2 Password Management

You should know the following terms:

• Acceptable Use
• Access Control List (ACL)
• Azure Active Directory self-service password reset
• Credentials
• Mnemonic device
• National Institute of Standards and Technology (NIST)
• Passphrase
• Password
• Password-manager software
• Personal Identification Number (PIN)
• Privileged access
• Privileged Access Management (PAM) solution

How to Create Strong Passwords/Passphrases

You probably have many different accounts with passwords--maybe dozens of them? You might also have longer passphrases and four-digit PINs (Personal Identification Numbers) you can add to your list. We all have and use passwords, but just how strong are your passwords? How difficult are they for others to figure out? How about cybercriminals with password-cracking software that has no limit of patience for trying an infinite number of combinations? 

Many people are familiar with the popular, yet outdated, password guidance of using eight characters including a mix of upper and lower-case letters, and at least one special character and one number. However, this guidance is no longer suggested. Luckily, there are guidelines on how to create strong passwords and some tips to help you remember them.

The familiar eight-character rules are outdated because of the software that is now available to crack short passwords. Users also often use weak strategies to incorporate numbers and special characters, like starting with an old password and adding an ! at the end or tacking on a number that they increase by 1 each time they are required to change it. The National Institute of Standards and Technology (NIST) no longer recommends mandatory changing of passwords at a routine interval as it encourages these poor password behaviors that result in weak passwords when people know they have to change them soon (NIST, 2022). Instead, they encourage IT departments to compare passwords to lists of known compromised passwords or blacklisted passwords.

NIST has released updated guidelines for creating stronger passwords. Everyone in your school district should be following these guidelines--including you! You should model strategies for creating and maintaining strong passwords. The guidelines refer to two major characteristics of passwords that makes them stronger: 1) their length, and 2) the complexity of characters in sequence. NIST recommends that account holders use the longest password permissible on any given system. And never the same password twice!  

Longer passwords may be referred to as passphrases. Passphrases should be at least 14 characters long, but as noted above, can be much longer, up to 64 characters in some systems. Passphrases also follow the guidance of a mix of character types, some of which may be limited in different environments.

Below is a summary of NIST recommendations for creating strong passphrases in terms of things you should and should not do.

One strategy for creating a stronger password is to use a mnemonic device, such as an acronym that aligns to a phrase you can remember. For example, if you can remember the phrase, “I like to skate on Sundays,” you can start with the first letter of each word: IltsoS. Thats a little short, so you can sound out some words with more letters, like “to” could be “2,” and “skate” could become “sk8.” Your new password is Il2sk8oS, which meets the 8-character minimum. If you wanted a special character, you could replace “2” with the special character on that same key, “@.” Your password is now Il@sk8oS.

In order to generate stronger passphrases with more characters, consider using a combination of strategies. In addition to replacing characters, begin by combining several short words together. Four short words can easily equal 16 or more characters. For example, if you look around your room, you may see the following: desk, cup, pencil, mouse. You can combine those with a mix of cases as DeskCupPencilMouse. To remove any words, you can replace some of the letters with numbers and special characters to end up with De$kCu99enci!Mouzz. That’s an 18-character passphrase that is more secure.

Creating credentials that are easy for young children to use can be difficult. Credentials that use parts of students' names, like first.last@schooldistrict.edu, is a pattern that is easy for hackers or other students to guess. Using student IDs or parts of them, like the first five or last four numbers, as a password is also easy for other students to hack into, especially since student IDs can often be found throughout the school and online, in places like on student name badges, class rosters, and cafeteria logs. Finding a balance between security and what emerging literate students can feasibly understand and remember can be tricky. If possible, have students use the same guidelines for creating a stronger password and consider using a password manager.

You’re going to have plenty of passwords and account information to remember both in and out of your job. Check with others in your Department to see if they recommend password-manager software that can help you keep track of them. Password-manager software relies on your using one, strong, master password to access all of the account information you are responsible for. There are a variety of options, but look for one that can work with multiple devices, like a phone, in case you are in a place you can’t access a laptop. Most should be able to generate secure, lengthy passphrases incorporating random characters. Your Department may want to standardize on one platform in the case you need to share credentials with each other. Some options to review include Bitwarden, LastPass, Keepass, and Roboform.

The Consortium for School Networking (CoSN) provides suggestions for selecting the best password-management tool in their Cybersecurity Toolkit. These include:

• Consider an enterprise solution that allows IT staff to support end users who lose or forget their master password.
• The password manager should be easy to use across multiple devices and easily updates individual credentials.
• The password manager should use strong encryption.
• You may benefit from a password manager that recommends strong passwords to users.
• Because we use so many passwords to access online resources, a password manager that integrates with your approved browsers can be beneficial.
• Confirm that password databases are routinely backed up and can be restored when necessary.

