+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 23
Windows Thread, Password complexity for primary school in Technical; Apologies up front if this is the wrong forum but it seems as good as any! I am a Governor ...
  1. #1
    3rdknight's Avatar
    Join Date
    Jul 2009
    Location
    Gloucestershire
    Posts
    9
    Thank Post
    2
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Question Password complexity for primary school

    Apologies up front if this is the wrong forum but it seems as good as any!

    I am a Governor for my local primary school and, since I work in the IT industry (having done support, engineering and design), for my sins I have ended up acting as some form of pseudo-ICT adviser for the school. My predecessor (who also worked in IT but as a programmer/technical writer), despite best intentions, has left the school with a far from desirable set-up and I am now trying to help sort out the various issues that they are now encountering.

    The main issue they have is that their single, curriculum "server" is really a desktop PC with Windows Server 2003 installed on it, acting as a DC. It doesn't have RAID, isn't being backed up (in any meaningful sense that would facilitate a restore) and the whole user account/profile/home drive set-up is a disaster area. Suffice to say, they are now looking to put in a new "proper" server and sorting this mess out, which brings me on to the point of this post and my request for help/guidance.

    For reasons unknown, when they set up the existing server and domain, they decided to give every pupil (bearing in mind that this is a primary school so we are talking children aged 4 to 11) their own logon. To make things easy (or a nightmare, depending on your point of view), each logon's password is the same as the logon ID itself. The logon IDs are of the form A01, A02, A03 etc. with each year group having a different letter prefix. Supposedly, each child was meant to keep the same ID as they moved up the years/classes, although some children thought they changed letters when they moved up a year so have now started logging on with IDs belonging to children in the year above etc. etc. ... see what I mean about mess?!

    Anyway, recently I have been involved in bringing their e-safety policy up to scratch (well, writing it from scratch really) and I started looking at passwords. If it was just staff logging on to the network then I'd be looking for decent password complexity rules, account lockout attempts and forcing password changes every 30 days or so. However, since the children have these simple logon IDs and passwords, we can't do that. There's no way that a 4 year old child is going to be able to remember a 6 character password containing a lower case character, an upper case character and a number, and change it to something different every 30 days! They have enough trouble remembering their 3 character logon!!

    So, what does everyone else do? How do you balance network security (which demands a decent password policy) against having passwords that the younger children can remember? Do most people just have generic class logons that everyone shares? The school is keen that each child has a dedicated "area" (be it a folder, shared drive or whatever) in which they can save their work so how can that be achieved with shared logons without running the risk of children in the same class overwriting each other's work? Plus, I hate generic logons anyway as they represent a security risk and you lose traceability!

    Apologies for the long post ... any advice/guidance/previous experience would be greatly appreciated.

    Regards,
    3rdknight

  2. #2

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,071
    Thank Post
    1,898
    Thanked 2,377 Times in 1,747 Posts
    Rep Power
    833
    Password complexity with Server 2k3 in Primary schools is a nightmare.

    You can only have one policy and it needs to accomodate everyone. Hence you end up with 3 letter passwords that are the same for the entire school, just so Reception - Year 2 can take less than half an hour to logon.

    My school is no different. If we had any outside access to the network, I would be terrified... as it is I'm just plain scared, BUT we are going server 2008 this summer and then the password policy will change as this can be set at OU level.

    Every child at my school from Reception up has their own logon (we have a Pre-school from age 3 months and they use a single logon for the children that use our computers) and they are taught their individual password, the need to keep it secret and to keep it safe. It's an important message and the sooner they learn it the better.

    Years 4to 6 at my school have to change their passwords 3 times a year,just like the teachers. It's fun ... but they learn!

    I inherited the setup we have, but given the e-safety message we are trying to drive home, I have no qualms about individual logons from Reception upwards or about password security.

    As soon as we go 2k8, teachers will have to have more secure passwords... at the moment I get away with white lies saying they must be at least 6 characters long and contain alphameric characters! Password security is contained in our very stiff AUP, so the teachers are contractually obliged to make sure their logons are secure.

  3. Thanks to elsiegee40 from:

    3rdknight (7th May 2010)

  4. #3
    3rdknight's Avatar
    Join Date
    Jul 2009
    Location
    Gloucestershire
    Posts
    9
    Thank Post
    2
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Well, at least we're not alone then! Many thanks for your reply elsiegee40.

