Tuesday, October 27, 2015

On Passwords

Do you know your Apple ID and password for your school Apple account?


Come on. Be honest. How about logging into Pearson Success Net (Reading Street) on the first, second, or third attempt? Could you? Setting up classes in Mathletics (Every Day Math) requires its own sign in. Do you know yours? What happens when you get locked out of an important classroom resource, or cannot apply a critical update? To whom do you turn? How long does it take? What opportunities are delayed or lost? I ask because in my travels throughout the district, I see password and account overload taking a growing chunk out of your valuable time. Your frustration is compounded by the fact that some of the tools you use - especially your Apple ID - are external to EWG, leaving EWG's IT or other support staff unable to assist you. Other tools are managed by people within EWG, but finding the right contact can be a frustrating slog through "That's not my department" email threads. While you are locked out, you or your students are waiting. It has never been more important to fine tune your password acumen. What follows are some suggestions on where to start.

Biometrics can be strong password solutions with fingerprint and facial recognition leading the consumer options, but they are not viable options for students awaiting your assessment activation. And, biometrics probably won't be available on school resources for a while, as much ed based tech still suffers a lagging adoption process.

Some people use the same password for everything. Doing so is total madness. Seriously. Don't use the same password for every site. Consider variants of a common password. More on this thought later.

Some have a master password list in a document or in a physical notepad. As long as your resource is readily accessible, such a strategy can make sure you and your students can access Mathletics or some other resource when the laptop cart is in your room. However, the same convenience of accessibility raises a proportional risk of accessibility by the bad guys and gals of the digital underworld. Still, a master password list for your school resources might be an acceptable risk if you squirrel it away well. A school password list in the hands of a mischievous student would make for a bad week, but its financial reward to a hacker is negligible.

A few colleagues are beginning to use password managers, like Padlock, LastPass, Passwords, and others. Password managers range from free, minimalist approaches to subscription models with lots of powerful options. Password managers work, and can make your life easier. But, I have a problem with password managers. Using a password manager to secure and open all of your online IDs still leaves you vulnerable. If your password manager is hacked, so too is the entire digital realm 'protected' by the same. Don't think that password managers cannot be broken. Remember Target, Home Depot, OPM, DOD, and ...

It is easy to suggest that you simply use a different password for every single digital sign on you might have. The reality is, it is much tougher to remember and use 50 plus unique, strong passwords. But there are a few suggestions I can offer here to help you make strong, unique passwords that are reasonably easy to remember.

I like the kid (and adult) friendly password generator dinopass.com. Much like the AOL passwords of the nineties, dinopass suggests easy to remember passwords. Try it. Thumb through dinopass' rolodex of silly, memorable passwords. Latch onto one that you might use as a 'master' password. Add at least one space in the password. In a password sandwich maneuver, modify the password slightly from site to site. Consider adding a site-specific suffix (apl for Apple, Irdy for i-Ready) to your 'master' password to help protect the integrity of all your passwords as you traverse from site to site. You might have a password scheme that looks like this for various digital identities:

  • ja2zy Skunk35Apl
  • ja2zy Skunk35Aspn
  • ja2zy Skunk35IRDY

I like this approach and have seen it work well for people who have taken a brief time to implement it. They rarely forget a password and seldom need a site's password recovery options.

Many systems require a mix of upper and lower case letters, as well as numbers and a sprinkling of special characters. That's too bad, because such requirements just add unnecessary complexity. Does it really matter how many $p3c!al characters you use in a password? Nope. Password length trumps complexity. Consider the difference in the time it takes to brute-force the password "iown2dogs" versus "i own 2 dogs". The second version is considered to be 'safe' for centuries. The linked article is a fascinating read.
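To put numbers on the length-versus-complexity comparison above, here is an added example (not from the original post or the linked article) that sizes the exhaustive search space for both passwords. The guess rate is an assumed figure, and the model counts brute force only; it does not model wordlist guessing of common words.

```python
import string

# Assumed attacker speed (guesses per second); a constructed figure for
# illustration, not a number taken from the post or its linked article.
GUESSES_PER_SECOND = 1_000_000_000

# Character classes an exhaustive search has to cover once a password uses them.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",  # 32 punctuation marks plus the space
}


def pool_size(password):
    """Size of the alphabet implied by the character classes in use."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def search_space(password):
    """Number of candidates of this length over the implied alphabet."""
    return pool_size(password) ** len(password)


def worst_case_years(password, rate=GUESSES_PER_SECOND):
    """Years needed to try every candidate at the assumed guess rate."""
    return search_space(password) / rate / (365 * 24 * 3600)


def report(password):
    """One-line summary of the estimate for a password."""
    return (f"{password!r}: length {len(password)}, pool {pool_size(password)}, "
            f"{search_space(password):.2e} candidates, "
            f"{worst_case_years(password):.2e} years worst case")


if __name__ == "__main__":
    for pw in ("iown2dogs", "i own 2 dogs"):
        print(report(pw))
```

Under these assumptions the nine-character version is exhausted in roughly a day, while the twelve-character version with spaces takes hundreds of thousands of years.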

If password travails are wrecking your school day, or if you would like to work toward some sanity for your school based password system, let me know. I would be happy to work with you. Better still, if you have a solid password strategy that works well, share it with us.

1 comment:

  1. Thanks for this article, Art. I agree with you on the use of password manager sites. I've never seen the sense in it. I love the "L337 |-|@¢|x3r" approach. The problem is that, with mobile-device keyboards, it's harder to get at those "special characters" that many sites demand. I long for the day they go to biometric passwords. I love my fingerprint password for my phone.
