May is Authentication Month!
Let’s take a look at several high-level topics on password policy for your School District. We will cover why password policy is one of the foundational pieces for your overall security posture, and the hurdles that come with student passwords and possible solutions. You can expect to learn broad, non-vendor specific ways of implementing a good password policy for directory and cloud services such as Active Directory and Google Workspace for Education, as well as best practices for passwords to help you get started.
An Important First Line of Defense
Why should password policies be a security focus for your district? According to the 2020 Data Breach Investigations Report, 81% of hacking-related breaches were caused by compromised passwords. It may not be within the scope of your password policy to maintain and control every password your users need for all the tools and services the district utilizes, but you can mitigate much of this risk by implementing a strong password policy for the tools and services you do manage. With the spread of cloud services and the introduction of SSO into schools, strong passwords matter even more, because so much district information is now stored outside the district’s network. Additionally, third-party security is a large K-12 problem that deserves its own article, given current nationwide trends in cybersecurity threats.
In information security, there is a security model called the CIA Triad. CIA stands for Confidentiality, Integrity, and Availability. The model helps describe how a technical control may touch one or more of these three properties. While there are other extremely important factors in security, the CIA Triad is foundational to information security. Password policy is one of the key parts of information security that applies to every part of this model. Passwords need to be kept secret (confidentiality). They need to stay the way they were set, and must not be allowed to change outside of the policy (integrity). Finally, the authentication process needs to be available so that your users can authenticate when they need to (availability). A password policy needs to follow these rules so that your district is guided to create, maintain, and manage secure passwords that prevent unauthorized access to your systems and information.
Tips for Student Specific Passwords
Now, let us take a moment to look at student passwords. Student passwords are a security problem unique to K-12 education. In this environment, you need a solution that is easy for the lower grade levels to remember, but also secure enough that nobody can figure out the password of any student. One trend in practice is to use a password based on the student’s birthday and initials. We recommend that K-2nd grade students have a password that is unique to them but follows a pattern such as initials + student ID. Students in 3rd grade and above should be able to fall within your password policy and create passwords that fit your district’s password strength rules. Just as is expected of district staff, these passwords should never be shared with anyone in the district or managed by the district. This is the student’s own password. There is no reason for anyone else to know it, to have it written down anywhere, or to be able to view it. As with any user-created password, students’ passwords should not be kept in a spreadsheet or stored in a location staff can access; students may reuse these passwords for sites and services outside the district’s scope. The district should, however, have the ability to reset any password that a student has forgotten.
Create a Customized District Policy
For the actual policy, we recommend starting simple and continually developing your policy’s maturity through the next few years. To get started, a basic policy only needs to contain a couple of parts:
- Password Creation
- Password Protection
Use this Password Policy template developed by Forward Edge when customizing any policy to the needs of your district. Make sure you understand the different levels of acceptable risk implied by the security decisions you outline. Understanding those acceptable risks goes a long way; for example, consider the difference between a 3-minute re-authentication policy and a 60-minute re-authentication policy. Be sure you understand what is acceptable for your district and what is not.
Implementation, Enforcement and Training for All
Now that you have written your policy, let’s put it into practice. Depending on your environment, this can be done in a number of ways. We recommend waiting for a school break, such as spring or summer break. The password requirements should be set to the same standard across all available systems and tools, and the district should coordinate the rollout of the new policy to those tools at the same time.
With implementation comes awareness and training. There should be clear communication to all users (including students) as to what is expected of them. There should also be material distributed to cover your district’s best practices.
Best Practices to Minimize Breaches
What do we recommend for good, strong passwords and authentication? In general, we believe NIST Special Publication 800-63B maintains the overall best practice for passwords (called memorized secrets in the publication), but we will touch on only the more basic points here. We encourage you to read the publication itself, because it covers encryption and salting along with more technical items that provide best practices for a wide range of authentication techniques.
- Passwords should err on the side of length rather than complexity. As the publication states, research has shown that password, Password, and P@ssw0rd can all be cracked in approximately the same amount of time, while longer passwords take much longer to crack. We recommend a minimum of 10 characters for passwords.
- Periodic Password Resets
  - It has been standard practice in the past to require users to reset their passwords on a schedule, such as every 3 months. Research has shown (as reflected in the NIST publication) that this leads to bad practices such as users writing passwords down, and it increases the number of password resets your IT staff have to handle. We recommend eliminating this by turning the periodic password reset option off on your systems, or at least keeping required resets down to one per year. Required password resets mitigate little compared to the bad practices they can open up.
- Password Attempts
  - We recommend limiting the number of failed password attempts on every system that supports it. We understand this could increase the tickets you see in your district, but it can be mitigated by allowing users to choose to see the password as they type (when they are alone) to help prevent typos.
- Multi-Factor Authentication
  - MFA is always the best practice and should be implemented in every location possible. We have seen this cause some trouble for our customers and their staff, but there are several ways to implement MFA so that it can still be used on any device; personal devices used for school work are one example. At the very least, we recommend encouraging your staff to use personally managed MFA solutions outside the district’s control. Microsoft states that MFA can block over 99.9% of account compromise attacks!
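The following Python module is an added example, not code from the original post or from Forward Edge. It models the verifier-side rules the list above describes in a vendor-neutral way: a minimum length of 10 with no composition rules, a blocklist of known-bad passwords in place of forced periodic rotation, and a sliding-window limit on failed sign-in attempts. The blocklist contents, the user names, the lockout threshold and window, and the timestamps are all constructed for the example and are not district data or NIST-mandated values.

```python
# Added example (not from the original post): vendor-neutral password policy
# and failed-attempt limiting, following the guidance summarized above.
# Thresholds, blocklist entries, user names and timestamps are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_LENGTH = 10                    # the post's recommended minimum length
MAX_LENGTH = 64                    # allow long passphrases rather than capping them
LOCKOUT_THRESHOLD = 10             # assumed: failed attempts tolerated per window
LOCKOUT_WINDOW_SECONDS = 15 * 60   # assumed: sliding observation window
PASSWORD_MAX_AGE_DAYS = None       # no forced periodic reset, as the post recommends

# Constructed sample blocklist. A real deployment would load a breached-password
# corpus plus district-specific words (school names, mascots, "welcome").
BLOCKLIST = {"password", "p@ssw0rd", "password123", "welcome1", "gobulldogs1"}


def check_password(candidate: str, username: str = "") -> Optional[str]:
    """Return None when the candidate is acceptable, otherwise a reason string.

    Deliberately absent: uppercase/digit/symbol composition rules. They push
    users toward predictable substitutions such as P@ssw0rd without adding
    real strength; length plus a blocklist does more.
    """
    if len(candidate) < MIN_LENGTH:
        return f"too short: need at least {MIN_LENGTH} characters"
    if len(candidate) > MAX_LENGTH:
        return f"too long: maximum is {MAX_LENGTH} characters"
    lowered = candidate.lower()
    if lowered in BLOCKLIST:
        return "matches a known-compromised or disallowed password"
    if username and username.lower() in lowered:
        return "must not contain the user name"
    return None


def reset_required(password_age_days: int) -> bool:
    """Periodic rotation is off unless a maximum age has been configured."""
    return PASSWORD_MAX_AGE_DAYS is not None and password_age_days >= PASSWORD_MAX_AGE_DAYS


@dataclass
class AttemptLimiter:
    """Tracks failed sign-ins per account inside a sliding window; an account
    is locked while `threshold` or more failures fall inside the window."""
    threshold: int = LOCKOUT_THRESHOLD
    window: int = LOCKOUT_WINDOW_SECONDS
    _failures: Dict[str, List[float]] = field(default_factory=dict)

    def _recent(self, user: str, now: float) -> List[float]:
        return [t for t in self._failures.get(user, []) if now - t < self.window]

    def is_locked(self, user: str, now: float) -> bool:
        return len(self._recent(user, now)) >= self.threshold

    def record_failure(self, user: str, now: float) -> None:
        self._failures[user] = self._recent(user, now) + [now]

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def attempt_login(limiter: AttemptLimiter, user: str, password_ok: bool, now: float) -> str:
    """Return "ok", "denied" or "locked". A correct password is still refused
    while the account is locked; the user waits out the window or opens a
    help-desk ticket, which is the support cost the post mentions."""
    if limiter.is_locked(user, now):
        return "locked"
    if password_ok:
        limiter.record_success(user)
        return "ok"
    limiter.record_failure(user, now)
    return "locked" if limiter.is_locked(user, now) else "denied"


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Password123", "purple giraffe recess 7"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    limiter = AttemptLimiter(threshold=3, window=60)   # small values for the demo
    for t in (0.0, 10.0, 20.0):
        print(f"t={t:>4}: {attempt_login(limiter, 'jdoe', False, t)}")
    print(f"t=30.0: {attempt_login(limiter, 'jdoe', True, 30.0)}  (correct password, still locked)")
    print(f"t=90.0: {attempt_login(limiter, 'jdoe', True, 90.0)}  (window expired)")
```

The sliding window is a simplification of what directory services expose as a lockout threshold, observation window and lockout duration; the point to carry over is that the policy enforces length and a blocklist rather than character classes, and throttles attempts rather than rotating passwords on a calendar.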
Use these policy suggestions and information to make your district more secure. Keep in mind that there is a lot more to password security than what has been covered here; we wanted to keep this brief and digestible. There are encryption and hashing choices to consider. Additionally, there are secure ways of transmitting the authentication exchange from users to servers, the secure storage of passwords, best practices for allowing users to have password ‘hints’, allowing users to paste in passwords, and so on. Our goal is to give school districts a K-12 specific password policy guideline, so that they can start to develop better practices and implement them quickly. If there’s one thing you take away from this, it should be the importance of securing as much as you can, as quickly as you can, and then providing the resources to mature that control over time.