Password complexity for primary school
Apologies up front if this is the wrong forum but it seems as good as any!
I am a Governor for my local primary school and, since I work in the IT industry (having done support, engineering and design), for my sins I have ended up acting as some form of pseudo-ICT adviser for the school. My predecessor (who also worked in IT but as a programmer/technical writer), despite best intentions, has left the school with a far from desirable set-up and I am now trying to help sort out the various issues that they are now encountering.
The main issue they have is that their single, curriculum "server" is really a desktop PC with Windows Server 2003 installed on it, acting as a DC. It doesn't have RAID, isn't being backed up (in any meaningful sense that would facilitate a restore) and the whole user account/profile/home drive set-up is a disaster area. Suffice to say, they are now looking to put in a new "proper" server and sort this mess out, which brings me on to the point of this post and my request for help/guidance.
For reasons unknown, when they set up the existing server and domain, they decided to give every pupil (bearing in mind that this is a primary school so we are talking children aged 4 to 11) their own logon. To make things easy (or a nightmare, depending on your point of view), each logon's password is the same as the logon ID itself. The logon IDs are of the form A01, A02, A03 etc. with each year group having a different letter prefix. Supposedly, each child was meant to keep the same ID as they moved up the years/classes, although some children thought they changed letters when they moved up a year so have now started logging on with IDs belonging to children in the year above etc. etc. ... see what I mean about mess?!
Anyway, recently I have been involved in bringing their e-safety policy up to scratch (well, writing it from scratch really) and I started looking at passwords. If it was just staff logging on to the network then I'd be looking for decent password complexity rules, account lockout attempts and forcing password changes every 30 days or so. However, since the children have these simple logon IDs and passwords, we can't do that. There's no way that a 4-year-old child is going to be able to remember a 6-character password containing a lower case character, an upper case character and a number, and change it to something different every 30 days! They have enough trouble remembering their 3-character logon!!
So, what does everyone else do? How do you balance network security (which demands a decent password policy) against having passwords that the younger children can remember? Do most people just have generic class logons that everyone shares? The school is keen that each child has a dedicated "area" (be it a folder, shared drive or whatever) in which they can save their work so how can that be achieved with shared logons without running the risk of children in the same class overwriting each other's work? Plus, I hate generic logons anyway as they represent a security risk and you lose traceability!
Apologies for the long post ... any advice/guidance/previous experience would be greatly appreciated.