    It's been a while since I've buried myself in Windows Server (I've been dabbling in AIX for the last couple of years) and I've not had a chance to bring myself up to speed with the new features of W2K8 ... different password policies per OU is a definite plus and since I'm intending to put W2K8 on the new server anyway, this is fantastic news - thank you! (Note to self, read up on other new features of W2K8 that I've missed out on!)

    We've updated our AUPs too with strict policies on password security so I guess this helps too.

    I'm still left with the niggling issue though of whether user IDs and passwords of A01, A02 etc. are the best answer ... any other set-ups out there?

  5. #4

    Join Date
    Jan 2006
    Location
    Surburbia
    Posts
    2,178
    Thank Post
    74
    Thanked 307 Times in 243 Posts
    Rep Power
    115
    Sprogette's school:

    Nursery and reception accounts: N01, N02,... and R01, R02,... no one cares which kid uses which account and their are no passwords.
    Y1 - Y6: Have format "yyAliceB" where yy is year of entry to school e.g. "07" (reduces account name collisions), no passwords for Y1-Y5, but Y6 have passwords in preparation for Secondary ICT-life.

    Seems to work fine.

  6. Thanks to PiqueABoo from:

    SimpleSi (8th May 2010)

  7. #5

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,373
    Thank Post
    1,501
    Thanked 2,579 Times in 1,795 Posts
    Rep Power
    776
    The primary i work in has year log ons and all the children use them. I have advocated individual passwords for the top two years but noone would do it.
    As for password change - I can't even get the staff to do it, never mind the kids (in both the schools I work in)

  8. #6

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,071
    Thank Post
    1,898
    Thanked 2,377 Times in 1,747 Posts
    Rep Power
    833
    I force password changes on Tuesday of the second week of every main term (September, January and April/May) with the HT's blessing. Everybody hates it and at first staff were openly hostile, but they are used to it now. I remind them that it will happen at the start of term staff meeting and now they just groan.

  9. #7
    chrbb's Avatar
    Join Date
    Oct 2005
    Location
    Midlands
    Posts
    1,509
    Thank Post
    141
    Thanked 67 Times in 62 Posts
    Rep Power
    47
    Class logons here, upper school all use same password, even that causes problems with some pupils! Every pupil has their own folder, within their class folder along with a class shared folder for prepared work to go in.

    The staff don't need to know anything about password policies on server 2003, I've told ours they must have letters and numbers as it's school's policy that staff have complex passwords! It's broad shoulder time with some staff but that's part of our job
    Last edited by chrbb; 8th May 2010 at 12:29 PM.

  10. #8

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,304
    Thank Post
    242
    Thanked 1,589 Times in 1,266 Posts
    Rep Power
    344
    It is a difficult question to answer. As a general rule because Windows Logon is all internal, it's safe to have usernames setup such as the year of entry, first letter of their first name and then their surname, with a standard password. You may wish for Year 5 and 6 to be able to change their passwords, but really that's at the discretion of the school.

    The second problem is e-mail. Some authorities are using incredibly complex usernames as suggested by Becta. Something like AD123JO345@domain-name which for a child is incredibly difficult for them to remember, even with the creation of flash cards they can carry around. How many teachers did Becta consult on this? Probably zero.

    The moral of the story is computer security is important, but make it too difficult and teachers will lose patience and even worse, pupils will lose out. It's important to get the balance right otherwise this creates a huge hindrance to children learning ICT.

  11. #9

    SimpleSi's Avatar
    Join Date
    Jun 2005
    Location
    Lancashire
    Posts
    5,829
    Thank Post
    1,476
    Thanked 595 Times in 446 Posts
    Rep Power
    170
    :cry:

    Just because you can do something (enforcing complex passwords/password rotation/single user logons) doesn't mean you should.

    Why do you want children's work to be secure? (Apart from that you can )
    It's important to get the balance right otherwise this creates a huge hindrance to children learning ICT.
    I'm with him

    I believe the major problem of non-secure logons is the ability of pupils to overwrite/move other pupils folders - I don't believe that their actual work is that important - most of it is just a record and is not re-used (with exceptions like Photostory projects of course) and simple data backups is good enough to secure those if they do get accidently deleted.

