155

I have a user account for each of my children in our district website, which oversees registration, grades, identification, etc.

I was recently sent home a form from both of my children's classrooms asking us to login to our accounts so we could sign a new school year form. Printed on this piece of paper was both the username and the password for our accounts.

The security practice of sending home printed passwords is immediately discouraging, but my larger concern is how my password is stored in the district system (and ultimately, what would happen if that system were compromised).

I want to contact the webmaster, but I want to make sure I'm correct in any assumptions I make prior to shooting off my email asking that action be taken to avoid this kind of thing. I saw a related question, and want to make sure I don't jump the gun on harassing them over their storage policies.

--

Since it's been asked several times, this is a password that I set on the account, not an auto-generated password. Also, this is an account that parents control; it contains sensitive identifying information of your child. It's not intended as a student portal or anything like that.

--

Update 1:

I got a call from the district webmaster today, wanting to discuss my email in more detail. I explained my concerns were two-fold: (a) the transmission of our password on a printed piece of paper, and (b) the ability to retrieve that password in the first place.

I was informed that the system is a legacy system, and as such has no capability of allowing a "forgot my password" feature. While the policy, they agreed, is incorrect, the alternative is to have every parent who doesn't remember their password come into the school with an ID to retrieve their password. (I was also informed that since we're in a 60% poverty district, assuming all parents have an email address for password management isn't an option). While this is an incredible inconvenience, I explained the inconvenience of likewise having someone access my accounts because they had access to my password.

I was also informed that the system is being replaced next year, which will come with more modern security features (though, I'm unsure of the storage policies on the future system).

The lady was very polite, and offered to put me in contact with their director of IT to discuss my concerns around password storage policies, which I accepted. She also offered to BCC me on an email to our school principal, requesting that future communications be issued in a sealed format.

Finally, I was slightly (and correctly) scolded for reusing my password in the first place.

  • 1
    Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop
    Commented Aug 26, 2018 at 14:22
  • 18
    Wow! That's about as good a response as you can hope for! I'm impressed! Commented Aug 28, 2018 at 18:50

3 Answers

256

Yup! If they are able to retrieve the password from the database, then they are clearly not following password storage best-practices. OWASP provides a good guide for how to do it properly:


Here's some ammunition you could use in that letter:

  • You want me (the legal guardian of my child) to sign a form.
  • You are using the action of logging into a website and clicking a button as a form of legal signature.
  • How do you know it was actually me that logged in and clicked the button?
  • How many people had access to the sheet with the username and password on its way to me? How can you prove that it was actually me that logged in and clicked the button?
  • Clearly the password is stored in the database in such a way that it can be retrieved by school board staff. How can you prove that it was actually me that logged in and clicked the button?
  • Were something to go wrong, I highly doubt that "signature" would hold up in court, meaning the form will not hold up in court. This seems like a liability issue for the school board and/or for me (depending on what's in the form).
  • Can I get a statement from the school board's legal team that this is ok?
  • 97
    The list of points is incredibly helpful, and provides a clear logical path leading to the conclusion that this just isn't ok.
    – MrDuk
    Commented Aug 24, 2018 at 15:36
  • 8
    A plain-text password should exist in exactly one place outside the user's control: in the process that receives the encrypted version and generates the salted hash for comparison or storage. If the password itself is stored, encrypted or not, secured or not, in any form, anywhere, it is at risk from some form of attack. That includes on the user's system, but it's their risk, to their data, and they can choose to take risks as they see fit, while the website doesn't have that right.
    – user135823
    Commented Aug 24, 2018 at 19:11
  • 7
    @MontyHarder I'm specifically trying to stay away from attacking their IT practices because IT people are very good at making word-salad out of {firewall, encryption, admin-only, trusted-employee, etc} and believing their solution is good enough. That's why I presented a strictly lawyer-centric argument that the way they've built the system does not achieve the basic functionality of collecting a legally-binding signature. Commented Aug 27, 2018 at 18:48
  • 5
    Something something FERPA Commented Aug 27, 2018 at 20:47
  • 3
    @AlexanderKosubek the world has a long history of accepting paper signatures as ... signatures, and a whole forensics industry around determining if a signature is fake. I don't think that's the same difference ... Commented Aug 28, 2018 at 10:42
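The accepted answer points at the OWASP password storage guidance, and the comment above spells out where a plaintext password may legitimately exist. The following is an added example (not code from the question, the answers, or the district's system) showing what "cannot be retrieved" looks like in practice: a salted, iterated PBKDF2-HMAC-SHA256 record that contains no password, constant-time verification, and a "forgot my password" flow built on a single-use, expiring reset token rather than on reading the password back. The account store, usernames and the 600,000 iteration figure are assumptions for illustration; confirm the work factor against the OWASP cheat sheet in force when you deploy.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 in line with current OWASP guidance
# (assumption: confirm the figure in the cheat sheet in force when you deploy).
PBKDF2_ITERATIONS = 600_000
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Produce a self-describing record: algorithm, work factor, salt, derived key.

    The password is an input to the derivation, never part of the record, so
    nobody with read access to the table can print it on a form."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and work factor; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Record verified against when the username is unknown, so a login attempt
# costs the same time whether or not the account exists.
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


class ParentAccountStore:
    """Toy in-memory account table (constructed for this example)."""

    def __init__(self) -> None:
        self.records: Dict[str, str] = {}                     # username -> record
        self.reset_tokens: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (username, expiry)

    def create(self, username: str, password: str) -> None:
        self.records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        ok = verify_password(password, record if record is not None else _DUMMY_RECORD)
        return ok and record is not None

    def issue_reset_token(self, username: str, now: Optional[float] = None) -> str:
        """'Forgot my password' without retrieval: mint a random single-use token,
        keep only its hash, and hand the token to whatever delivery channel the
        district can verify (sealed letter, ID check at the office, email)."""
        if username not in self.records:
            raise KeyError(username)
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode("ascii")).hexdigest()
        self.reset_tokens[digest] = (username, now + RESET_TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, token: str, new_password: str,
                           now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self.reset_tokens.pop(digest, None)  # consumed on any attempt
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        self.records[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = ParentAccountStore()
    store.create("parent.smith", "correct horse battery staple")  # constructed sample
    print(store.records["parent.smith"])  # algorithm$iterations$salt$key, no password
    token = store.issue_reset_token("parent.smith")
    print("reset ok:", store.redeem_reset_token(token, "new passphrase"))
    print("old password still works:", store.login("parent.smith", "correct horse battery staple"))
```

The reset path is the part that answers the district's "legacy system can't do forgot-my-password" objection: the token is what gets delivered on paper or read out after an ID check, it is useless after fifteen minutes or one use, and the staff member who prints it never learns the parent's chosen password.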
23

NOTE: since the question was updated to specify that the password in question isn't used by the student, and was not a random initial password, the rest of this answer doesn't really apply. I concur with the other answers that parent passwords should be stored with standard salted-iterated-hash techniques. The obstacles that the school district will face in implementing this plan are much less than the equivalent for student passwords.

Speaking from experience inside K-12 information technology, I can tell you the situation is probably worse than you imagine.

Before you start to push for change, be aware that you are fighting a giant system, not a single school or district. There are some bright spots, it's basically a realm where standard security wisdom doesn't apply. Half the vendors haven't heard of any modern password storage options, or federated authentication. A lot of the students are too young to handle a password with any serious amount of entropy.

And most important of all, schools are nosier than any tin-pot dictatorship. Administrators want the ability to get into student accounts any time they think something might be wrong. The only way to do that, across all the services with their various outdated authentication schemes, is to know the password.

If you find yourself making your complaint to someone who's actually required to answer your questions, let me suggest a few:

  1. How many school employees have access to view student passwords?
  2. Is there any record showing how often a student's password has been viewed, and by which staff members?
  3. Is there any record of which staff members have used student passwords to log in to which student accounts, and which services they accessed?
  4. How many different databases within the school district contain copies of the (unencrypted, unhashed) student passwords?
  5. Are student passwords ever changed proactively (either after an expiration time or by the student on their own initiative) or do they remain the same forever, in the absence of a reported breach?
  6. Has there been a penetration test... on anything... ever?
  7. How many third parties (e.g. online textbook publishers) have been given a complete list of student passwords and/or full remote access to a database containing them?
  8. When considering the purchase of a new product or service that will involve student logins, are information security practices ever a factor in the decision?

Don't expect good answers. Expect bad answers, and plan your next move ahead of time.

And don't expect to surprise them with HIPAA and FERPA. They've heard of those, and their lawyer has probably already told them everything they're doing is fine.

  • 21
    9. Do student records contain any health-related info? HIPAA violations can be very expensive.
    – WGroleau
    Commented Aug 25, 2018 at 3:11
  • 9
    "How many school employees have access to view student passwords?" Just an anecdote to highlight how important this first point is, I happen to know an older gentleman who, up until just a couple years ago, used his SSN as his password on just about everything. He had no idea that passwords can ever be cracked, so his reasoning was just use something he's already keeping a secret anyways. This or any other sensitive information might be in the password field, and if someone sees a plain text 9 digit number for a password... well you can imagine how awful this can be for unsuspecting parents.
    – Davy M
    Commented Aug 26, 2018 at 3:07
  • 3
    @DavyM That's exactly why storing passwords should be an offense punishable by kicking to the end of the perpetrators life - because some website run by incompetents will be publishing this gentleman's passwords.
    – gnasher729
    Commented Aug 27, 2018 at 13:37
  • 7
    There is no reason why staff members should use student passwords to log into student accounts. None. A properly-designed system can allow privileged ("Administrator" or "root") accounts to temporarily assume another account's identity with no need to know that account's password to do so, and log the fact that it happened, so no identity theft is thereby accomplished. If the system in question is not so-designed, then it's further evidence that the architects and administrators are Doing It Wrong™. Commented Aug 27, 2018 at 18:43
  • 1
    If the system in question is not so-designed - I see you haven't worked in K12. Sometimes I think 'Doing it Wrong' is our slogan. But seriously, K12 funding usually sucks and there is lots and lots of software that sucks from a security stand point.
    – Zoredache
    Commented Aug 27, 2018 at 19:51
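Questions 2 and 3 in the answer above, and the comment about privileged accounts assuming another identity with a log entry instead of a shared password, describe one design. The following is an added example (not code from the answer, the commenter, or any district system) of that design: a support administrator can open a session on a parent's account without knowing the parent's password, every grant, denial and record view is written to an audit log under the administrator's real name, and the log can be queried to answer "which staff acted on this account". Account names, the `support_admin` role and the record placeholder are constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Session:
    actor: str        # who actually authenticated
    subject: str      # whose account this session acts on
    issued_at: float

    @property
    def is_impersonation(self) -> bool:
        return self.actor != self.subject


@dataclass(frozen=True)
class AuditEvent:
    at: float
    actor: str
    action: str
    subject: str
    detail: str


class Directory:
    """Toy account directory with a role table and an append-only audit log
    (constructed for this example; a real one would persist both)."""

    SUPPORT_ROLE = "support_admin"
    SUCCESSFUL_ACCESS = ("impersonate.start", "record.view")

    def __init__(self) -> None:
        self.roles: Dict[str, Set[str]] = {}
        self.audit: List[AuditEvent] = []

    def add_account(self, name: str, roles=()) -> None:
        self.roles[name] = set(roles)

    def _log(self, at: float, actor: str, action: str, subject: str, detail: str = "") -> None:
        self.audit.append(AuditEvent(at, actor, action, subject, detail))

    def open_session(self, name: str, now: Optional[float] = None) -> Session:
        """Called after the caller's own credentials were verified elsewhere."""
        now = time.time() if now is None else now
        if name not in self.roles:
            raise KeyError(name)
        self._log(now, name, "login", name)
        return Session(actor=name, subject=name, issued_at=now)

    def assume_identity(self, admin: Session, target: str, reason: str,
                        now: Optional[float] = None) -> Session:
        """Support access to another account: no password needed, every step logged."""
        now = time.time() if now is None else now
        if admin.is_impersonation:
            self._log(now, admin.actor, "impersonate.denied", target, "chained impersonation")
            raise PermissionError("cannot impersonate from an impersonated session")
        if self.SUPPORT_ROLE not in self.roles.get(admin.actor, set()):
            self._log(now, admin.actor, "impersonate.denied", target, "missing role")
            raise PermissionError(f"{admin.actor} lacks {self.SUPPORT_ROLE}")
        if target not in self.roles:
            raise KeyError(target)
        if not reason.strip():
            raise ValueError("a reason is required")
        self._log(now, admin.actor, "impersonate.start", target, reason)
        return Session(actor=admin.actor, subject=target, issued_at=now)

    def view_record(self, session: Session, account: str, now: Optional[float] = None) -> str:
        """Read an account's record; the audit row names the real actor, not the subject."""
        now = time.time() if now is None else now
        if session.subject != account:
            self._log(now, session.actor, "record.denied", account)
            raise PermissionError(f"session for {session.subject} may not read {account}")
        self._log(now, session.actor, "record.view", account)
        return f"<record of {account}>"  # placeholder for the actual student data

    def end_session(self, session: Session, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        action = "impersonate.end" if session.is_impersonation else "logout"
        self._log(now, session.actor, action, session.subject)

    def staff_who_accessed(self, account: str) -> Set[str]:
        """Question 3 from the answer above: which staff successfully acted on this account."""
        return {e.actor for e in self.audit
                if e.subject == account and e.actor != account
                and e.action in self.SUCCESSFUL_ACCESS}


if __name__ == "__main__":
    d = Directory()
    d.add_account("parent.smith")
    d.add_account("helpdesk.jones", {"support_admin"})
    admin = d.open_session("helpdesk.jones")
    s = d.assume_identity(admin, "parent.smith", "parent cannot see the new school-year form")
    print(d.view_record(s, "parent.smith"))
    d.end_session(s)
    for e in d.audit:
        print(e)
```

The point the comment makes is visible in the log: the row for the record view carries `helpdesk.jones` as the actor even though the session acted on `parent.smith`, so nothing a staff member does in support mode can be mistaken for the parent's own action, and no password ever had to be stored in a readable form to make it possible.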
12

Is this a password that you entered, or is it a randomly generated initial password that you will have to change on the first login?

In the first case, this is a sign of absolutely terrible security practices that raises pretty much every red flag imaginable. This is a massive security hole and needs to be addressed immediately. Also, you should right now change this password everywhere else you use it (let's be honest, we all re-use passwords).

This also needs to be brought to the attention of whoever is responsible for information security at the school. Or the principal. Basically the person whose career is in danger if a breach happens and makes national news.

In the second case, this is SOP, nothing to see, move along.

  • 3
    Comments clarify that it is your first case which applies. The delivery method "sent home from children's classrooms" implies that the letter was printed and handled by potentially several staff before being handed to the student to take home. I'd accept "nothing to see" if it'd been an auto-generated email announcement, possibly even "tolerable" if it'd been a snail-mail letter from the main office, but as it seems here, not even that's ok
    – user135823
    Commented Aug 25, 2018 at 14:37
