Last night, I had this TED talk shared with me with the message “This will put a lot of you to sleep.”
I had to view it right away. In actuality, I watched it a few times. I think it’s a great video to watch: “What’s wrong with your pa$$word”. You’ll probably learn something new each time you watch it.
I had a bunch of takeaways from the video.
- impressed that the IT Department at CMU wouldn’t give password databases away even for research;
- learned how you might hack a hash code;
- suggested rules for password security;
- common passwords;
- National Institute of Standards and Technology;
- different ways to show strength of password;
- ideas about rules for changing passwords;
- recommendation of different password per system;
- and much more. You need to watch the talk.
Now, the audience presumably was largely from Carnegie Mellon and her message would be directly applicable to them. Higher education and the general public have total control over passwords and privacy if they elect to use it. When you are registered, you get an account and you are then expected to manage it.
I actually rather enjoyed the talk.
But then I started to think about K-12. There’s a lot of talk about students and privacy. But, what do we do about passwords? And, passwords on multiple accounts?
A typical scenario might be that student accounts are created with data extracted from the Student Information System over the summer. It might be initially seeded with a password being the student’s birthday and the instruction given to change the password on first login. I remember a student told me once that this was a good reason not to skip the first day of school…
First point of failure. It’s the first day of school and you’re logging in for the first time. You haven’t had time to teach that important lesson about creating a strong password. But, you could do that later and then have a big change-a-thon. Now, it’s a good idea to change the password regularly or, perhaps, you have a system rule that forces it to happen.
Now, you log into the network. There’s one account needed. If it’s school equipment, you’re using a shared device. Let’s get onto the web and do some read/write web stuff. Well, that’s probably going to require creating another account somewhere. You’ll need a unique login and another unique and secure password. Repeat over and over during the school year. How many accounts would be created? How many passwords? What’s the chance of duplicate passwords? See where I’m headed?
In the real world, we probably do a good job of it. After all, we’re probably not using a community computer. We’re using our own. If you’re using the computer to its potential, you’re probably using the browser’s ability to remember your accounts. Or, you might be using a password manager like 1Password or LastPass. While these are great tools for the home user, they’re not practical or even possible in a school setting.
What’s a student to do? After all, you don’t want the insecurity of writing the password on a sheet of paper?
In many cases, there are resources that help the cause. I’m a fan of Scrawlar and the way that accounts are handled. There are also web resources that don’t require an account at all. You can finish your work in a single sitting with a utility like Wordle.
Unfortunately, that doesn’t cover all of the online world that you might want to use. The same message that is in Ms. Cranor’s talk is applicable to everyone/anyone. In a BYOD world where every student has her/his own computer, it would be easier with a browser remembering passwords or the effective use of a password manager.
The reality, though, is that we’re years away from that. The concept of a school-provided shared, common device remains a reality. How do you handle student passwords in that scenario?