Teachers & Admins: Protect Student Data with Strong Passwords

As a system administrator, or even as a classroom teacher, you probably have several cloud app accounts that hold students’ names, grades, assignments, and communications. How many of these accounts do you protect with a strong password?  How many of your passwords give you control over the systems your students depend on for their education? It’s time to secure these systems with strong security practices, for students’ sake.

Yeah yeah, I know…

You’ve probably seen the articles telling you not to use the most common insecure passwords, or that you should use a password manager so you can use strong passwords that even you can’t remember. Maybe you’ve even heard people tell you it’s time to start using two-factor authentication to protect your most sensitive data.

They’re right. You should, and still many of us don’t. Everyone makes a personal choice about how much energy they’re willing to put into securing their digital lives, but if you have access to sensitive student data, you have an added responsibility to get into strong security habits for their sake.

Password Managers

I’ve been using LastPass for 7 years now — just about as long as I’ve been an LMS system administrator. My job gives me top-level access to students’ academic records, as well as the power to massively mess up several systems that my colleagues and students depend upon. This is a lot of power in an organization, and with great power comes great responsibility.

with great power comes great responsibility

Even something as simple as your Google Suite for Ed. account or other school email service could wreak havoc for your students and colleagues if it got into the wrong hands.

Using a password manager is a minor inconvenience that makes a major difference in the level of security I’m able to provide for my users. It enables me to use highly secure passwords on campus systems where I have access to student records, or where I have admin access.

Its “Security Challenge” feature will automatically go through your stored passwords looking for old, outdated, repeated, or compromised passwords — yes, they maintain a database of password hacks and can tell you if your Yahoo account password needs to be changed (hint: IT DOES).

You can use LastPass for free on either desktop or mobile, and it’s $12/year if you want to be able to switch back and forth between desktop and mobile. This means that even if you only use a desktop at work, you could protect all your work systems for free. I pay $1 per month — a small price to pay for excellent security with minimum hassle.

LastPass isn’t the only choice — competitor Dashlane also gets favorable reviews, 1Password is especially great if you mostly use Apple devices, and open-source DIY solution KeePass is a great free option for people who’d rather keep their data completely under their own control.

Two-factor authentication

Another security precaution you should consider is using two-factor authentication. This is an added layer of security to protect your most sensitive accounts because it depends on something you know (your password) and something you have (your smartphone). A surprising number of sites use two-factor authentication, including household names like Google, Twitter, Facebook, WordPress, Outlook.com, Yahoo, LastPass, Evernote, and many more.

The way it works is that, when you are about to login to a sensitive site, they text an additional login code to your phone to make sure it’s you. This way, even if your password has been compromised, it’s an added layer of security.

Again, this is a minor inconvenience that adds major security to your most sensitive accounts, making it much harder for a would-be attacker to compromise your password with a brute-force attack. I secure my LastPass password manager with two-factor, adding another level of security onto my passwords.

Just do it

In the end, adopting a password manager is one single thing you can do to drastically increase your own security and the security of the students whose data you access. It makes many online tasks easier (remembering passwords, filling forms, changing passwords, securing sites) and a couple slightly harder (logging in takes an extra step), but overall, it’s worth doing, if not for your own sake, then for the sake of your students.

Liked this post? Follow this blog to get more. 

2 Comments

  1. Great point, Tom. Here at TedCurran.net, people can login with their WordPress.com accounts via the Jetpack plugin, though I know that’s not as common as Google, Facebook, Twitter, etc. It looks like something like (WP-OAuth)[https://wordpress.org/plugins/wp-oauth/] would make it easy for WordPress admins to add those common logins to their site. Of course, that makes it doubly important to secure those accounts with a strong password and 2FA!

  2. Tom Arild Jakobsen

    Hi, I’m a software developer (and site admin) working with h5p, and I would like to throw in a tip for other admins.

    Enable “OAuth2” or “OpenID Connect” on your site, to allow users to log in with Google, Facebook, Steam or Github, or some other popular account that most people already have.

    That way you, as the site owner, is not responsible for keeping hashed passwords that can be stolen by hackers. And the large actors out there (like Google) have way better security then small fish like us can provide.

    And you “normal users” reading this, should reuse your existing accounts (with strong passwords), instead of creating new ones all over the place. 🙂

    Tom

Comments