K12 classrooms – and most families – have bad password practices. Passwords for Google Classroom accounts are often derived from usernames. That password is then reused when signing up for other online accounts. This violates three of the most important rules of protecting online privacy and identity. From Krebs on Security:
- Do not use your network username as your password.
- Avoid using the same password at multiple Web sites.
- Never use the password you’ve picked for your email account at any online site: If you do, and an e-commerce site you are registered at gets hacked, there’s a good chance someone will be reading your e-mail soon.
xkcd explains the dangers of password reuse.
“Password reuse is what really kills you,” says Diana Smetters, a software engineer at Google who works on authentication systems. “There is a very efficient economy for exchanging that information.”
Source: Kill the Password: A String of Characters Won’t Protect You | WIRED
According to security experts, today the industry is dealing with a password reuse crisis. In the past few weeks, account breaches have been reported by LinkedIn, Tumblr, VK.com, Fling and MySpace – bringing the total number of compromised accounts to more than 642 million.
“We know that attackers will go for the weakest link and that is any user who reuses their passwords. It’s a major problem,”
Source: No Simple Fix for Password Reuse
At most schools, student identities are protected by weak passwords trivially derived from usernames and reused everywhere. Once someone gets hold of your email password, they can run the "forgot password" flow on every other site, reset those passwords through your inbox, and pwn your life. When you reuse passwords, a data leak on a forgotten site can be escalated into takeover of your email and your identity: attackers replay the leaked username and password pairs against other sites (credential stuffing), and the email account is the prize because every reset link lands there.
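Here is an added example, my own illustration rather than code from the post or from any of the quoted sources, that checks a list of saved logins against the three Krebs rules above: a password derived from the username, the same password on several sites, and the email account's password showing up anywhere else. The entries are constructed sample data; a real run would read a password-manager export (and delete the export afterwards). The function names are mine.

```python
"""Audit saved logins against the three rules quoted above:
username-derived passwords, reuse across sites, and reuse of the
email account's password. Added example; constructed sample data."""
import re
from collections import defaultdict

# Constructed sample export: (site, username, password). Not real accounts.
SAMPLE_ENTRIES = [
    ("classroom.google.com", "jsmith2024", "jsmith2024!"),          # rule 1
    ("mail.example.com", "jsmith2024@example.com", "Summer2016"),   # email account
    ("shop.example.org", "jsmith2024", "Summer2016"),               # rules 2 and 3
    ("forum.example.net", "jsmith", "htims.j"),                     # rule 1 (reversed)
    ("bank.example.com", "jsmith2024", "q7#Lp2v!Zr9mWx"),           # fine
]


def normalize(s):
    """Lower-case and drop non-alphanumerics so 'J.Smith_2024' == 'jsmith2024'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def derived_from_username(username, password):
    """True if the password is a trivial transform of the username: equal to it,
    contains it, contains it reversed, or is a substring of it. For an
    email-style username only the local part is used. Strings shorter than
    four characters are ignored to avoid false positives on tiny overlaps."""
    u = normalize(username.split("@")[0])
    p = normalize(password)
    if len(u) < 4 or len(p) < 4:
        return False
    return u in p or u[::-1] in p or p in u


def audit(entries, email_site):
    """Return {site: set of problem codes} for every entry that breaks a rule.
    entries: iterable of (site, username, password); email_site: the site
    whose password must not appear anywhere else (rule 3)."""
    problems = defaultdict(set)
    sites_by_password = defaultdict(list)

    for site, username, password in entries:
        sites_by_password[password].append(site)
        if derived_from_username(username, password):      # rule 1
            problems[site].add("username-derived")

    for sites in sites_by_password.values():               # rule 2
        if len(sites) > 1:
            for site in sites:
                problems[site].add("reused")

    email_password = next((pw for site, _, pw in entries if site == email_site), None)
    if email_password is not None:                         # rule 3
        for site, _, password in entries:
            if site != email_site and password == email_password:
                problems[site].add("email-password-reused")

    return dict(problems)


if __name__ == "__main__":
    for site, codes in sorted(audit(SAMPLE_ENTRIES, "mail.example.com").items()):
        print(f"{site}: {', '.join(sorted(codes))}")
```

On the sample data the Google Classroom and forum logins are flagged as username-derived (the forum one is just the username spelled backwards), and the shop login is flagged twice: its password is reused, and the password it reuses is the one protecting the mailbox.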
What to do? The Smart Girl’s Guide to Online Privacy by @violetblue is a great primer on privacy and passwords. Chapter 10, “I Hate Passwords”, is eleven pages of good advice on creating and managing passwords, from which I crib below.
TLDR: Use a password manager and never reuse passwords.
If you decide to use a password manager, these great little apps can generate really strong passwords for you whenever you need one. You can also use password generators on trusted websites, such as LastPass or Norton.
Follow these rules and you’ll get better passwords:
- Make strong passwords that are at least 12 to 16 characters long.
- Don’t use pet or family names.
- Don’t use your address, Social Security number, birth date, or other personal information.
- Never recycle or reuse a password—not even once.
- Don’t let Chrome, Firefox, Safari, or any other browser save passwords for you.
- Use password phrases (usually six or more words long) for the best security.
- Include capital letters, numbers, and symbols if the app or site allows it.
Source: Smart Girl’s Guide to Online Privacy
But the best passwords are those generated by password managers.
Even better is to use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to create and store them.
Source: Choosing Secure Passwords – Schneier on Security
Password managers like LastPass and 1Password save all of your passwords safely in a vault and encrypt everything. That way, you have them all in one place, no one can accidentally discover them, and you can make really complicated passwords, because the manager will keep track of them (and remember them) for you. You use one master password to unlock the password manager, and it saves and encrypts your passwords either locally or on its site. Most of these applications also have crazy-awesome password creators that you can and should use to generate super-strong new passwords with one click—and the password app automatically saves them for you.
Source: Smart Girl’s Guide to Online Privacy
I use 1Password to generate passwords. You can adjust the password recipe to accommodate any site’s password rules. Here’s the recipe I usually use.
That’s 50 random characters, which makes for a good password. Most sites will accept 50 characters, but there are still plenty out there that balk at passwords over 8, 10, 15, or 20 characters in length. Banks, unfortunately, are known for their short password limitations (and crufty password advice). I start at 50 and work my way down, dropping symbols only if the site refuses them. “Complexity is nice, but length is key.” Go for long passwords.
Update: NIST’s new password guidelines (SP 800-63B) recommend that sites accept passwords of at least 64 characters. 1Password updated its password generator to support a 64-character maximum.
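The recipe above, as an added example of my own (not 1Password’s code): generate a uniformly random password of a chosen length from a chosen character set, step the length down only as far as a site forces you to, build a six-word passphrase the way the book recommends, and put numbers on “length is key” by computing the entropy of each recipe. Python’s secrets module is the CSPRNG; the symbol set and the toy word list are mine, and the passphrase entropy figure assumes a 7776-word list like the EFF long list rather than the short constructed one embedded here.

```python
"""Generate random passwords and passphrases and compare their entropy.
Added example, not 1Password's code. Uses the secrets module (a CSPRNG)."""
import math
import secrets
import string

# Symbol set chosen to avoid quotes, backslash and space, which some forms mangle.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": SYMBOLS,
}

# Constructed toy word list for the passphrase demo. A real list such as the
# EFF long word list has 7776 entries; compare_strength() assumes that size.
SAMPLE_WORDS = ("apple banana cactus dolphin eagle falcon garden harbor igloo jungle "
                "kettle lantern meadow nickel orchid pepper quartz rocket saddle tunnel "
                "umpire velvet walnut xenon yogurt zipper anchor bridge candle dragon "
                "ember forest").split()


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length=50, allow_symbols=True, require_each_class=True):
    """Uniformly random password of `length` characters.

    allow_symbols=False drops the symbol class for sites that refuse symbols.
    With require_each_class=True the result is resampled until every allowed
    class appears at least once; rejection sampling keeps the distribution
    uniform over qualifying strings, unlike forcing one character of each
    class into fixed positions.
    """
    classes = dict(CHARACTER_CLASSES)
    if not allow_symbols:
        del classes["symbol"]
    alphabet = "".join(classes.values())
    if require_each_class and length < len(classes):
        raise ValueError("length too short to contain every character class")
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each_class or all(
            any(ch in cls for ch in password) for cls in classes.values()
        ):
            return password


def password_for_site(max_length=None, allow_symbols=True, preferred=50):
    """Start at the preferred length and step down only as far as the site forces."""
    length = preferred if max_length is None else min(preferred, max_length)
    return generate_password(length, allow_symbols)


def generate_passphrase(words=6, wordlist=SAMPLE_WORDS, separator=" "):
    """Diceware-style passphrase: each word drawn uniformly from the list."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def compare_strength():
    """Entropy in bits of the recipes discussed above, rounded to one decimal."""
    full = len("".join(CHARACTER_CLASSES.values()))    # 90 characters
    alnum = len(string.ascii_letters + string.digits)  # 62 characters
    return {
        "50 random chars, symbols": round(entropy_bits(50, full), 1),
        "12 random chars, symbols": round(entropy_bits(12, full), 1),
        "8 random alphanumerics": round(entropy_bits(8, alnum), 1),
        "6 words from a 7776-word list": round(entropy_bits(6, 7776), 1),
    }


if __name__ == "__main__":
    print(password_for_site())                                   # 50 characters
    print(password_for_site(max_length=12, allow_symbols=False))  # a fussy bank
    print(generate_passphrase())
    for recipe, bits in compare_strength().items():
        print(f"{bits:6.1f} bits  {recipe}")
```

The comparison is the point: a six-word passphrase from a 7776-word list (about 77.5 bits) is worth roughly the same as 12 random characters drawn from letters, digits and symbols (about 77.9 bits), and a bank’s 8-character alphanumeric limit caps you at about 47.6 bits no matter how clever the characters are. Length buys more than complexity, which is why the recipe starts at 50.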
When choosing a password manager, get one that runs on all of the devices you use. I’ve used 1Password for years. It offers iOS, Android, Windows, and Mac clients. It can sync your passwords between devices via iCloud or Dropbox. If you need to share passwords among family or team members, check out 1Password for Families or 1Password for Teams. My family uses 1Password for Families. In addition to personal vaults for everyone, we have a vault shared amongst the whole family for streaming video and audio accounts. My wife and I have a shared vault for bank, medical, insurance, and other household accounts. Having login information for all joint accounts in a shared vault improves our family’s bus factor.
How passwords are stolen
Massive data breaches are not the only threat. Be wary of shoulder surfing and social engineering.
There are simpler ways to get your password though. One is shoulder surfing, where someone watches over your shoulder as you enter your password on your computer or phone while you’re logging in on the bus or plane or at a café. Social engineering is another way that you can have your passwords stolen. Basically, social engineering involves attempts to con you into telling someone your passwords. The person conning you might call you and pretend that they’re tech support for Gmail, telling you that you have email stuck somewhere and they need your password to log in and free it up. They might know the names of your friends or colleagues, as well as their phone numbers and email addresses—all of which they can find online via social media sites like LinkedIn, Facebook, Twitter, and people-search sites. Malicious people can also use information they find about you on Facebook and other sites to correctly guess the answers to password-reset questions.
Here’s one thing to know: if a teacher, boss, TSA agent, police officer, or anyone else tells you that you have to give them your password, you shouldn’t do it unless you know it’s against the law not to.
If you share an account with friends or family, do it the smart way. Don’t use a password that you use anywhere else. Treat the shared account like any account that can get attacked, but know that its security is weaker than that of an account that you have total control over because it has a shared password. Don’t connect that shared account to any other accounts; otherwise an attacker could use that connection to get into those accounts.
When sharing passwords with family, consider using a password manager that accommodates shared vaults.
Surveillance, privacy and trust
“In the educational domain we see a lot of normalisation of designing computers so that their users can’t override them. For example, school supplied laptops can be designed so that educators can monitor what their users are doing. If a school board loses control of their own security or they have bad employees, there’s nothing students can do. They are completely helpless because their machines are designed to prevent them from doing anything.”
“We have this path of surveillance that starts with prisoners, then mental patients, refugees, students, benefits claimants, blue collar workers and then white collar workers. That’s the migration path for surveillance and students are really low in the curve. People who work in education are very close to the front lines of the legitimisation of surveillance and designing computers to control their users rather than being controlled by users,” Doctorow says.
Surveillance in education can also interfere with the educational process, he says, because “nobody wants to be seen fumbling. When you are still learning, you don’t want to feel like you are being watched and judged.” Doctorow adds that, due to their lack of power, students have limited options to take control of their learning and the digital tools they use.
“I talk to students, often younger students, who say they don’t worry about surveillance because they know how to block it out; they use a proxy or something else. But, first of all, those students can get in a lot of trouble for it. In America, they could actually be committing a crime and they could go to jail for it. It also doesn’t solve the overall problem; it only solves it for them. So I’ve often said to students that rather than breaking the rules, they document the absurdity of the rules and demand that adults account for it.”
“The censorware companies mostly work in the Middle East in repressive regimes who buy it on a mass scale to try to control the flow of information in their countries. Students should contact journalists, the school board and the parents’ association and ask why they are giving money that was meant to be for their education to war criminals who spy on us.”
Source: “Peak indifference”: Cory Doctorow on surveillance in education | OEB Newsportal