School ICT Policies Thread, Password legislation/rulings in School Administration
  1. #1

    Join Date
    Mar 2008
    Location
    Boston, Lincolnshire
    Posts
    189
    Thank Post
    1
    Thanked 8 Times in 8 Posts
    Rep Power
    15

    Password legislation/rulings

    Hi all

    I'm trying to find out what the current legislation is on passwords and automatic resets...

    In my old job I worked for a charity dealing with disabled people and we had best practice rulings as to passwords.

    i.e. 24 password memory, min 8 characters, must have 3 different types of character, 40 day reset.

    In my new place I have absolutely nothing in place...

    any advice?

  2. #2
    Jona's Avatar
    Join Date
    May 2007
    Location
    Cranleigh
    Posts
    471
    Thank Post
    14
    Thanked 51 Times in 49 Posts
    Rep Power
    24
    current legislation
    I don't think there are any laws on this, just reasonable security steps in the Data Protection Act, etc.

    I think it's a fine balance between security and the user actually being able to remember it without writing it down (which compromises your security).

    I would personally suggest maybe 6 chars or longer with at least one numeric?

    AU's password policy, which is very draconian, is here: How do I choose a suitable password? This is actively enforced, e.g. it checks language dictionaries and such. Wikipedia has something vaguely helpful to say: Password policy - Wikipedia, the free encyclopedia

  3. #3


    Join Date
    Jul 2007
    Location
    Rural heck
    Posts
    2,662
    Thank Post
    120
    Thanked 433 Times in 352 Posts
    Rep Power
    127
    Bear in mind in a school if you make it too complicated you'll have two problems.

    A. No one will like you.

    B. A phenomenal number of people won't take passwords seriously. You'll get loads written down or told to all and sundry. Make sure you have SLT on side and make sure they're aware of the potential pitfalls.

  4. #4

    Join Date
    Mar 2008
    Location
    Boston, Lincolnshire
    Posts
    189
    Thank Post
    1
    Thanked 8 Times in 8 Posts
    Rep Power
    15
    Quote Originally Posted by K.C.Leblanc View Post
    A. No one will like you.
    Now that's an interesting comment... most of the kids don't like me coz I stop them doing all the fun things... then again a lot of the kids respect the authority...

    In my old post I had 50 women who hated the thought of having to work with a decent password policy... it took a couple of months for them to get used to the system and they got on with it...

    NB - is it possible to set up a system so that all logins can be recorded and programs run are logged also? I've never used it before and school administration is a lil different to what I'm used to...

  5. #5
    gaz350's Avatar
    Join Date
    Jul 2007
    Location
    Rutland, east.leicestershire :P
    Posts
    579
    Thank Post
    47
    Thanked 49 Times in 41 Posts
    Rep Power
    29
    'smoothwall' Tom posted about a nice document about passwords in schools; it's somewhere on the forum

    here it is http://download.smoothwall.net/pdf/p...or-schools.pdf
    Last edited by gaz350; 28th March 2008 at 11:32 AM.

  6. #6

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,159
    Thank Post
    116
    Thanked 529 Times in 452 Posts
    Blog Entries
    2
    Rep Power
    124
    One of the key things which might help is to stop talking about "passwords" and to use the term "passphrase". Passwords like O9**HHb23 are secure but are not easy to use. Passphrases like Dudden Hill Lane NW10 2XD are easy to remember and can be secure (provided you don't use an address which is easily associated with you!) It doesn't even have to be real (eg if you only half remember the address where you grew up then that's fine!).

    There are loads of other phrases that you can use which include numbers and punctuation; they can be easy to work with but hard for a dictionary attack to find.

  7. #7
    PEO
    PEO's Avatar
    Join Date
    Oct 2007
    Posts
    2,096
    Thank Post
    457
    Thanked 152 Times in 96 Posts
    Rep Power
    72
    typical username and password for a user

    User Mark Bell

    username 09MBELLI9F
    password ntlznh4b

    Took about a month for kids and staff to get used to the new username password policy but it's worked.

    It's completely cut out the problems we had before, i.e. kids logging on to other kids' email accounts, logging on to network to delete work.

  8. #8

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,331
    Thank Post
    242
    Thanked 1,601 Times in 1,277 Posts
    Rep Power
    346
    Well I operate mostly in primary schools and set up the following:

    10 remembered passwords
    Minimum 5 characters
    200 days remembered

    However, all children use the same password which they cannot change. All staff are forced and reminded (5 days before) to change every 200 days by GPO.

    Usually I operate the username format jbloggs for staff and 07jbloggs (for example) the year the children joined the school.
    Last edited by Michael; 28th March 2008 at 11:35 AM.
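
Added example, not code from any poster in this thread: a small checker that expresses the two concrete policies quoted so far (post #1: 24 remembered, min 8 characters, 3 character types, 40 day reset; post #8: 10 remembered, min 5 characters, 200 days) and lists which rules a proposed password breaks. The `Policy` field names, the PBKDF2 history store and the sample history entry are this example's assumptions; the two test passwords are the ones quoted in posts #6 and #7.

```python
import hashlib, hmac, os, string
from dataclasses import dataclass
from datetime import timedelta

@dataclass(frozen=True)
class Policy:          # field names are this example's own, not GPO setting names
    min_length: int
    min_classes: int   # distinct character types required
    history: int       # number of previous passwords that may not be reused
    max_age_days: int

# Numbers quoted in posts #1 and #8; min_classes=1 and max_age_days=200 for
# post #8 are assumptions (no complexity rule stated, staff change every 200 days).
POST1 = Policy(min_length=8, min_classes=3, history=24, max_age_days=40)
POST8 = Policy(min_length=5, min_classes=1, history=10, max_age_days=200)

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password):
    """Return (salt, digest) for the history list; the plaintext is never kept."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def char_classes(password):
    """Count which of lower, upper, digit, punctuation/space appear."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation or c == " ")
    return sum(any(t(c) for c in password) for t in tests)

def violations(policy, candidate, history):
    """List the rules a proposed new password breaks under the given policy."""
    out = []
    if len(candidate) < policy.min_length:
        out.append("too short")
    if char_classes(candidate) < policy.min_classes:
        out.append("too few character types")
    recent = history[-policy.history:] if policy.history else []
    if any(hmac.compare_digest(_digest(candidate, s), d) for s, d in recent):
        out.append("reused")
    return out

def expired(policy, last_changed, now):
    """True once the password is older than the policy's reset interval."""
    return now - last_changed > timedelta(days=policy.max_age_days)

if __name__ == "__main__":
    old = [remember("Spring-Term08")]          # constructed sample history
    for pw in ("ntlznh4b", "Dudden Hill Lane NW10 2XD", "Spring-Term08"):
        print(pw, violations(POST1, pw, old), violations(POST8, pw, old))
```
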

  9. #9

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    16,372
    Thank Post
    906
    Thanked 1,811 Times in 1,559 Posts
    Blog Entries
    12
    Rep Power
    468
    We don't use this as the kids have trouble remembering passwords as it is

  10. #10

    Join Date
    Nov 2006
    Location
    Kendal
    Posts
    1,556
    Thank Post
    112
    Thanked 178 Times in 145 Posts
    Rep Power
    72
    1. Our staff would crumble if I enforced regular changes - they struggle to remember 1

    2. Interesting about usernames. We use 07BloggsJ as username and 07BloggsJ@schooletc.co.uk as their email (that way they only have to remember 1 username) - a guy from Shirelands (our VLE provider) was suggesting Becta has said 07BloggsJ was no longer acceptable as it identified the age of the student and their surname. What do others do for student email addresses?

  11. #11

    Join Date
    Mar 2008
    Location
    Boston, Lincolnshire
    Posts
    189
    Thank Post
    1
    Thanked 8 Times in 8 Posts
    Rep Power
    15
    we have

    first.last@school.county.sch.uk as email

    and logon is first.last...

    The way we organise the accounts is all set up in Active Directory used users>pupils>year intake.. is 2007 intake = yr7 etc...

  12. #12


    tom_newton's Avatar
    Join Date
    Sep 2006
    Location
    Leeds
    Posts
    4,507
    Thank Post
    871
    Thanked 862 Times in 681 Posts
    Rep Power
    199
    Remember, there's little chance of a traditional dictionary attack on these passwords, so using a "real" word has fewer disadvantages.

    For kids' passwords, and this mostly goes for teachers too, your biggest risks are:
    1. Guessability
    2. Written-passwords
    3. Shoulder surfing

    A dictionary word is easier to shoulder surf, but difficult for a human to guess, because there are a few of them. Enforcing too long, or over complex passwords opens users up to #2 - have heard of kids being encouraged to write passwords in jotters etc.

    Unmemorable passwords (or phrases - that is a good idea) will cause much more hassle than insecure ones. There's a big difference between "memorable" and "guessable" though. Harder with kids, as they have less "life experience" to draw on, old addresses, etc. and will often take examples too literally, leading to obvious patterns.

    It's also worth noting how many people will "stick with" the default, unless enforced otherwise.

  13. #13
    stratisphere's Avatar
    Join Date
    Apr 2007
    Posts
    295
    Thank Post
    33
    Thanked 87 Times in 31 Posts
    Rep Power
    31
    Quote Originally Posted by hotwired007 View Post
    Now that's an interesting comment... most of the kids don't like me coz I stop them doing all the fun things... then again a lot of the kids respect the authority...

    In my old post I had 50 women who hated the thought of having to work with a decent password policy... it took a couple of months for them to get used to the system and they got on with it...

    NB - is it possible to set up a system so that all logins can be recorded and programs run are logged also? I've never used it before and school administration is a lil different to what I'm used to...
    I'm working on a tool at the moment (actually, a suite of tools) which will do all this. It also has a password manager (basically shows you the security of your password in a nice friendly bar... like those 2.0 websites).

    At the moment it's in an alpha development phase (i.e. I'm not happy to send it out to anyone).
    But over the next few weeks I'll be releasing a beta version of it.
    The thread is Imperium - Ideas & help? if you want to keep an eye on it.

  14. #14

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,331
    Thank Post
    242
    Thanked 1,601 Times in 1,277 Posts
    Rep Power
    346
    Interesting about usernames. We use 07BloggsJ as username and 07BloggsJ@schooletc.co.uk as their email (that way they only have to remember 1 username) - a guy from Shirelands (our VLE provider) was suggesting Becta has said 07BloggsJ was no longer acceptable as it identified the age of the student and their surname. What do others do for student email addresses?
    That's what I love about BECTA. They come out saying it's not acceptable, but at the same time, they don't offer an alternative. Really constructive. The point is BECTA are only offering guidance, it isn't mandatory. If you're like me and it works in many schools, with no issues, then leave well alone

    The only alternative would be to give pupils a random 4 digit pin to logon as. For example, 1234, 4321, 3421 etc... however it's going to be really problematic as obviously teachers or myself wouldn't be able to remember which number is for which child.

  15. #15

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,181
    Thank Post
    1,922
    Thanked 2,413 Times in 1,767 Posts
    Rep Power
    840
    I force password changes on all staff in the second week of every half term. It wasn't popular when I first did it, but they're used to it now.

    They much prefer this to the nagging "your password will expire in x days, do you want to change it now?" message.

    As for the kids, because our youngest users are aged 4 we have a simpler policy than I would like. The kids' password is set once and cannot be changed... although from next September Year 5 & 6 will be setting their own passwords (should be fun!)

    As for user names:
    07AliciaS is the standard here: 07 is the year they start in Reception and that is followed by the child's forename and the first initial of the surname. We always use the preferred abbreviation for the forename that the child uses... so Madeleines are Maddy or Maddie, etc (we only get away with this because the school is so small!)

    Staff logons are JSmith; i.e. Initial of forename followed by surname

    Emails are the same as the user's logon above @school.co.uk
    Last edited by elsiegee40; 28th March 2008 at 01:17 PM.


