School Decides To Harden Security By Giving EVERYONE The Same Password

from the eyes-on-your-own-papers,-please dept

Cyber security. It’s complicated.

Protecting against threats means determining what your threat level is. Demanding everyone utilize a 53-character password with uppercase letters, numbers, and “special symbols” generally just makes people more irritated, rather than more secure.

Obviously, things must be secured. And passwords shouldn’t be so simple that anyone with an off-the-shelf HP desktop can hack them.

But people in charge of security need to weigh perceived threats against security responses. What they absolutely shouldn’t do is hammer the RESET button without considering the consequences of their actions.

When we first enter school, we’re constantly told to “be on our best behavior.” Apparently, that same warning doesn’t apply to educators. An Illinois school did one of the right things: it asked for an audit of its security. Its response, however, indicated no one at the school security level was on their best behavior. Here’s Lorenzo Franceschi-Bicchierai with the details for TechCrunch:

Last week, Oak Park and River Forest (OPRF) High School in Illinois told parents that during a cybersecurity audit, “due to an unexpected vendor error, the system reset every student’s password, preventing students from being able to log in to their Google account.”

“To fix this, we have reset your child’s password to Ch@ngeme! so that they can once again access their Google account. This password change will take place beginning at 4 p.m. today,” the school, which has around 3,000 students, wrote in an email dated June 22. “We strongly suggest that your child update this password to their own unique password as soon as possible.”

Yikes. I realize a blanket reset is far easier than simply revoking passwords to force end users to create a new one, but this is all sorts of wrong. Even if the school didn’t have a Plan B for this occurrence, it could not have done worse than informing everyone that everyone has the same password until each individual made the effort to change it.

And this was handled during the school off-season, which means the email was likely ignored or back-burnered by many recipients. But those who did read it — and any malcontents who might have realized what this reset meant — now had all the information they needed to access any account run by this school.

Fortunately, this doesn’t appear to have attracted the attention of malicious individuals. And the school has performed another reset that is far less stupid. The new reset involves sending every user their own “special password” via email, which should limit the collateral damage.

But before the damage was mitigated, not only could people access other people’s stuff, but they also had no functioning option to prevent others from accessing their stuff.

Manning Peterson, the mother of an OPRF student, replied that “this is terribly insecure and you have just invited every single students [sic] accounts to get hacked.”

Peterson said that after this email, she tried to reset her son’s password but it wasn’t possible.

“My son and I were able to log into several of his peers [sic] google accounts, which gave access to all emails, papers, class work—anything saved on google drive (docs sheets and slides),” Peterson said in an email to TechCrunch.

Manning Peterson isn’t being paid to ensure the school’s systems are secure. But that’s the service she ended up performing. Offloading the security responsibility on end users isn’t a great way to handle perceived security flaws. Giving every end user the power to see every other user’s information is a horrendous way to respond to a security audit.

Things may be (at least temporarily) under control at Oak Park and River Forest. But this catastrophe isn’t going to assure any student, staff member, or parent that further fuck-ups aren’t inevitable.


Comments on “School Decides To Harden Security By Giving EVERYONE The Same Password”

25 Comments
Anonymous Coward says:

In a sane world[1]… this would not happen. In an only slightly less sane world, this would immediately result in people being… no longer employed. Possibly several people.

This security laps is somewhat like (give me a moment to think of a terrible yet somewhat appropriate analogy) … like setting up a booth in front of a grade school that reads “Free loaded gun!”, and then handing them out to anyone who approaches. Yes, you have (somewhat) limited your audience to those likely to be found near a school… but that really has no bearing on how terribly dangerous and irresponsible it is.

Also, wtf? How did they even do that? Does Google actually provide tooling (since they said Gmail accounts I assume it’s Google’s software, but I am not familiar enough with related offerings to know) to reset large batches of accounts to the same password?? If so, shame on Google. If not, how the hell did it happen? Anyone with the technical know-how to implement this should have the technical expertise to know this is a batshit terrible idea.

[1] Why yes, I am aware I am not talking about this world.

PaulT (profile) says:

Re:

“security laps”

I assume you mean lapse, but that’s just me being picky.

“Anyone with the technical know-how to implement this should have the technical expertise to know this is a batshit terrible idea.”

Two things – first, Google will provide tools, but they can’t really manage every use of them. If you’re an admin then you should be competent enough without the tool trying to second-guess you. If not, I don’t think they’re to blame any more than Microsoft is responsible for someone who decides to remove system32 just because they have admin rights.

