Cyber Security in the Classroom
Originally published in TEACH Magazine, March/April 2019 Issue
By Adam Stone
Before Emilie Ritchen Elementary School in Oxnard, California adopted one-to-one digital devices, it was chaos. Multiple apps on multiple machines meant kids were always forgetting their passwords.
“You never knew if it was their birthday, their student number, or something a teacher created. It was a nightmare. The kids would literally sit there and do nothing because you couldn’t get around to all 30 students to get them logged in. We would give them their passwords on a piece of paper, but who knew where that would end up?” says one of the kindergarten teachers, Katherine Leppaluoto.
Password management can be a daunting classroom challenge for K-12 educators. Here we’ll look at some of the common issues that arise when it comes to getting kids logged in, and then take a deep dive into some of the more effective solutions for organizing and managing classroom sign-on plans.
When it comes to password management, kids and adults contribute equally to the problem.
“Children are far more trusting with their mobile devices and tend to share them along with their passwords to friends, without clearly understanding the risks they potentially expose themselves to,” explains Joseph Carson, chief security scientist at Thycotic, a Washington DC-based provider of access management solutions.
Teachers meanwhile may follow less-than-optimal practices themselves, such as writing down passwords or reusing passwords across multiple applications. “While they have more respect for both privacy and security, they tend to not be great role models for children when it comes to cybersecurity,” Carson continues.
For many teachers, it is sheer forgetfulness that muddles the daily log-in effort. At Linden School No. 1 in New Jersey, technology teacher Kimberly Bachmann sees it all the time. Students are supposed to use their ID and Microsoft email to log in (firstname.lastname@example.org), but for many, that’s just too much to deal.
“It’s long, they forget the @ symbol, they forget the dot or the spaces. Then it takes them 20 minutes to enter their passwords,” she explains. “They forget their passwords because they are case sensitive, so you constantly have to remind them. It can be two or three kids each time where you have to go and look up their passwords, and that takes away from instruction time.”
Bachmann works hard to sort this out at the start of the year, but by January new problems arise. “When new students come in the middle of the year, you have to get them an ID number, you have to wait for them to be assigned a Mac, and then you have to train them on the sign-in. You can’t just hand them a computer and assume they know what to do. It’s like September all over again,” she says.
When passwords are hard to manage, cybersecurity breaks down, and criminals come looking to see how they can benefit. “Researchers found that the education sector saw the largest year-over-year increase in email fraud attacks of any industry in 2018, soaring 192 percent to 40 attacks per organization on average,” explains Chris Dawson, threat intelligence lead for security firm Proofpoint.
Fortunately, there are a number of steps that educators and administrators can take to make password management easier for students and less burdensome for teachers, that ultimately will enhance the cyber posture of education across the boards.
Here we’ll take a look at a variety of strategies as suggested by educators and cybersecurity experts.
For Leppaluoto, the school district’s adoption of a one-to-one device policy has helped to tame the problem of password sprawl. “We’ve really streamlined it,” she says. “Prior to that we had two computer labs with about 40 computers in each lab and then in the classrooms we had three to six desktops. With one-to-one, the user name is their first name and the first letter of their last name, followed by a number depending on how many Jonathan Smiths we have in the district. The password is their birthday with the first three letters of the month and a two-digit day and a four-digit year.”
That stays constant and is therefore more easily remembered. “It’s good for all of their school district mandated apps, of which there are four to eight depending on the grade level. A lot of the teachers may also bring in their own apps and they will also use the default user name and password,” she explains. “It follows them for every year they are in the district, from kindergarten right on through.”
At Roosevelt Charter Academy in Colorado Springs, Colorado, LynDel Randash runs the computer lab and teaches K-5 reading. She strives to keep the password situation under control by giving kids an early introduction to computer hygiene and then drilling them until log-in becomes automatic.
“When school first starts, we focus on rules and procedures, and then we practice logging in and out repeatedly. By the middle of the year 90 percent off second-graders can log in without a problem,” she says.
To keep the drill from becoming tedious, Randash introduces an element of play. “We make it a game: The first group to get 100 percent login will get five minutes of game time at the end of the class. Then I just look at my computer, which has all of their screens on it. It shows me who gets there first and also who needs help: Okay, #41 isn’t logged in, who is that? And their partner will lean in and help them with whatever they need,” she explains.
Tame the Sharing
Good password management isn’t just about streamlining the sign-in process. It’s also about ensuring that kids resist that too-common temptation to share their online credentials with friends. One simple trick: Create a financial incentive for kids to keep mum, says Matt Vawter, a language arts teacher at Jennings County Middle School in Indiana.
“The students have a basic password to get logged in, which is related to their grade level—and their lunch code,” he explains. “Students are pretty good about not sharing their password with others because they know that if someone has their password, they essentially have access to their lunch account.”
Keep it Simple
For years the tech gurus encouraged us to make passwords fabulously complex—eight characters, upper and lower case, a number and a special character. For teachers, especially those who work with younger kids, that’s a formula for classroom chaos. “If they are very young and if they haven’t had much exposure to a computer, that is just a lot for them to remember,” LynDel Randash says.
She urges her kids to simplify their passwords. This means not just keeping them shorter, but also working within a format that will be easier to access when it comes time to log in. “I tell them: make the password something they can remember—something that has meaning to them, rather than just random numbers and letters. Then all it takes is a hint and they can usually get it again,” she explains. Think pet’s name or favourite food, for example.
At Jamf, a provider of Apple management solutions, Education Evangelist Sam Weiss is a big fan of Apple School Manager, a simple, web-based portal that can be used to deploy iPads and Macs in schools. “Every student can log in to an iPad with their own individual username and password, and all of their content follows as well,” he explains. “Students no longer need to remember which iPad is theirs. Simply grab any available device, sign in with your unique user name, and you’ll feel right at home.”
Password managers like LastPass perform a similar function. A user can enter a master identity and the manager will keep track of—and automatically populate—user names and passwords across a range of applications. Managers like this offer a handy fix in environments where students are required to manage multiple passwords across diverse devices and applications.
“A password management application will enable you to create unique, high-strength, randomly generated passwords for every website and application you use,” says Craig Lurey, CTO & Co-Founder of Keeper Security. “You don’t have to remember each individual password—just one master password.”
…But Not All Password Managers
While tools like LastPass are not bound to a single device, other password managers can be more limiting. Web browsers for instance will frequently offer to store a user’s credentials. This may seem convenient, but on shared machines it becomes problematic.
“When Chrome offers to save the password, I always tell the kids to say no,” Randash says. “I have six computer classes going through here every day, that’s like 300 kids, and you never want your password saved on something that someone else is going to use.”
Remember the Big Picture
When it comes to password management, convenient login is important, but that’s not the end game. In the big picture, a robust password management program is part of the larger effort to educate good cyber citizens.
“We spend five weeks on it at the beginning of school, talking about internet safety, safe places to visit on the internet. As part of that we talk about passwords and privacy,” Kimberly Bachmann says. “We want to teach them that changing your password is part of good digital citizenship, it’s how you keep your information protected. We want them to have these good habits when they start using the internet to buy things. That means we can’t just talk about it. We have to show them. We have to take them through the process.”
A seasoned journalist with 20+ years’ experience, Adam Stone covers education, technology, government and the military, along with diverse other topics.