choosing Secure Passwords – Schneier on Security
- Exploring the Market for Stolen Passwords — Krebs on Security
- Top Ed-Tech Trends of 2016: Education Technology and Data Insecurity