7th May 2010, 10:33 PM #1
Password complexity for primary school
Apologies up front if this is the wrong forum but it seems as good as any!
I am a Governor for my local primary school and, since I work in the IT industry (having done support, engineering and design), for my sins I have ended up acting as some form of pseudo-ICT adviser for the school. My predecessor (who also worked in IT but as a programmer/technical writer), despite best intentions, has left the school with a far from desirable set-up and I am now trying to help sort out the various issues that they are now encountering.
The main issue they have is that their single, curriculum "server" is really a desktop PC with Windows Server 2003 installed on it, acting as a DC. It doesn't have RAID, isn't being backed up (in any meaningful sense that would facilitate a restore) and the whole user account/profile/home drive set-up is a disaster area. Suffice to say, they are now looking to put in a new "proper" server and sorting this mess out, which brings me on to the point of this post and my request for help/guidance.
For reasons unknown, when they set up the existing server and domain, they decided to give every pupil (bearing in mind that this is a primary school so we are talking children aged 4 to 11) their own logon. To make things easy (or a nightmare, depending on your point of view), each logon's password is the same as the logon ID itself. The logon IDs are of the form A01, A02, A03 etc. with each year group having a different letter prefix. Supposedly, each child was meant to keep the same ID as they moved up the years/classes, although some children thought they changed letters when they moved up a year so have now started logging on with IDs belonging to children in the year above etc. etc. ... see what I mean about mess?!
Anyway, recently I have been involved in bringing their e-safety policy up to scratch (well, writing it from scratch really) and I started looking at passwords. If it was just staff logging on to the network then I'd be looking for decent password complexity rules, account lockout attempts and forcing password changes every 30 days or so. However, since the children have these simple logon IDs and passwords, we can't do that. There's no way that a 4 year old child is going to be able to remember a 6 character password containing a lower case character, an upper case character and a number, and change it to something different every 30 days! They have enough trouble remembering their 3 character logon!!
So, what does everyone else do? How do you balance network security (which demands a decent password policy) against having passwords that the younger children can remember? Do most people just have generic class logons that everyone shares? The school is keen that each child has a dedicated "area" (be it a folder, shared drive or whatever) in which they can save their work so how can that be achieved with shared logons without running the risk of children in the same class overwriting each other's work? Plus, I hate generic logons anyway as they represent a security risk and you lose traceability!
Apologies for the long post ... any advice/guidance/previous experience would be greatly appreciated.
7th May 2010, 11:06 PM #2
Password complexity with Server 2k3 in Primary schools is a nightmare.
You can only have one policy and it needs to accommodate everyone. Hence you end up with 3 letter passwords that are the same for the entire school, just so Reception - Year 2 can take less than half an hour to logon.
My school is no different. If we had any outside access to the network, I would be terrified... as it is I'm just plain scared, BUT we are going server 2008 this summer and then the password policy will change as this can be set at OU level.
Every child at my school from Reception up has their own logon (we have a Pre-school from age 3 months and they use a single logon for the children that use our computers) and they are taught their individual password, the need to keep it secret and to keep it safe. It's an important message and the sooner they learn it the better.
Years 4 to 6 at my school have to change their passwords 3 times a year, just like the teachers. It's fun ... but they learn!
I inherited the setup we have, but given the e-safety message we are trying to drive home, I have no qualms about individual logons from Reception upwards or about password security.
As soon as we go 2k8, teachers will have to have more secure passwords... at the moment I get away with white lies saying they must be at least 6 characters long and contain alphameric characters! Password security is contained in our very stiff AUP, so the teachers are contractually obliged to make sure their logons are secure.
7th May 2010, 11:34 PM #3
Well, at least we're not alone then! Many thanks for your reply elsiegee40.
It's been a while since I've buried myself in Windows Server (I've been dabbling in AIX for the last couple of years) and I've not had a chance to bring myself up to speed with the new features of W2K8 ... different password policies per OU is a definite plus and since I'm intending to put W2K8 on the new server anyway, this is fantastic news - thank you! (Note to self, read up on other new features of W2K8 that I've missed out on!)
We've updated our AUPs too with strict policies on password security so I guess this helps too.
I'm still left with the niggling issue though of whether user IDs and passwords of A01, A02 etc. are the best answer ... any other set-ups out there?