Acting Responsibly

Not all users will have the same level of access to resources on your network. This makes sense. Students should have access to all of the resources they need to learn but should only have access to their own grades and performance records. Likewise, teachers may need access to additional types of resources to support their teaching but shouldn’t need access to financial or HR data. Then there are the people who run the network, who need access to even more information and resources. 

Your network will provide unique levels of access to different types of users based on an Access Control List (ACL). Different user types should be set to the minimum set of rights they need to conduct their work on your network.

While all staff, students, and other users of your network and devices have the responsibility to follow acceptable use guidelines, IT staff must take some extra steps when working, especially if a staff member has an Administrator account. Any time you are logged in as an Administrator, you should take extra care of what you do or which websites you visit and should limit your actions only to those necessary for that account. Administrative tasks are often completed on a designated device that is not used for email and has limited Internet access. If you log in as an Administrator on an unprotected device and inadvertently come across malware in an email, it could have disastrous consequences.

Administrator accounts have privileged access to accounts, processes, and systems on your infrastructure, such as installing software, shutting down systems, loading device drivers, configuring networks, and managing accounts. Your district may invest in a Privileged Access Management (PAM) solution not only to secure Administrator accounts but to change account passwords quickly when necessary. This can avoid the time-intensive task of manually updating numerous systems across your infrastructure, which may also introduce the potential for missing one and introducing a vulnerability.

Note that vendors may be asked to install equipment or applications on your infrastructure, such as switches or routers and applications to monitor them. Many new devices also come with weak administrator passwords. Administrator passwords for all new devices and applications should be changed, as the default passwords may be known by attackers. New devices should also be scanned to ensure their systems and applications are up to date. Follow guidance for creating strong passwords or passphrases, and never reuse them across devices. Multi-factor authorization is recommended to fully protect Administrator accounts.

Changing Credentials

If you are required to help users change their credentials, such as resetting a lost or forgotten password, be sure you understand the operational procedures adopted by your district. The password reset process can be a common source of cyberattacks and without following procedures correctly, you may unknowingly provide access to your infrastructure to a cybercriminal. 

Some districts and many online resources now use an automated password reset process that can require MFA and allow users to access their account immediately. An administrator may have to set this up for some services, like Microsoft or Google cloud-based services, or it may be configured on a mail server, such as Azure Active Directory self-service password reset.  If your district does not support this method, you may find yourself involved in the process when reset requests come in.

A critical step in changing credentials is verifying the person making the request. Multi-factor authorization can come in handy here, especially if your district uses smart cards or hardware for MFA. If not, you need to obtain some type of unique information about the person, such as an employee number, which may or may not be all that secure. Common secret questions like your mother’s maiden name and other information that is easy to find out about a person are poor methods of verification. You can call the user using their assigned district phone number, if they have one. In some districts, you may be required to personally visit a person and obtain identification, but this is obviously a time-consuming approach.

Once you have verified the user, you should know the steps required to securely reset an account, if that falls under your scope of work. One approach is to use a temporary password. If your district uses this approach, it can be strengthened by ensuring you use a unique temporary password each time. Reusing the same temporary password opens up your system to attack. The temporary password should be long, at least 14-16 characters and consist of random characters following guidelines for strong passwords.

Users should be notified of password reset requests, and your notifications should never include any of their credentials, such as their username or any past or current password. If you do have to use email to reset a password, hopefully your system can generate a unique password reset link that the user can use on their own. Verifying the user is critical before using this method. Reset links should be single-use only and should expire after a short time.
 

Here are additional resources you may find useful:

• Choosing and Protecting Passwords, Revised November 18, 2019. Cybersecurity & Infrastructure Security Agency.
• Digital Identity Guidelines: Authentication and Lifecycle Management from the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce
• CIS Password Policy Guide. Center for Internet Security®
• Supplementing Passwords, Released February 23, 2023. Cybersecurity & Infrastructure Security Agency.
• MFA Enhancement Guide. Cybersecurity & Infrastructure Security Agency.
• 2022 Data Breach Investigations Report. Verizon.
• How to detect and prevent a SIM Swap attack by Doug Bonderud for BizTech Magazine
• Tutorial: Enable users to unlock their account or reset passwords using Azure Active Directory self-service password reset. From Microsoft Learn
• Aligning Your Password Policy enforcement with NIST Guidelines on BleepingComputer by Specops, a self-service password reset service provider.

Complete the following task or self-assessment:

Take stock of your own password behaviors:

• Do you reuse passwords?
• Do you create strong passwords for every account you have?
• Do you have strong passphrases that are unique to every device and service you use?

Take time to clean up your own passwords and follow some of the guidance offered here.

Learn about your district's password management practices:

• Does your department recommend password-management software? If so, do you know how to use it correctly? If not, explore password-management software, whether presented here or suggested by a trusted colleague. Investigate the pros and cons and make a case to your supervisors whether it should, and if so, which software you recommend
• Know the standard operating procedures you must follow for keeping user credentials secure and, if necessary, changing them. Know the steps you must take to verify a user and how you can securely share their information before changing any aspect of their credentials.