Oh my God I thought I was going to be lynched!

[reggiep]

It's the end of my second week in a new school.
My post is a new post as network manager.
I have been going through the system over this time and noticed that most of the teaching staff (well over half) still had their default password as their password.
So in the staff briefing this morning I mentioned this and told them that I would be doing a forced password change for them all on Monday.
Well the dagger looks I got and the sudden intake of breath from the staff was amazing.
It's as if I said I was personally going to go and impregnating every one of their daughters!
At the end of the briefing a scary PE teacher came over and was asking me how she was going to do her job if her password was changing all the time, which is not what I had told them.

Anyway I'm looking forward to Monday now!
And I though the staff so far had like d me.

[contink]

I'd seriously think about doing a thorough backup of everything in those staff accounts... then moving them to a new folder and leave a nice little "Readme.txt" file for them

Then, in the readme file you write a story about a teacher who lost all their work because a child testing defaults, found the account, copied it all to their memory stick and started sharing it all round school... complete with private information, teachers addresses, reports, etc... Oh and then they deleted loads of it... edited more so that it contained profanity and just to finish off sent a foul mouthed diatribe to the headteacher saying they hated the HT, the job and they were quitting, or worse...

Then at the end...

Password security 101 Exam:

Does anyone still have any problems, questions or issues with their password being changed?

This was just a drill, next time you may not be so lucky

Obviously you might want to check with Senior management first though

[tmcd35]

Lol,

We were asked to implement a forced password change policy every about 6 weeks from up high. This did not go down well with the staff. When asked I usually mumble something about security and kids learning teachers passwords.

It's been well over a year now and to be honest, they've pretty much got used to. Still go the odd complaint but I just shrug my shoulders - they new It's not going to be changed!

[e_g_r]

Were about to go down this route as staff have had the same lame passwords since the begining of time.

You get the usual whing like 'how can i remember a new password' and 'i use the same one here and at home and on the internet (FFS)

With a VLE/MLE going to come online a am pressing the SMT to allow only secure passwords with alpha/numeric and special characters.

If there is resistance i plan to hold a talk where i will show how easy it is for a pupil to 'hack' lame passwords. I will target a staff member with said lame password and ask some general questions such as:

Do you have any children
Boy or girl
whats there name

BINGO i've now got your password

[reggiep]

I implemented secure passwords at my last school.
I went through about 2 weeks of abuse and then everyone realised it wasn't so bad.
The only downside was I had to set the policy for the students as well as I couldn't find how to apply it to just groups.

[Lee_K_81]

Were about to go down this route as staff have had the same lame passwords since the begining of time.

You get the usual whing like 'how can i remember a new password' and 'i use the same one here and at home and on the internet (FFS)

With a VLE/MLE going to come online a am pressing the SMT to allow only secure passwords with alpha/numeric and special characters.

If there is resistance i plan to hold a talk where i will show how easy it is for a pupil to 'hack' lame passwords. I will target a staff member with said lame password and ask some general questions such as:

Do you have any children
Boy or girl
whats there name

BINGO i've now got your password

Yes easiest thing is to get some kids to do a social studies experiment, names of partners, kids, pets, bet half would give mothers maiden name.
Even forcing staff to change the password isnt that secure. The amount of people who's password is child's name followed by a number that increments with each change is crazy, but it passes all the tests, i.e. James1 >= 6 chars, including one capital and 1 non alpha char.

[iatkinson]

I implemented secure passwords at my last school.
I went through about 2 weeks of abuse and then everyone realised it wasn't so bad.
The only downside was I had to set the policy for the students as well as I couldn't find how to apply it to just groups.

We had split domains to implement different password policies though under server 2008 you can implement different policies within one domain.

[K.C.Leblanc]

I did once encounder a student stupid enough to sit at a computer with a teacher's logon name entered and then ask what said teacher's wife's names was.

At the same school but a few years later there was know minimum password age, so although teachers couldn't use there last 6 passwords some would just change them 6 times so they could have the old one.

[srochford]

At the same school but a few years later there was know minimum password age, so although teachers couldn't use there last 6 passwords some would just change them 6 times so they could have the old one.

That's not necessarily a bad thing, provided that the password they keep is a good one (so not spouse's name etc!)

We're about to enforce strong passwords for staff; what we're actually recommending is that they use phrases rather than words (difficult to remember KJ*196jgv; much easier to remember a phrase with letters, numbers and punctuation) but I know it will floor some people.

If you are going to force password changes, it's better to do it in small groups - if everyone comes in on Monday, changes their password and forgets it within the hour then you will have a nightmare trying to deal with it all and you will get blamed (because you did force simultaneous changes instead of 10 on Monday, 10 on Tuesday etc!)

[TechSupp]

We had a similar thing, staff new to networks, set them up with default passwords which they wanted... now when I started doing audits of printing, it was a case of I didn't print all that, someone must be logging on as me with my password! Now they all wanted to change their passwords!!! Still hasn't changed the main culprits for printing thought, just makes it more definate on who prints what with my auditing :-)
Another thing is they log on a PC, do a quick job then walk away leaving it logged on and apparently its the systems fault that someone else jumps on a logged in PC to run off a quich print job! Not quite figured out their logic behind that one yet?

[TimH]

I implemented secure passwords at my last school.
I went through about 2 weeks of abuse and then everyone realised it wasn't so bad.
The only downside was I had to set the policy for the students as well as I couldn't find how to apply it to just groups.

We have student passwords set never to expire, staff were controlled by the timeout mechanism in the domain. This proved awkward, so now we have a script run on schedule at 03:00 on the first day of each term (or was it half term ?) that expires the staff passwords.

[reggiep]

We have student passwords set never to expire, staff were controlled by the timeout mechanism in the domain. This proved awkward, so now we have a script run on schedule at 03:00 on the first day of each term (or was it half term ?) that expires the staff passwords.

That sounds interesting. You wouldn't want to share that script would you?

[elsiegee40]

I force staff password changes at the start of the second week of each term (the first week is chaotic enough as it is)

The staff moan, but they're used to it now.

[acrobson]

We force a change password for all staff every 30 days, each password must be at least 10 characters long, locks out after 4 worng attempts, cannot be any of the last 24 they have ever userd and must be aphanumberic.

A bit over the top, but, the restore requests have gone down from approx 50 a week to 1-2, if that.

[sdc]

We have student passwords set never to expire, staff were controlled by the timeout mechanism in the domain. This proved awkward, so now we have a script run on schedule at 03:00 on the first day of each term (or was it half term ?) that expires the staff passwords.

I would also be most grateful if you were willing to share the script!