Security breaches resulting from poor password hygiene can be devastating for a business, but in a K–12 setting breaches can have other negative implications, says Joel Snyder, a senior IT consultant with Opus One.
“In a school setting, you’re not just worried about some hacker on the internet, you’re worried about students creating mischief, and not understanding what they’re doing,” says Snyder. “It’s a difficult environment, where misauthentication or misauthorization can have a lot of repercussions, not just for whoever is being impersonated, but also for the student who might be impersonating them.”
Here’s what IT leaders in K–12 schools can do to counteract poor password decisions and help keep their networks secure.
Multifactor Authentication Is a Must
Multifactor authentication, a security technology that requires multiple methods of verifying a user’s identity, is a requirement for K–12 networks, says Snyder.
“MFA needs to be your go-to technology because it cuts your risk so tremendously. It takes an enormous window of opportunity and makes it much, much smaller,” he says. “That’s why it’s worth spending money on, and it’s worth getting outside help with. It’s worth doing whatever it takes to get MFA.”
The percentage of employees surveyed who admitted to not using a strong password
Source: My1Login, “Why do leaders need to take the responsibility of corporate passwords away from employees?” Aug. 12, 2021
Most MFA systems don’t create a heavy burden for students or administrators, Snyder says, because they allow for browser cookie storage. This means that once someone authenticates in that browser, the information is stored for 30 days, and the user won’t be asked to re-authenticate every time they log in using their laptop, tablet or phone.
Even with MFA, Good Password Policies Are Still Important
But having MFA doesn’t mean that password hygiene is no longer important.
“You still have to impose a complexity or length requirement, and you need to remind people that they should not use that password anywhere else,” Snyder says.
Additionally, IT teams should avoid searching the web for best practices in password complexity, because a lot of information is no longer current. “The problem with Google is that it never forgets anything,” Snyder says. “So, you put up a blog entry in 2004, and Google finds it and elevates it. But the security community has moved on in how we think about passwords, in terms of complexity and how often they should be changed.”
You also want to make sure that the password policies you put in place are appropriate for your community. “You have to put yourself in the mindset of your customers when it comes to defining password rules, and you have to set these at an appropriate level for the audience that you’re working with,” says Snyder.
For schools, that means password rules need to take into account that many students are using phones or tablets, rather than laptops. Schools should also consider how they will convey password rules and other cybersecurity best practices to younger students.
Using MFA and taking steps to ensure password policies are up to date and appropriate for school settings can help K–12 IT administrators minimize the risk of security breaches.