    I work in schools to enhance the teaching and learning and try and do whatever it takes to keep lessons rolling - and complex passwords is not a friend to that goal

    The only time I move to complex passwords is when the pupils are given access to a VLE (Moodle in our case) from home AND are using forum's/chat etc as I believe that it then becomes important to use "security" - but more for control purposes than anything else

    regards
    Simon
    PS @3rdknight - every new school I've ever gone into - I've thought - what a mess - and I'm sure every IT person who's taken over one of my old schools has said - what a mess

    Primaries (with rare exceptions - some of whom have posted above) don't engage sufficient resources into IT Management as it simply is not a financial priority
    Last edited by SimpleSi; 8th May 2010 at 08:26 PM.

  12. Thanks to SimpleSi from:

    elsiegee40 (8th May 2010)

  13. #10

    bossman's Avatar
    Join Date
    Nov 2005
    Location
    England
    Posts
    4,017
    Thank Post
    1,253
    Thanked 1,099 Times in 781 Posts
    Rep Power
    337
    Anyone thought of biometrics which most schools use for catering?

    Could use the same DB and with all the computers setup (in a primary school not too many computers) with bio-readers this would prove very effective and efficient for both students and staff would it not. This would also have the added security criteria due to safeguarding and e-safety protocols and would be more cost effective than having the schools security breached.

  14. #11
    mossj's Avatar
    Join Date
    Dec 2008
    Location
    Leicester
    Posts
    1,466
    Thank Post
    157
    Thanked 189 Times in 174 Posts
    Rep Power
    52
    @simplesi at primary theres certainly only that reason but towards the end of compolsory education schools need to start thinking about getting student ready for the world of work.

    Strong passwords is certainly part of that world.

  15. #12
    leco's Avatar
    Join Date
    Nov 2006
    Location
    West Yorkshire
    Posts
    2,026
    Thank Post
    595
    Thanked 125 Times in 119 Posts
    Rep Power
    42
    Quote Originally Posted by bossman View Post
    Anyone thought of biometrics which most schools use for catering?
    OK you have my attention - what exactly is that? I don't think our catering uses it.

  16. #13

    Join Date
    Jan 2006
    Location
    Surburbia
    Posts
    2,178
    Thank Post
    74
    Thanked 307 Times in 243 Posts
    Rep Power
    115
    Must every thread on this forum, including ones with an explicit primary in the title be Secondaryfied?

  17. #14

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,270
    Thank Post
    884
    Thanked 2,747 Times in 2,321 Posts
    Blog Entries
    11
    Rep Power
    785
    Quote Originally Posted by leco View Post
    OK you have my attention - what exactly is that? I don't think our catering uses it.
    Fingerprint readers, I have to say that I have thought about this or about smartcards for logon but the readers are expensive and we don't have such a limited amount of machines. Additionally for the moment you would need to use some form of additional software to log on to the domain with fingerprints without registering every user on every station. These systems do exist but are an extra cost.

    Smartcards don't have this problem and the readers are usually cheaper butthese can be easily lost/stolen/forgotten so it limits their effectivness.

    @3rdknight - we just use standard class logons, each class gets its own password set by the teacher which all the students for that class know. I agree with SimpleSi in that most of the time the work is not critically important and we don't really seem to have issues with users deleting anything, rather the opposite.
    Last edited by SYNACK; 9th May 2010 at 01:49 AM.

  18. #15
    Face-Man's Avatar
    Join Date
    Dec 2005
    Location
    London
    Posts
    577
    Thank Post
    11
    Thanked 58 Times in 40 Posts
    Rep Power
    71
    Quote Originally Posted by bossman View Post
    Anyone thought of biometrics which most schools use for catering?
    I've used biometrics - all be it with a secondary school - it worked well but cost a lot to set up and to maintain the hardware (vandalism and failure rate) - there are some concerns around private information being stored (ie police checking fingerprint) that need to be explained to parents - it is not 100% accurate which can lead to frustration (ie if you can't log in with a password you assume you typed it wrongly and try again if it biometric you blame the system and call the network manager)



SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 16
    Last Post: 30th April 2013, 11:00 AM
  2. Replies: 22
    Last Post: 14th November 2010, 09:19 PM
  3. Replies: 3
    Last Post: 12th May 2010, 01:56 PM
  4. Backup for Primary School
    By contink in forum Hardware
    Replies: 7
    Last Post: 27th January 2009, 11:24 PM
  5. password complexity help
    By timbo343 in forum Windows
    Replies: 18
    Last Post: 18th November 2007, 05:36 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •