K12 classrooms-and most families-have bad password practices. Passwords for Google Classroom accounts are often derived from usernames. That password is then reused when signing up for other online accounts. This violates three of the most important rules of protecting online privacy and identity. From Krebs on Security:
- Do not use your network username as your password.
- Avoid using the same password at multiple Web sites.
- Never use the password you’ve picked for your email account at any online site: If you do, and an e-commerce site you are registered at gets hacked, there’s a good chance someone will be reading your e-mail soon.
xkcd explains the dangers of password reuse.
“Password reuse is what really kills you,” says Diana Smetters, a software engineer at Google who works on authentication systems. “There is a very efficient economy for exchanging that information.”
According to security experts, today the industry is dealing with a password reuse crisis. In the past few weeks, account breaches have been reported by LinkedIn, Tumblr, VK.com, Fling and MySpace – bringing the total number of compromised accounts to more than 642 million.
“We know that attackers will go for the weakest link and that is any user who reuses their passwords. It’s a major problem,”
Source: No Simple Fix for Password Reuse
At most schools, student identities are protected by weak passwords trivially derived from usernames and reused everywhere. Once someone gets ahold of your email password, they can reset your passwords elsewhere and pwn your life. When you reuse passwords, a data leak on a forgotten site can be escalated into takeover of your email and your identity.
What to do? The Smart Girl’s Guide to Online Privacy by @violetblue is a great primer on privacy and passwords. Chapter 10, “I Hate Passwords”, is eleven pages of good advice on creating and managing passwords–from which I crib below.
TLDR: Use a password manager and never reuse passwords.
If you decide to use a password manager, these great little apps can generate really strong passwords for you whenever you need one. You can also use password generators on trusted websites, such as LastPass or Norton.
Follow these rules and you’ll get better passwords:
- Make strong passwords that are at least 12 to 16 characters long.
- Don’t use pet or family names.
- Don’t use your address, Social Security number, birth date, or other personal information.
- Never recycle or reuse a password— not even once.
- Don’t let Chrome, Firefox, Safari, or any other browser save passwords for you.
- Use password phrases (usually six or more words long) for the best security.
- Include capital letters, numbers, and symbols if the app or site allows it.
But the best passwords are those generated by password managers.
Even better is to use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to create and store them.
Password managers like LastPass and 1Password save all of your passwords safely in a vault and encrypt everything. That way, you have them all in one place, no one can accidentally discover them, and you can make really complicated passwords, because the manager will keep track of them (and remember them) for you. You use one master password to unlock the password manager, and it saves and encrypts your passwords either locally or on its site. Most of these applications also have crazy-awesome password creators that you can and should use to generate super-strong new passwords with one click— and the password app automatically saves them for you.
I use 1Password to generate passwords. You can adjust the password recipe to accommodate any site’s password rules. Here’s the recipe I usually use.
That’s 50 characters of random, which makes for a good password. Most sites will accept 50 characters, but there are still plenty out there that balk at passwords over 8, 10, 15, or 20 characters in length. Banks, unfortunately, are known for their short password limitations (and crufty password advice). I start at 50 and work my way down. “Complexity is nice, but length is key.” Go for long passwords.
Update: The NIST recently announced new password rules that recommend sites allow a maximum length of at least 64 characters. 1Password updated its password generator to support a 64 character maximum.
When choosing a password manager, get one that runs on all of the devices you use. I’ve used 1Password for years. It offers iOS, Android, Windows, and Mac clients. It can sync your passwords between devices via iCloud or Dropbox. If you need to share passwords among family or team members, check out 1Password for Families or 1Password for Teams. My family uses 1Password for Families. In addition to personal vaults for everyone, we have a vault shared amongst the whole family for streaming video and audio accounts. My wife and I have a shared vault for bank, medical, insurance, and other household accounts. Having log in information for all joint accounts in a shared vault improves our family’s bus factor.
How passwords are stolen
There are simpler ways to get your password though. One is shoulder surfing, where someone watches over your shoulder as you enter your password on your computer or phone while you’re logging in on the bus or plane or at a café. Social engineering is another way that you can have your passwords stolen. Basically, social engineering involves attempts to con you into telling someone your passwords. The person conning you might call you and pretend that they’re tech support for Gmail, telling you that you have email stuck somewhere and they need your password to log in and free it up. They might know the names of your friends or colleagues, as well as their phone numbers and email addresses— all of which they can find online via social media sites like LinkedIn, Facebook, Twitter, and people-search sites. Malicious people can also use information they find about you on Facebook and other sites to correctly guess the answers to password-reset questions.
Be realistic about your threat model. State-sponsored surveillance and hacking aren’t in the thread model of most families. Protect yourself from the much more real threat of phishing by using a password manager, unique passwords, and two factor authentication.
