Password legislation/rulings

[tom_newton]

re: usernames... when I was at uni my department used to use a rotating letter to identify the year... example: I was ctztdn
ct (course) z (97 entry) tdn (my initials)
Had I been a year ealier, i'd have been ctytdn, then ctx..
This allows internal users a mnemonic for each year (and of course a non-changing username) IIRC there were only vwxyz in the rotation, as that more than covered a few years.

I think it is useful to use more than initials, however, as these soon get exhausted and you end up with "td2n" and things - yak.

[Jona]

example: I was ctztdn

Nottingham??

[OverWorked]

2. Interesting about usernames. We use 07BloggsJ as username and 07BloggsJ@schooletc.co.uk as their email (that way they only have to remember 1 username) - a guy from Shirelands (our VLE provider) was suggesting Becta has said 07BloggsJ was no longer acceptable as it identified the age of the student and their surname. What do others do for student email addresses?

I undertand that on email addresses it must not be possible to work out the name, age or gender of the child. I think I read that on becta somewhere.

We previously had no password policy, even blank were allowed. I was horrified to find that a teacher had a blank password - he just couldn't see the point of setting one. It hadn't occurred to me that staff might have no password.

When I did set a policy following this incident (and notified the whole school a month in advance) I got some nasty ear ache off the staff (none from the kids) about it for months afterwards.

I dug my heels in and now they just accept it and get on with it when they're forced to change them.

[dancingdruid]

I force passwords changes on all staff in the second week of every half term. It wasn't popular when I first did it, but they're used to it now.

I don't see the point of this. I guess many do what my mum used to do when she had enforced password changes at the bank. She had a list of them in the back of her diary and rotated through them. I know for a fact that our office manager has done this too for county payroll and admin systems.

Does this make for a more or less secure system?

[zag]

The most secure password systems are those which do not enforce changes

[witch]

Our teacher passwords are set once and then never changed. Most have the same password for logging on locally to their laptop as they do to the network. I have complained but no one cares about security so....
The children have similar to most of you: yearsurnamefirst3lettersoffirstname (07smithemm). They don't have email addresses here.

[tom_newton]

Nottingham??

Leeds Uni.

[tom_newton]

Changing passwords is only really useful for damage limitation once someone's got in. With the primary adversary being kids here, i really think you're going to notice almost immediately you are compromised... this would, in my eyes mean the benefits are outweighed by irritations (more forgetters, writing down, etc).

Worth communicating "what to do if you think someone has your password" though.

[Sylv3r]

typical username and password for a user

User Mark Bell

username 09MBELLI9F
password ntlznh4b

took about a month for kids and staff to get used to the new username password policy but its worked.

Its completely cut out the problems we had before i.e. kids loging on to other kids email accounts, loging on to network to delete work.

Do you have more instances of the students forgetting their passwords now though? Infact what about staff forgetting their passwords if they use a similar context?

Thanks

[Sylv3r]

Usernames to login are:

07AIBSMITH (Year of Entry + First 2 Letters of Form + Initial + Surname)

e-mail addresses are:

bsmith@stbedes......... (for staff and students but both on different domains, but im going to introduce a new e-mail system for students so we will probably create a new formula such as gs100@stbedes..... (initials + number starting at 100) for our student accounts. Printed out on sticky labels so they can stick into their planners at the start of the year - not with their passwords on of course.

[K.C.Leblanc]

Sorry to be so negative in my first post, the school were I used to work had some very vindictive staff. They also had no training policy so they had lots of staff who had 0 confidence in IT.

We had 90 day password changes with your last 6 passwords not permitted. We however had no restricton on how often you could change your password. Net result was some teachers when asked to change their password would then change it 6 times so they could change it back to te one they had before.

[Grommit]

typical username and password for a user

User Mark Bell

username 09MBELLI9F
password ntlznh4b

took about a month for kids and staff to get used to the new username password policy but its worked.

Its completely cut out the problems we had before i.e. kids loging on to other kids email accounts, loging on to network to delete work.

You are having a laugh...

[Michael]

I'm surprised some of you mentioned you have no password policies or no password at all. Staff generally have higher access rights/access to sensitive data and the school overall has a responsibility to protect this data.

Believe me, I've had my fair share of problems getting security to what I consider a reasonable standard. I think the key to it all, is firstly to make the Head and ICT Co. aware and to get them on your side. The ICT Co. should create and have policies in place that all staff should agree and adhere to.

Once you've got this far, the rest is easy as it's all enforced by GPO. I do think it's important to get an equal/fair balance of number of days a password is valid for, number of characters required, but also the history of passwords remembered. If you find people writing passwords down then I would say the password policy needs tweaking or staff need one to one support to give them a clearer understanding of the importance of network security.

[OverWorked]

Printed out on sticky labels so they can stick into their planners at the start of the year - not with their passwords on of course.

Now that's a good idea! I might try that.

[localzuk]

We don't currently have a password policy as such (ie, not a GPO one) but I believe something was started on a written one before I came. I'm not sure what happened with it though.