As for the other point – this is often the problem in schools and other bureaucratic settings. The admin might be a student or someone earning minimal wages, and if someone above their pay grade makes a stupid demand, they might not be able to argue.

I’m not sure what happened here, but I’ve worked in places where some idiot did a site-wide change that wasn’t good policy, and I’ve worked in places where the CEO or other management demanded stupidity and wouldn’t take no for an answer.

Anonymous Coward says:

Re:

Hell, why bother with a password at all?

That’s actually an excellent question. Why should schoolkids have to deal with passwords? Smartcards cost like a dollar each in bulk, and could easily be ordered as part of a student photo-ID card. It’d be more secure, and easier for the kids to deal with.

Anonymous Coward says:

Re: Re: Re:

And can they use those smart cards on their phones, tablets and home computers, so that they can submit their homework?

It seems like something that ought to be possible by now, but it’s taking excessively long to become mainstream (despite high-profile projects such as the USA’s Common Access Card). Most recent phones should be able to talk to NFC smartcards, in theory, and for kids without such devices, something else would have to be done. And doing the administration and tech support for that might be a pain in the ass, which I guess is how we ended up with passwords. Maybe one of those dongles that shows a 6-digit code would be easier.

But, as someone who went to school long ago, this focus on security seems a little weird. Our homework was “authenticated” simply by us printing or typing our name on it. I guess we could’ve written someone else’s name, but I’m not sure we even thought of it, and what would’ve been gained? What’s the intended benefit of all this technology anyway? Is it just so students don’t have to buy printers or paper? Why do high school students need to deal with school-related e-mails?

Anonymous Coward says:

Re: Re: Re:3

Cards alone are not very secure due to the fact that they can be used by somebody other than the person they are issued to.

Sure, though the password or PIN doesn’t have to be very good if it’s only usable with the card. Which brings us back to the question: what’s the threat model here? Tim wrote the squirrelly statement “Obviously, things must be secured”, which neatly avoids expressing any opinion on whether a student account is one of those things.

When I was in high school, we’d keep our files on floppy disks. And students would sometimes get into other students’ or teachers’ accounts by watching them type passwords, or guessing, but nobody much cared: there was nothing important or particularly private stored on the accounts. Maybe this school would’ve been better off having their students keep stuff on USB drives instead of on various Google services.

Anonymous Coward says:

Re: Re: Re:4

You have missed the main reason for using Google services, and that is remote schooling, which became normal for some reason for a couple of years, and submission of homework. The idea of printing it out and handing it in died quite some time ago, and using thumb drives for that purpose is a bit problematic to manage, especially the returning of them to students.

Anonymous Coward says:

Re: Re: Re:5

You have missed the main reason for using Google services, and that is remote schooling

I didn’t miss it; I thought schools were mostly done with it. As for returning USB drives, I’m imagining the students would plug it in themselves at the computer lab, and submit it via a web form or something. (Yeah, they could submit under a false name, or maybe hand in a friend’s assignment or upload a gross image, but such things happened with paper too.)

The idea of printing it out and handing it in died quite some time ago

But that was kind of my point: did it die (as opposed to taking a temporary hiatus for COVID) for a good reason, or just because it was seen as outdated? In my day, I was kind of the weird one for using typewriters and computers, whereas most kids were hand-writing the assignments. I hear some schools are trying to bring that back.

Schools have been bumbling around with computers for decades (Apple II, Unisys ICON, OLPC, etc.). Apart from programming classes and remote learning, most of this seems like a solution searching for a problem. The lunchtime deathmatches were fun, anyway (and, strangely, educational for at least one student who went from level design to CAD and 3D modelling).

Anonymous Coward says:

The new reset involves sending every user their own “special password” via email

And the child logs into their (compromised) e-mail account to get the new password… how?

Also, are there terms of service to be agreed to here, and what happens if the parents haven’t taken enough law-school classes to understand them?

Anonymous Coward says:

Does that include admin accounts?

When I was in high school, they did something similar, and reset all of the accounts to the same password, with the userid being the student ID number. So you could just type in random numbers of that length and see if you could log in with the common password.

One of the people in my class tried that for a while until they realized that the latest account they’d pulled up was an admin account, and they now had access to do all sorts of neat stuff.

I wonder if the same thing could have happened here.

