Nov 29 2021

Protect Your Network Against Bad Password Habits

How K–12 IT directors can counteract poor security decisions made by educators and students.

Cybersecurity solutions have long tried to account for human error. Districts may invest time and money into training staff and students on best practices for keeping their networks secure, including everything from recognizing phishing attempts to password hygiene. But new data shows that these efforts may be ignored.

Research conducted by security company My1Login found that more than half of employees admit to not using a strong password, despite 97 percent understanding what a good password should include. The education sector had the highest number of respondents with poor password hygiene: 91 percent said they reused passwords, and 75 percent used personal passwords for business applications.


Security breaches resulting from poor password hygiene can be devastating for a business, but in a K–12 setting breaches can have other negative implications, says Joel Snyder, a senior IT consultant with Opus One.

“In a school setting, you’re not just worried about some hacker on the internet, you’re worried about students creating mischief, and not understanding what they’re doing,” says Snyder. “It’s a difficult environment, where misauthentication or misauthorization can have a lot of repercussions, not just for whomever is being impersonated, but also for the student who might be impersonating them.”

Here’s what IT leaders in K–12 schools can do to counteract poor password decisions and help keep their networks secure.

Multifactor Authentication Is a Must

Multifactor authentication, a security technology that requires multiple methods of verifying a user’s identity, is a requirement for K–12 networks, says Snyder.

“MFA needs to be your go-to technology because it cuts your risk so tremendously. It takes an enormous window of opportunity and makes it much, much smaller,” he says. “That’s why it’s worth spending money on, and it’s worth getting outside help with. It’s worth doing whatever it takes to get MFA.”


The percentage of employees surveyed who admitted to not using a strong password

Source: My1Login, “Why do leaders need to take the responsibility of corporate passwords away from employees?” Aug. 12, 2021

Most MFA systems don’t create a heavy burden for students or administrators, Snyder says, because they allow for browser cookie storage. This means that once someone authenticates in that browser, the information is stored for 30 days, and the user won’t be asked to re-authenticate every time they log in using their laptop, tablet or phone.

Even with MFA, Good Password Policies Are Still Important

But having MFA doesn’t mean that password hygiene is no longer important.

“You still have to impose a complexity or length requirement, and you need to remind people that they should not use that password anywhere else,” Snyder says.

Additionally, IT teams should avoid searching the web for best practices in password complexity, because a lot of information is no longer current. “The problem with Google is that it never forgets anything,” Snyder says. “So, you put up a blog entry in 2004, and Google finds it and elevates it. But the security community has moved on in how we think about passwords, in terms of complexity and how often they should be changed.”


You also want to make sure that the password policies you put in place are appropriate for your community. “You have to put yourself in the mindset of your customers when it comes to defining password rules, and you have to set these at an appropriate level for the audience that you’re working with,” says Snyder.

For schools, that means password rules need to take into account that many students are using phones or tablets, rather than laptops. Schools should also consider how they will convey password rules and other cybersecurity best practices to younger students.

Using MFA and taking steps to ensure password policies are up to date and appropriate for school settings can help K–12 IT administrators minimize the risk of security breaches.

Ugur Karakoc/Getty Images
