Considering the Strength of Student Passwords

I had an interesting conundrum this week in which a website that I brought my students into had a temporary bug in the security feature that did not compromise the accounts, but it did invalidate a series of security questions that would allow my students to access their passwords if they should forget them or if they were to get lost. Unfortunately, unlike most educational sites these days, this particular one does not have a master list of student usernames and passwords available.

So, the day after I realized the bug (which was fixed), I gave each student a piece of paper and had them write down their username and password for me so that I could make a master list. I had to explain that no one would have access to the list (a few looked nervous, which is good) and that it would only be if they forgot their password or username.

This weekend, I created my list and began to notice some trends around passwords that I never really paid attention to before. And given that I am developing a digital citizenship unit for January, I see now that “Password Education” is going to be part of those lesson planning. While some students did a nice job of mixing up letters and numbers in a way that would be difficult to be hacked, I noticed some other things:

  • One student, out loud in class, announced that he uses the same password for every site. And then he began to list out the sites that he uses: Facebook, YouTube, etc. Another student, one of his friends, announced that was true and that he knew the password. Not a good idea, I told both of them. I suggested he change his common password, and vary it for various sites.
  • One of the usernames in our site appears to be the phone number of the student. Yikes! The site is closed to the public, but still … I found that very odd.
  • A few usernames were their real first and last names. Again, the site is closed. But I specifically said they should come up with a username that is invented. Maybe I did not stress that clear enough.
  • In a few cases, the password was exactly the same as the username. That doesn’t do much good, does it?
  • One student wrote her username and password in sharpie marker on the front cover of her binder. I noticed it when they were filling out my sheet. Not too secure, I told her. She covered it up with a book, as if that would solve the matter.
  • One password was clearly the home address of the student.
  • A couple of the passwords were only three letters. That’s not as bad as some of the above, but the more characters, the harder it is to hack.

Of course, these are sixth graders and their main goal is to be able to remember their usernames and passwords, so they go the easiest route possible. My job is to teach them and remind them how to keep their data safe, and their accounts secure, and along with a conversation this week about it, it will become part of my upcoming digital educational unit, too.

Here are two resources that are handy when talking about passwords.

First, check out this infographic. It’s a good talking point.

Second, check out this site – Password Bird – which creates passwords based on some basic questions, and mixing up the words. I am going to come up with sort of activity that forces them to invent a few possible passwords. Another site — Strong Password Generator — is good, but the passwords that come out of the engine would be difficult for my students to remember, I think, even with the memory hints.

But I like this information from the Strong Password Generator site:

A strong password:
has at least 15 characters;
has uppercase letters;
has lowercase letters;
has numbers;
has symbols, such as ` ! " ? $ ? % ^ & * ( ) _ - + = { [ } ] : ; @ ' ~ # | \ < , > . ? /
is not like your previous passwords;
is not your name;
is not your login;
is not your friend’s name;
is not your family member’s name;
is not a dictionary word;
is not a common name.

What it comes down to is an understanding of WHY we have passwords in the first place. This year, I notice, there is less of an awareness of security of online sites with my students. I’m not sure why that is. Without stirring up too much fear and anxiety, though, I want to inform them of ways they can protect their data, and also (when it comes to social networking sites) their reputations.

Peace (in the password),
Kevin

 

 

2 Comments
  1. I’m currently teaching an online tools class to some middle school aged students. This is so helpful. We’ve done some work, but your information expands what I’ve found. It’s important! Thanks for all the details!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>