8th May 2010, 12:00 AM #4
Nursery and reception accounts: N01, N02,... and R01, R02,... no one cares which kid uses which account and there are no passwords.
Y1 - Y6: Have format "yyAliceB" where yy is year of entry to school e.g. "07" (reduces account name collisions), no passwords for Y1-Y5, but Y6 have passwords in preparation for Secondary ICT-life.
Seems to work fine.
8th May 2010, 12:24 AM #5
The primary I work in has year log ons and all the children use them. I have advocated individual passwords for the top two years but no one would do it.
As for password change - I can't even get the staff to do it, never mind the kids (in both the schools I work in)
8th May 2010, 10:25 AM #6
I force password changes on Tuesday of the second week of every main term (September, January and April/May) with the HT's blessing. Everybody hates it and at first staff were openly hostile, but they are used to it now. I remind them that it will happen at the start of term staff meeting and now they just groan.
8th May 2010, 12:26 PM #7
Class logons here, upper school all use same password, even that causes problems with some pupils! Every pupil has their own folder, within their class folder along with a class shared folder for prepared work to go in.
The staff don't need to know anything about password policies on server 2003, I've told ours they must have letters and numbers as it's school's policy that staff have complex passwords! It's broad shoulder time with some staff but that's part of our job.
Last edited by chrbb; 8th May 2010 at 12:29 PM.
8th May 2010, 03:45 PM #8
It is a difficult question to answer. As a general rule because Windows Logon is all internal, it's safe to have usernames setup such as the year of entry, first letter of their first name and then their surname, with a standard password. You may wish for Year 5 and 6 to be able to change their passwords, but really that's at the discretion of the school.
The second problem is e-mail. Some authorities are using incredibly complex usernames as suggested by Becta. Something like AD123JO345@domain-name which for a child is incredibly difficult for them to remember, even with the creation of flash cards they can carry around. How many teachers did Becta consult on this? Probably zero.
The moral of the story is computer security is important, but make it too difficult and teachers will lose patience and even worse, pupils will lose out. It's important to get the balance right otherwise this creates a huge hindrance to children learning ICT.
8th May 2010, 05:02 PM #9
Last edited by SimpleSi; 8th May 2010 at 08:26 PM.
8th May 2010, 11:44 PM #10
Anyone thought of biometrics which most schools use for catering?
Could use the same DB and with all the computers setup (in a primary school not too many computers) with bio-readers this would prove very effective and efficient for both students and staff would it not. This would also have the added security criteria due to safeguarding and e-safety protocols and would be more cost effective than having the schools security breached.
8th May 2010, 11:56 PM #11
@simplesi at primary there's certainly only that reason but towards the end of compulsory education schools need to start thinking about getting students ready for the world of work.
Strong passwords is certainly part of that world.
8th May 2010, 11:58 PM #12
OK you have my attention - what exactly is that? I don't think our catering uses it.
9th May 2010, 12:27 AM #13
Must every thread on this forum, including ones with an explicit primary in the title be Secondaryfied?
9th May 2010, 01:44 AM #14
Fingerprint readers, I have to say that I have thought about this or about smartcards for logon but the readers are expensive and we don't have such a limited amount of machines. Additionally for the moment you would need to use some form of additional software to log on to the domain with fingerprints without registering every user on every station. These systems do exist but are an extra cost.
Smartcards don't have this problem and the readers are usually cheaper but these can be easily lost/stolen/forgotten so it limits their effectiveness.
@3rdknight - we just use standard class logons, each class gets its own password set by the teacher which all the students for that class know. I agree with SimpleSi in that most of the time the work is not critically important and we don't really seem to have issues with users deleting anything, rather the opposite.
Last edited by SYNACK; 9th May 2010 at 01:49 AM.
9th May 2010, 02:05 AM #15
I've used biometrics - albeit with a secondary school - it worked well but cost a lot to set up and to maintain the hardware (vandalism and failure rate) - there are some concerns around private information being stored (i.e. police checking fingerprint) that need to be explained to parents - it is not 100% accurate which can lead to frustration (i.e. if you can't log in with a password you assume you typed it wrongly and try again, if it's biometric you blame the system and call the network manager)