Proper Processes for Password Protocol

password on sticky notes in screen security log-in management software

This month, Nigel Milligan is making a plea to school business professionals to ditch the Post-it note reminders and find a better, more secure way to remember passwords

If I had a pound for every time I asked, “Can you remember what my password is?” I would be a millionaire by now. As we move into the start of a new school year, I thought it would be a good idea to remind you all of the importance of good password management.

For many years the passwords for many people or systems have never changed. It’s a frightening fact that many default passwords on Internet routers, switches and photocopiers are never changed. This creates a serious security risk and should be avoided at all costs. I still remember one of the first schools I worked in, the business manager had a little blue book in her desk drawer with every password for all systems and even staff users who couldn’t remember their own passwords. It even had the lovely ‘passwords’ title written on the front! When I got involved the first thing I advised them to do was to at least lock this book in the school safe until a more efficient method was developed.

There are so many creative ways to manage passwords, ranging from secure password manager apps to keeping them recorded in a secure location that has limited access.

As part of school cyber security plans, there should be a robust password policy in place which is applicable to all systems used in school. The absolute minimum character count for passwords should be 8 – ideally 12-15 characters. The passwords should consist of a combination of lowercase and uppercase letters along with numbers and a special character such as @, * or ! symbols. I have found a popular pattern is to use a combination of numbers mixed with up to 3 random words.

In most systems, the admins can set passwords to expire at certain periods of time, so users have to choose a new one. It would be advisable to change your password at least once per year, although in schools this can be set to be a termly exercise.

Back to the question I keep being asked, “Can you remember my password?”

The simple answer is “Sorry I don’t as you chose your own last time it was reset”. When we receive a password reset request, we always produce a one-time use temporary password that asks the user to choose their own password when they login with it.  As part of your ongoing IT support and staff training the methods for managing passwords can and should be covered.

I nearly forgot to mention the other massive problem that is still often seen… passwords written on a Post-it note stuck to a screen or desktop! Again, this must be addressed with staff training and whenever this is seen they should be removed and reported so this can be monitored.

It is possible to store login details in your web browser. This practice is common and in most cases is a safe way to manage passwords if the device itself is secured with a strong password and isn’t left logged in when unattended. Devices can be set so they automatically lock after a period of inactivity but it’s best practice to get into the habit of locking the device when you’re leaving the room. The simple methods to do this are as follows:

Windows PC’s – Windows Key + L

Apple Mac – Control-Command + Q

Chromebooks – Search + L or Launcher + L

Tablets such as iPad should lock when you close the cover or quickly press the power button.

The positive side of browser password managers is that they sync into the cloud and make life much simpler when you login on another device so everything syncs across for you. Even with this in place, it’s still wise to remember the main password for the system that is being used. (Google or MS365).

There are a variety of password managers to choose from, here is a summary of some of the most popular ones:

  • 1Password
  • Dashlane
  • NordPass

If you use an iPad or iPhone, it’s now possible to create secure notes that you can store account details in which are protected with a password you set and are unlocked with your TouchID or FaceID.

How ever you choose to manage passwords is entirely up to you but please remember that the security of your devices and web accounts is ultimately your own responsibility. Please take full advantage of all support that is available to you, remember we’re all in this together and can ensure we all stay safe from any potential threats that are unfortunately out there.

Let’s wave goodbye to those old password notebooks and take charge of your passwords.

 

Don’t forget to follow us on Twitter like us on Facebook or connect with us on LinkedIn!

Be the first to comment

Leave a Reply