2 Password Management
Basics
User credentials, more familiarly known as usernames and passwords, are ubiquitous in our lives. Even our youngest students have user credentials they need to use to access district resources, such as a tablet, laptop, or district-approved software that may include systems that contain student grades and other information that should be kept secure.
Passwords are one factor in protecting individuals, information, and resources connected to your network, but many people still follow outdated password guidance or simply act irresponsibly with them. In schools, you’re likely to find passwords written on desk name tags, on stickers on devices, and hidden under keyboards or in desk drawers. Your district should employ both technological and human-based strategies to help everyone in your district--even those four- and five-year-olds--keep their user credentials safe from everything from pranks by other students to truly malicious attacks.
Terms to Know
You should know the following terms:
- Acceptable Use
- Access Control List (ACL)
- Azure Active Directory self-service password reset
- Credentials
- Brute-force Attack
- Dictionary Attack
- Mnemonic device
- National Institute of Standards and Technology (NIST)
- Passphrase
- Password/Passphrase Complexity
- Password
- Password-manager software
- Personal Identification Number (PIN)
- Privileged access
- Privileged Access Management (PAM) solution
Information
How to Create Strong Passwords/Passphrases
You probably have many different accounts with passwords--maybe dozens of them? You might also have longer passphrases and four-digit PINs (Personal Identification Numbers) you can add to your list. We all have and use passwords, but just how strong are your passwords? How difficult are they for others to figure out? How about cybercriminals with password-cracking software that has no limit of patience for trying an infinite number of combinations?
Cybercriminals rely on software to run through millions of potential password solutions in a very short time. They are not sitting around keying in different combinations; the software performs the attacks for them. Two of the most common forms of attacks on passwords are:
Brute-force Attack: A method hackers use to crack a password by trying all possible combinations. If a hacker were trying to access an account and didn't know the password, they might use a program to try every possible combination of characters. For example, the program might start with "a," then "b," then "c," and continue through combinations like "aa," "ab," "ac," and so on. This is an example of a brute-force attack. The longer and more complex the password, the longer this type of attack takes.
Dictionary Attack: A method hackers use to crack a password by systematically entering every word in a dictionary as a possible password. In a dictionary attack, a hacker would use a program to systematically try every word in a dictionary as a possible password. For instance, it might start with "aardvark" and go to "zymurgy." This type of attack can also include common substitutions, like "0" for "o" or "$" for "s." So, a password like "p@ssw0rd" might be more vulnerable to a dictionary attack than you'd expect.
The best defense against these attacks is a strong offense, meaning you and all of the staff and students in your school(s) or district should follow expert guidance on creating complex passwords that can stand up to attacks. Many people are familiar with the popular, yet outdated, password guidance of using eight characters including a mix of upper and lower-case letters, and at least one special character and one number. However, this guidance is no longer suggested. Luckily, there are guidelines on how to create strong passwords and some tips to help you remember them.
The familiar eight-character rules are outdated because of the software that is now available to crack short passwords. Users also often use weak strategies to incorporate numbers and special characters, like starting with an old password and adding an ! at the end or tacking on a number that they increase by 1 each time they are required to change it. The National Institute of Standards and Technology (NIST) no longer recommends mandatory changing of passwords at a routine interval as it encourages these poor password behaviors that result in weak passwords when people know they have to change them soon (NIST, 2022). Instead, they encourage IT departments to compare passwords to lists of known compromised passwords or blacklisted passwords.
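The screening approach NIST describes, as an added example that is not part of the chapter: a check that enforces length, compares against a list of known-compromised or blocklisted passwords, and undoes the common letter-for-symbol substitutions so that "p@ssw0rd" is still recognized as "password". The blocklist here is a small constructed sample; a real deployment would load a full breached-password list.

```python
import re

# Constructed sample blocklist; a real deployment would load a large
# breached-password list in its place.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "monkey"}

# Substitutions that dictionary attacks already try, so they add no real
# strength (the "p@ssw0rd" case in the dictionary-attack description).
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                               "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"})


def normalize(password: str) -> str:
    """Undo leetspeak substitutions and case so 'P@ssw0rd' compares as 'password'."""
    return password.translate(SUBSTITUTIONS).lower()


def screen_password(password: str, username: str = "",
                    min_length: int = 14, max_length: int = 64) -> list[str]:
    """Return the reasons a proposed password should be rejected (empty list = accepted).

    Follows the NIST-style guidance in the text: enforce length, compare against
    blocklisted/known-compromised values, and reject context-specific values such as
    the username. No composition rules and no forced rotation are applied.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) > max_length:
        problems.append(f"longer than {max_length} characters")
    # Strip trailing digits/punctuation first so 'Password1!' still matches 'password'.
    core = re.sub(r"[^A-Za-z]+$", "", password)
    candidates = {password.lower(), normalize(password), normalize(core)}
    if candidates & BLOCKLIST:
        problems.append("matches a blocklisted or known-compromised password")
    if len(username) >= 3 and username.lower() in normalize(password):
        problems.append("contains the username")
    if password and len(set(password)) <= 2:
        problems.append("uses only one or two distinct characters")
    if re.search(r"(.)\1{3,}", password):
        problems.append("repeats one character four or more times")
    return problems
```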
NIST has released updated guidelines for creating stronger passwords. Everyone in your school district should be following these guidelines--including you! You should model strategies for creating and maintaining strong passwords. The guidelines refer to two major characteristics of passwords that make them stronger: 1) their length, and 2) the complexity of characters in sequence. NIST recommends that account holders use the longest password permissible on any given system. And never use the same password twice!
Longer passwords may be referred to as passphrases. Passphrases should be at least 14 characters long, but as noted above, can be much longer, up to 64 characters in some systems. Passphrases also follow the guidance of a mix of character types, some of which may be limited in different environments.
Password/passphrase complexity refers to the combination of characters (letters, numbers, and special symbols) that make up a password. The more complex a password is, the harder it is for unauthorized individuals or programs to guess or crack it.
Simple Password: A password like "123456" or "password" is simple and easy to guess or crack. It has low complexity because it uses a small range of characters and follows common patterns.
Moderately Complex Password: A password like "M0nkeyB1cycle!" is more complex. It uses a broader range of characters (upper and lower case letters, numbers, and special symbols). It does not follow a typical pattern making it more difficult for unauthorized individuals or programs to guess or crack.
Highly Complex Password: A password like "J4g%6Kl&9#Qz!" is very complex. It uses a wide range of characters in an unpredictable pattern. This pattern makes it difficult to guess or crack, even with sophisticated tools.
Below is a summary of NIST recommendations for creating strong passphrases in terms of things you should and should not do.
You should: | You should not:
One strategy for creating a stronger password is to use a mnemonic device, such as an acronym that aligns to a phrase you can remember. For example, if you can remember the phrase, “I like to skate on Sundays,” you can start with the first letter of each word: IltsoS. That’s a little short, so you can sound out some words with more letters, like “to” could be “2,” and “skate” could become “sk8.” Your new password is Il2sk8oS, which meets the 8-character minimum. If you wanted a special character, you could replace “2” with the special character on that same key, “@.” Your password is now Il@sk8oS.
To generate stronger passphrases with more characters, combine several strategies: begin by stringing several short words together, then replace some of the characters. Four short words can easily equal 16 or more characters. For example, if you look around your room, you may see the following: desk, cup, pencil, mouse. You can combine those with a mix of cases as DeskCupPencilMouse. To remove any dictionary words, you can replace some of the letters with numbers and special characters to end up with De$kCu99enci!Mouzz. That’s an 18-character passphrase that is more secure.
Creating credentials that are easy for young children to use can be difficult. Credentials that use parts of students' names, like first.last@schooldistrict.edu, follow a pattern that is easy for hackers or other students to guess. Using student IDs or parts of them, like the first five or last four numbers, as a password is also easy for other students to hack into, especially since student IDs can often be found throughout the school and online, in places like student name badges, class rosters, and cafeteria logs. Finding a balance between security and what students who are still learning to read can feasibly understand and remember can be tricky. If possible, have students use the same guidelines for creating a stronger password and consider using a password manager.
You’re going to have plenty of passwords and account information to remember both in and out of your job. Check with others in your Department to see if they recommend password-manager software that can help you keep track of them. Password-manager software relies on you using one strong master password to access all of the account information you are responsible for. There are a variety of options, but look for one that can work with multiple devices, like a phone, in case you are in a place where you can’t access a laptop. Most should be able to generate secure, lengthy passphrases incorporating random characters. Your Department may want to standardize on one platform in case you need to share credentials with each other. Some options to review include Bitwarden, LastPass, Keepass, and Roboform.
The Consortium for School Networking (CoSN) provides suggestions for selecting the best password-management tool in their Cybersecurity Toolkit. These include:
- Consider an enterprise solution that allows IT staff to support end users who lose or forget their master password.
- The password manager should be easy to use across multiple devices and should make it easy to update individual credentials.
- The password manager should use strong encryption.
- You may benefit from a password manager that recommends strong passwords to users.
- Because we use so many passwords to access online resources, a password manager that integrates with your approved browsers can be beneficial.
- Confirm that password databases are routinely backed up and can be restored when necessary.
Acting Responsibly
Not all users will have the same level of access to resources on your network. This makes sense. Students should have access to all of the resources they need to learn but should only have access to their own grades and performance records. Likewise, teachers may need access to additional types of resources to support their teaching but shouldn’t need access to financial or HR data. Then there are the people who run the network, who need access to even more information and resources.
Your network will provide unique levels of access to different types of users based on an Access Control List (ACL). Different user types should be set to the minimum set of rights they need to conduct their work on your network.
While all staff, students, and other users of your network and devices have the responsibility to follow acceptable use guidelines, IT staff must take some extra steps when working, especially if a staff member has an Administrator account. Any time you are logged in as an Administrator, you should take extra care of what you do or which websites you visit and should limit your actions only to those necessary for that account. Administrative tasks are often completed on a designated device that is not used for email and has limited Internet access. If you log in as an Administrator on an unprotected device and inadvertently come across malware in an email, it could have disastrous consequences.
Administrator accounts have privileged access to accounts, processes, and systems on your infrastructure, such as installing software, shutting down systems, loading device drivers, configuring networks, and managing accounts. Your district may invest in a Privileged Access Management (PAM) solution not only to secure Administrator accounts but to change account passwords quickly when necessary. This can avoid the time-intensive task of manually updating numerous systems across your infrastructure, which may also introduce the potential for missing one and introducing a vulnerability.
Note that vendors may be asked to install equipment or applications on your infrastructure, such as switches or routers and applications to monitor them. Many new devices also come with weak default administrator passwords. Administrator passwords for all new devices and applications should be changed, as the default passwords may be known by attackers. New devices should also be scanned to ensure their systems and applications are up to date. Follow guidance for creating strong passwords or passphrases, and never reuse them across devices. Multi-factor authentication (MFA) is recommended to fully protect Administrator accounts.
Changing Credentials
If you are required to help users change their credentials, such as resetting a lost or forgotten password, be sure you understand the operational procedures adopted by your district. The password reset process can be a common source of cyberattacks and without following procedures correctly, you may unknowingly provide access to your infrastructure to a cybercriminal.
Some districts and many online resources now use an automated password reset process that can require MFA and allow users to access their account immediately. An administrator may have to set this up for some services, like Microsoft or Google cloud-based services, or it may be configured in the district's directory service, such as Azure Active Directory self-service password reset. If your district does not support this method, you may find yourself involved in the process when reset requests come in.
A critical step in changing credentials is verifying the person making the request. Multi-factor authentication can come in handy here, especially if your district uses smart cards or hardware tokens for MFA. If not, you need to obtain some type of unique information about the person, such as an employee number, which may or may not be all that secure. Common secret questions like your mother’s maiden name and other information that is easy to find out about a person are poor methods of verification. You can call the user using their assigned district phone number, if they have one. In some districts, you may be required to personally visit a person and obtain identification, but this is obviously a time-consuming approach.
Once you have verified the user, you should know the steps required to securely reset an account, if that falls under your scope of work. One approach is to use a temporary password. If your district uses this approach, it can be strengthened by ensuring you use a unique temporary password each time. Reusing the same temporary password opens up your system to attack. The temporary password should be long, at least 14-16 characters and consist of random characters following guidelines for strong passwords.
Users should be notified of password reset requests, and your notifications should never include any of their credentials, such as their username or any past or current password. If you do have to use email to reset a password, hopefully your system can generate a unique password reset link that the user can use on their own. Verifying the user is critical before using this method. Reset links should be single-use only and should expire after a short time.
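The reset rules described above (unique random temporary passwords of 16 characters, and reset links that are single-use and expire after a short time), as an added example that is not part of the chapter or any vendor's product. The in-memory store, the 15-minute lifetime and the user names are assumptions for illustration; a real system would keep the same record shape in its identity database.

```python
import hashlib
import secrets
import string
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link: 15 minutes

# Constructed in-memory store keyed by the token's hash. Only the hash is kept,
# so a copy of this store cannot be replayed as live reset links.
_reset_tokens: dict = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def generate_temporary_password(length: int = 16) -> str:
    """Fresh random temporary password from letters, digits and symbols (never reused)."""
    if length < 14:
        raise ValueError("temporary passwords should be at least 14 characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a single-use, expiring token for a user who has already been verified.

    Returns the raw token to embed in the reset link; the store keeps only its hash.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_tokens[_hash_token(token)] = {
        "username": username,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is known, unexpired and unused; otherwise None.

    The token is marked used on success so the same link cannot be replayed.
    """
    now = time.time() if now is None else now
    record = _reset_tokens.get(_hash_token(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return None
    record["used"] = True
    return record["username"]
```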
Additional Resources
Here are additional resources you may find useful:
- Password FAQs. Check out this handout for questions and answers some of your users might have about passwords and MFA. Feel free to adopt or adapt these FAQs for your own staff and students at your own school(s) or district.
- Choosing and Protecting Passwords, Revised November 18, 2019. Cybersecurity & Infrastructure Security Agency.
- Digital Identity Guidelines: Authentication and Lifecycle Management from the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce
- CIS Password Policy Guide. Center for Internet Security®
- Supplementing Passwords, Released February 23, 2023. Cybersecurity & Infrastructure Security Agency.
The role of password length in password complexity:
- JumpCloud - Password Length Better Than Complexity
- Lepide - Password Complexity vs. Length
- Microsoft - Password Must Meet Complexity Requirements
- Microsoft - Minimum Password Length
Additional Resources:
- 2022 Data Breach Investigations Report. Verizon.
- How to detect and prevent a SIM Swap attack by Doug Bonderud for BizTech Magazine
- Tutorial: Enable users to unlock their account or reset passwords using Azure Active Directory self-service password reset. From Microsoft Learn
- Aligning Your Password Policy enforcement with NIST Guidelines on BleepingComputer by Specops, a self-service password reset service provider.
Task/Self-Assessment
Complete the following task or self-assessment:
Take stock of your own password behaviors:
- Do you reuse passwords?
- Do you create strong passwords for every account you have?
- Do you have strong passphrases that are unique to every device and service you use?
Take time to clean up your own passwords and follow some of the guidance offered here.
Learn about your district's password management practices:
- Does your department recommend password-management software? If so, do you know how to use it correctly? If not, explore password-management software, whether presented here or suggested by a trusted colleague. Investigate the pros and cons and make a case to your supervisors on whether it should be adopted and, if so, which software you recommend.
- Know the standard operating procedures you must follow for keeping user credentials secure and, if necessary, changing them. Know the steps you must take to verify a user and how you can securely share their information before changing any aspect of their credentials.
Consider writing a step-by-step guide on how you would assist a user in creating a complex password. You can save it on your department’s website, make it available as a FAQ, or put it in your Knowledge Base. Your guide should include the following topics:
- The importance of password complexity and its role in protecting user data;
- The recommended length of a secure password;
- The types of characters that should be included in a password;
- The use of passphrases as an alternative to random character passwords; and
- Any other best practices for password creation and management.