Here’s one thing to know: if a teacher, boss, TSA agent, police officer, or anyone else tells you that you have to give them your password, you shouldn’t do it unless you know it’s against the law not to.
If you share an account with friends or family, do it the smart way. Don’t use a password that you use anywhere else. Treat the shared account like any account that can get attacked, but know that its security is weaker than that of an account that you have total control over because it has a shared password. Don’t connect that shared account to any other accounts; otherwise an attacker could use that connection to get into those accounts.
When sharing passwords with family, consider using a password manager that accommodates shared vaults. Though I haven’t used them, there are also tools for sharing streaming video accounts.
Surveillance, privacy, data ethics, and trust
“In the educational domain we see a lot of normalisation of designing computers so that their users can’t override them. For example, school supplied laptops can be designed so that educators can monitor what their users are doing. If a school board loses control of their own security or they have bad employees, there’s nothing students can do. They are completely helpless because their machines are designed to prevent them from doing anything.”
“We have this path of surveillance that starts with prisoners, then mental patients, refugees, students, benefits claimants, blue collar workers and then white collar workers. That’s the migration path for surveillance and students are really low in the curve. People who work in education are very close to the front lines of the legitimisation of surveillance and designing computers to control their users rather than being controlled by users,” Doctorow says.
Surveillance in education can also interfere with the educational process, he says, because “nobody wants to be seen fumbling. When you are still learning, you don’t want to feel like you are being watched and judged.” Doctorow adds that, due to their lack of power, students have limited options to take control of their learning and the digital tools they use.
“I talk to students, often younger students, who say they don’t worry about surveillance because they know how to block it out; they use a proxy or something else. But, first of all, those students can get in a lot of trouble for it. In America, they could actually be committing a crime and they could go to jail for it. It also doesn’t solve the overall problem; it only solves it for them. So I’ve often said to students that rather than breaking the rules, they document the absurdity of the rules and demand that adults account for it.”
“The censorware companies mostly work in the Middle East in repressive regimes who buy it on a mass scale to try to control the flow of information in their countries. Students should contact journalists, the school board and the parents’ association and ask why they are giving money that was meant to be for their education to war criminals who spy on us.”
Handing over data, often quite thoughtlessly, has become par for the course – in education and in society more generally. Although privacy experts have urged parents and educators to be more proactive about protecting children’s data and privacy) – while using Pokémon Go and other data-hungry apps – we now live in a culture of surveillance, where data collection and data extraction have become normalized.
Surveillance starts early. “Quantified babies” and “Surveillance Barbie” and such. Rather than actively opting children out of a world of tracking and marketing, parents increasingly opt them in – almost always without their children’s consent.
Many of us have become quite lackadaisical about the data we share. “It doesn’t matter.” “I have nothing to hide.” Schools, operating under longstanding mandates to track and to measure as much as possible, have been more than willing to expand the amount and types of data they’re collecting on students. Fears of FERPA are frequently stoked to stymy certain projects – perhaps unnecessarily in some cases – but schools have not always been cautious about who has access to student data.
Has our confidence that we or our students have “nothing to hide” changed now under President-Elect Trump?
Surveilling students, so we’re told by this sort of ed-tech futurist PR, will help instructors “monitor learning.” It will facilitate feedback. It will improve student health. It will keep students on track for graduation. It will keep schools safe from violence. It will be able to ascertain which student did what during “group work.” It will identify students who are potential political extremists. It will identify students who are suicidal. It will offer researchers a giant trove of data to study. It will “personalize education.” (More on this in the next article in this series.) Tracking biometrics and keystrokes will make education technology more secure. (Spoiler alert: this is simply not true.)
“Big Brother is coming to universities,” The Guardian pronounced in January, although arguably this culture of surveillance has been a part of education for quite some time. But undoubtedly new digital technologies exacerbate this. The monitoring of students is undertaken to identify “problem behaviors” and in turn to provide a revenue source for companies willing to monetize the data they collect about all sorts of student behaviors. “Enabled by Schools, Students Are Under Constant Surveillance by Marketers,” as the National Education Policy Center cautioned in May.
Under surveillance by marketers. Under surveillance by companies. Under surveillance by schools. Under surveillance by police. Under surveillance by governments. Under surveillance by gadgets. Under surveillance when they use school software. Under surveillance when they use social media. And again, it’s all justified with a narrative about “success” and “safety.”
- Communication is oxygen. Build a district wide collaboration infrastructure and an open by default culture.
- Smart Girl’s Guide to Online Privacy on Tumblr
- Smart Girl’s Guide to Privacy offers practical solutions for privacy blues
- Surveillance Self-Defense: Tips, Tools and How-tos for Safer Online Communications
- Choosing Secure Passwords – Schneier on Security
- Exploring the Market for Stolen Passwords — Krebs on Security
- Top Ed-Tech Trends of 2016: Education Technology and Data Insecurity