Creating, remembering, using and protecting passwords. It’s all part of everyday life but are you and your students managing passwords well?
Poor password management can lead to anything from minor annoyances, like someone changing your blog theme, to life-changing issues, like identity theft.
The divisions between your online and offline world are blurring and many of your most valuable possessions and information are now housed online. So much of what we do online is password protected, from your blog to your email, bank account, social media and more.
The advice around passwords has recently been updated and while there are varying opinions, this post will help you learn about the current best practices.
What do students need to know about passwords?
Password management is part of being an informed and safe digital citizen.
Students need to know:
- what a strong password is
- how to create a strong password
- how to remember passwords
- how to keep passwords safe.
These are skills educators need to model and teach.
Compromised passwords
Two of the main ways you could end up in trouble with a leaked password are:
- Someone you know finds your password (perhaps written down) or you tell it to them.
- Password cracking software, which is increasingly used by hackers, guesses your password.
Here at Edublogs, the first option is almost always the culprit. Students are often tempted to share passwords or leave them visible to others. This is something that could be reduced with education.
The traditional advice is outdated
Most of the websites you visit ask you to create a “complex password” by using a combination of uppercase, lowercase, numbers and symbols.
This advice is based on the work of Bill Burr, who published a guide in 2003 on how to create secure passwords. The guidelines were adopted by many government organisations and corporations around the world.
Bill Burr recently made headlines when he admitted these guidelines are now flawed.
The problem with these complex passwords is they are difficult for people to remember and easy for computers to guess.
The Washington Post reports on the emerging best practices in password management.
Now, a new standard is emerging for passwords, backed by a growing number of businesses and government agencies — to the relief of computer users everywhere. No longer must passwords be changed so often, or include an incomprehensible string of special characters. The new direction is one that champions less complexity in favor of length.
Passwords that once looked like this: W@5hPo5t!, can now be this: mycatlikesreadinggarfieldinthewashingtonpost.
Random numbers and symbols can be strong passwords. The problem is, random passwords which are short enough to remember can probably be guessed by computer software. And longer random passwords are difficult to remember. This means users will be more likely to reuse passwords and/or write them down. Neither of these is a secure practice!
Software is less adept at guessing a long random string of words. This is called a passphrase.
The experts at WordPress.com tell us that a modern approach is now required and there are two choices.
The best option is to use a password manager. The second best option is to use a passphrase. Let’s take a look at both options.
Password managers
Password managers might not be suitable for younger students, but could certainly be tools teachers can adopt.
What is a password manager?
A password manager is software installed on your computer that allows you to have one master password. The software stores and encrypts all your passwords and login information for the various websites you frequent. You can then access those sites by simply entering your master password.
Why is a password manager the best option?
Most people would consider something like this to be a strong password:
<86=9_06aeUn^hnq$#yrBb!ajwZMwkh%kAEAh@367!
It is a lengthy combination of letters, numbers and symbols.
We know it’s important to have a different password for all of your accounts in case one password is compromised (you don’t want hackers to be able to access all of your accounts if they obtain the password for one).
Obviously, it isn’t practical to have a different password like the example above for every site you visit. Unless you have a photographic memory, you’d never be able to remember them all!
With a password manager you can have a unique, long and complex password for all of your favourite sites.
Once your password manager is set up, you only need to remember your master password to gain access to all of your online accounts. Your password manager can also help you generate strong passwords for individual sites.
How to set up a password manager
- When it comes to password managers, there are two choices: free or paid.
- Assuming you want a free option, you can compare some of the key features of the major players in the market on PC Mag.
- One free option that is highly recommended by various sources is called LastPass 4.0. This manager can be used in your browser or on your mobile device.
- If you want to try LastPass, simply go to www.lastpass.com to register, and follow the prompts to install the browser extension.
- Next you will need to choose your master password. You can make this a passphrase following our advice below.
- Once LastPass is set up, you can then add existing passwords and other personal information to your ‘vault’. You can enter your existing passwords manually or just add them as you’re browsing and accessing sites in the future.
- If you want extra protection, managers like LastPass also offer the option of two-factor authentication. This involves adding a second step to your login process such as a code received via an app on your phone.
- The LastPass website offers extensive help guides and tutorials. Remember, LastPass is just one option and we advise you to choose the one that best suits your needs.
- When you have your password manager set up, you need to make sure you dispose of any passwords you have written down in a notebook etc. It’s not worth the risk!
Passphrases
To comply with current best practice and ensure you’re safe online, it is essential that educators are familiar with passphrases and teach their students about them.
What are passphrases?
Passphrases are simply a sequence of words or text strung together. For example:
CrinkleSydneyAsparagusBelonging
Why are passphrases better than traditional passwords?
Passphrases are usually longer than passwords, which makes them harder to guess. They also usually contain whole words (or variations of words), which makes them easier to remember. This means you’re less likely to need to write them down.
Passphrases can have spaces between the words (although many sites won’t allow you to choose a password with spaces). The words in passphrases can make grammatical sense, or they might be nonsensical. Random is usually your best bet for security reasons. Avoid dictionary words for added security.
How to create a passphrase
- Come up with four or more words such as mysterious triangle bingo nurse
- Avoid using personal information or well known quotes or song lyrics (these can be easily guessed).
- Add some uppercase letters, symbols or numbers if you wish, e.g. #MYsteriousTr1angle=Bin.go.nur5e
- Avoid making the passphrase too complex when you add the punctuation and numbers. It’s important that you can still remember it.
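The word-picking step above and the earlier point that software struggles with long random strings of words, as an added example that is not part of the original post: it picks words with a cryptographic random source and measures, in bits, how many equally likely possibilities a guesser faces. The 16-word sample list, the 94-character alphabet and the 7,776-word list size (that of common dice-based word lists) are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed sample list for the demo only. Sixteen words is far too few for
# real use; a real generator loads a published list of thousands of words.
SAMPLE_WORDS = [
    "mysterious", "triangle", "bingo", "nurse", "crinkle", "sydney",
    "asparagus", "belonging", "lantern", "velvet", "harbour", "pickle",
    "orbit", "cactus", "thimble", "gravel",
]

def generate_passphrase(words, count=4, sep=""):
    """Join `count` words, each picked uniformly with the OS CSPRNG."""
    unique = sorted(set(w.lower() for w in words))
    if count < 1 or len(unique) < 2:
        raise ValueError("need at least one pick from two or more distinct words")
    # secrets.choice, not random.choice: the picks must be unpredictable.
    return sep.join(secrets.choice(unique).capitalize() for _ in range(count))

def passphrase_bits(list_size, count):
    """Entropy in bits of `count` independent uniform picks from the list."""
    return count * math.log2(list_size)

def random_password_bits(alphabet_size, length):
    """Entropy in bits of a password of uniformly random characters."""
    return length * math.log2(alphabet_size)

def words_needed(list_size, target_bits):
    """Smallest number of words whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))

if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    # 94 = printable ASCII characters excluding space (assumed alphabet).
    nine_random = random_password_bits(94, 9)
    print(f"9 random characters: {nine_random:.1f} bits")
    for size in (len(SAMPLE_WORDS), 7776):  # 7776 = size of dice-based lists
        for count in (4, 5, 6):
            print(f"{count} words from {size}: {passphrase_bits(size, count):.1f} bits")
        print(f"words from {size} to match 9 random chars:",
              words_needed(size, nine_random))
```

These figures hold only when every word or character is chosen at random. Hand-picked words, or a password built from a known word with letter substitutions, give a guesser far fewer possibilities than the length suggests.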
Application in the classroom
Now you have an understanding of password management, it’s time to consider how this advice could be applied in your class. Here are some ideas:
- Passphrases. Teach your students about creating passphrases. Have them practice creating mock passphrases. Discuss their suitability as a class. Perhaps you might like to come up with some mock passphrases yourself and have students sort them by strength. Tip: LastPass offers an online tool to check the strength of your password.
- Select. When students have an understanding of passphrases, have them change their password on their blog and other sites to a strong passphrase.
- Dos and Don’ts. Display the poster below in your classroom and consider sending a copy home with students. Alternatively, why not have students create their own posters or bookmarks with tips about password management?
- Educate. Good password management is a topic worth spreading the word about. Perhaps students could make videos, slideshows or infographics to display on blogs? There are probably many other teachers, students, parents or community members who would like to learn how to be safer online.
- Privacy. Often the main issue for students when it comes to passwords is that they’re tempted to share them with friends or siblings. Regularly stress the importance of avoiding sharing this information with anyone except parents and teachers.
Dos and Don’ts
Enjoy this free download for your classroom! Perhaps you could print off a few copies for your colleagues?
More advice
This two minute video by Sophos has some good advice that you could share with your classroom community.
Changes are coming
The National Institute of Standards and Technology (NIST) in the USA has recently approved updated guidelines around passwords.
These changes focus on removing:
- periodic password change requirements
- maximum length limitations
- requirements around having uppercase letters, numbers and symbols.
No doubt these guidelines will trickle into password requirements worldwide. Change can be slow, but we are in a position to follow the best practice recommendations as closely as we can in our own lives and classrooms.
Do you have any additional advice about passwords and passphrases?
How do you teach password management in your classroom?
Hi Kathleen,
I think I should draw your attention to the service haveibeenpwned.com. This service allows anyone to check to see if their email account or password has ever been obtained by hackers in one form or another.
Secondly I do worry about the lack of guidance we give students and to be honest adults as well in terms of choice of their usernames. Many students often put in their first and last names on the internet by default because that’s what they are told to do. Their entire lives are starting to be tracked (fairly easily too) and one post when kids are in their early teen years could have a profound effect on the rest of their lives.
Hey there,
Thanks so much for taking the time to comment and add your insights.
I tried out the service you mentioned and I have to say I was shocked to find there were a few incidents with my email address (more for my education one than my private one interestingly!).
Excellent point about usernames too. This issue is probably overlooked sometimes and a lot of the attention is placed on passwords. Thanks for pointing this out. Perhaps this warrants a follow up post on digital footprints!
Thanks again,
Kathleen
Another useful post Kathleen. An interesting alternative in the password manager arena is LessPass (https://dougbelshaw.com/blog/2017/07/06/lastpass-to-lesspass/). What I like about it in regards to students and schools is that there is no data stored. Fine you would have to push out the extension or download the app, but there is no need to sign in.
Hi Aaron,
Thanks very much for the info and link about LessPass. This is great to know and it’s really good for educators to look at different options. It sounds like LessPass is definitely worth checking out!
Thanks,
Kathleen
I use a third approach. I dislike the risk of password managers being hacked, and far too many web sites have yet to implement passphrases. This third approach goes like this:
– All my passwords are a minimum of 12 characters, meaning that they take at least 300 years for current hacking techniques to be effective.
– The first part of the password is related to the service that I use, and I can usually either remember it or work it out from the name of the service. Failing all else, I also have those first parts stored in an unencrypted file.
– The remainder of the password is stored *only* in my head. I use it so often that I am extremely unlikely to forget it, ever.
This also avoids the risk of having a single passphrase for all services, which is itself a weakness that is susceptible to all sorts of attack.
@philhart
Hi Phil,
Thank you so much for taking the time to explain your strategy. I’m sure it’s one that will be useful for many people. When it comes to passwords, we really can’t underestimate the importance of people being able to remember passwords. That detail outweighs many factors so hopefully your ideas help.
Thanks,
Kathleen