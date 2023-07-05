School Decides To Harden Security By Giving EVERYONE The Same Password
from the eyes-on-your-own-papers,-please dept
Cyber security. It’s complicated.
Protecting against threats means determining what your threat level is. Demanding everyone utilize a 53-character password with uppercase letters, numbers, and “special symbols” generally just makes people more irritated, rather than more secure.
Obviously, things must be secured. And passwords shouldn’t be so simple that anyone with an off-the-shelf HP desktop can hack them.
But people in charge of security need to weigh perceived threats against security responses. What they absolutely shouldn’t do is hammer the RESET button without considering the consequences of their actions.
When we first enter school, we’re constantly told to “be on our best behavior.” Apparently, that same warning doesn’t apply to educators. An Illinois school did one of the right things: it asked for an audit of its security. Its response, however, indicated no one at the school security level was on their best behavior. Here’s Lorenzo Franceschi-Biccierai with the details for TechCrunch:
Last week, Oak Park and River Forest (OPRF) High School in Illinois told parents that during a cybersecurity audit, “due to an unexpected vendor error, the system reset every student’s password, preventing students from being able to log in to their Google account.”
“To fix this, we have reset your child’s password to Ch@ngeme! so that they can once again access their Google account. This password change will take place beginning at 4 p.m. today,” the school, which has around 3,000 students, wrote in an email dated June 22. “We strongly suggest that your child update this password to their own unique password as soon as possible.”
Yikes. I realize a blanket reset is far easier than simply revoking passwords to force end users to create a new one, but this is all sorts of wrong. Even if the school didn’t have a Plan B for this occurrence, it could not have done worse than informing everyone that everyone has the same password until each individual made the effort to change it.
And this was handled during the school off-season, which means the email was likely ignored or back-burnered by many recipients. But those who did read it — and any malcontents who might have realized what this reset meant — now had all the information they needed to access any account run by this school.
Fortunately, this doesn’t appear to have attracted the attention of malicious individuals. And the school has performed another reset that is far less stupid. The new reset involves sending every user their own “special password” via email, which should limit the collateral damage.
But before the damage was mitigated, not only could people access other people’s stuff, but they also had no functioning option to prevent others from accessing their stuff.
Manning Peterson, the mother of an OPRF student, replied that “this is terribly insecure and you have just invited every single students [sic] accounts to get hacked.”
Peterson said that after this email, she tried to reset her son’s password but it wasn’t possible.
“My son and I were able to log into several of his peers [sic] google accounts, which gave access to all emails, papers, class work—anything saved on google drive (docs sheets and slides),” Peterson said in an email to TechCrunch.
Manning Peterson isn’t being paid to ensure the school’s systems are secure. But that’s the service she ended up performing. Offloading the security responsibility on end users isn’t a great way to handle perceived security flaws. Giving every end user the power to see every other user’s information is a horrendous way to respond to a security audit.
Things may be (at least temporarily) under control at Oak Park and River Forest. But this catastrophe isn’t going to ensure any student, staff member, or parent that further fuck ups aren’t inevitable.
Filed Under: cybersecurity, illinois, oak park and river forest high school, passwords
Comments on “School Decides To Harden Security By Giving EVERYONE The Same Password”
FERPA
This is almost certainly a major violation of the Family Educational Rights and Privacy Act. I teach and cannot even tell Billy if Sally came to class, much less show them Billy’s work.
In a sane world[1]…. this would not happen. In a only slightly less sane world, this would immediately result in people being… no longer employed. Possibly several people.
This is the security laps is some what like (give me a moment to think of a terrible yet somewhat appropriate analogy) … like setting up a booth in front of a grade school that reads “Free loaded gun!”, and then handing them out to anyone who approach. Yes you have (somewhat) limited your audience to those likely to be found near a school… but that really has no bearing how how terribly dangerous and irresponsible it is.
Also wtf? how did they even do that? Does Google actually provide tooling (since they said gmail accounts I assume it’s google’s software, but I am not familiar enough with related offerings to know) to reset large batches of accounts to the same password?? If so, shame on Google. If not, how the hell did it happen? Anyhow with the technical know how to implement this should have the technical expertise to know this is a bat shit terrible idea.
[1] Why yes, I am aware I am not talking about this world.
High school: “Unfortunately that password is: 12345678910111213141516171819202122232425. We do apologize for any future inconvenience.
Re:
Naw, “for security reasons” they’d make it the first 25 primes.
Re: Re:
Not even close. The new “security approved” password is the final 25 digits of Pi.
Our administration all will be going on a cruise to celebrate the password rollout.
While we are out of town, please do not use the key under our front mat to enter our homes and rob us.
Security by Stupid.
Hell, why bother with a password at all?
Re:
That’s actually an excellent question. Why should schoolkids have to deal with passwords? Smartcards cost like a dollar each in bulk, and could easily be ordered as part of a student photo-ID card. It’d be more secure, and easier for the kids to deal with.
Re: Re:
And can they use those smart cards on their phones, tablets and home computers, so that they can submit their homework?
Re: Re: Re:
It seems like something that ought to be possible by now, but it’s taking excessively long to become mainstream (despite high-profile projects such as the USA’s Common Access Card). Most recent phones should be able to talk to NFC smartcards, in theory, and for kids without such devices, something else would have to be done. And doing the administration and tech support for that might be a pain in the ass, which I guess is how we ended up with passwords. Maybe one of those dongles that shows a 6-digit code would be easier.
But, as someone who went to school long ago, this focus on security seems a little weird. Our homework was “authenticated” simply by us printing or typing our name on it. I guess we could’ve written someone else’s name, but I’m not sure we even thought of it, and what would’ve been gained? What’s the intended benefit of all this technology anyway? Is it just so students don’t have to buy printers or paper? Why do high school students need to deal with school-related e-mails?
The high school that my boys attended used one password for everyone with a surname of A-M and a different one for everyone with a surname of N-Z. All of the students knew this.
Thankfully they graduated in 2021 and no longer have to deal with this. The school also had a security breach (shocking, I know) last spring.
Sounds like the foreseeable and inevitable result of being cheap with important things. School IT is never good. It ranges from mediocre to awful. Our society and culture have spent the last half century fighting, kicking and screaming, against paying the costs necessary to maintain civilization.
And the child logs into their (compromised) e-mail account to get the new password… how?
Also, are there terms of service to be agreed to here, and what happens if the parents haven’t taken enough law-school classes to understand them?
Note to Manning Peterson: get a lawyer, since you admitted accessing others’ accounts. Also, get on TD and read up on the history of businesses and governments coming for those who demonstrate their security failures.
I’m trying to figure out if this is more or less stupid than the local elementary school that set the students’ passwords to their usernames. And didn’t let them change it until they were out of elementary…