On May 12 Boca News Now reported that a second grader hacked Palm Beach County School District’s student password system. This isn’t the first time a Florida school system has had problems with security. In 2018 Florida Virtual Schools “left the door open”, resulting in a breach of sensitive student and teacher information.
How useful is it to put a lock on an open gate or leave a key hanging in a locked door?
I warned Florida’s Department of Education about password problems in 2018. What action was taken to protect our children? Below is an excerpt from the document I sent in 2018 to the Florida Department of Education (both Commissioner Stewart and Commissioner Corcoran later in 2019), the Governor’s office (under Governor Rick Scott), and Hillsborough County Public School’s (HCPS) Superintendent Eakins. The excerpt includes concerns about security and authentication practices. In the fifth point I expressed concerns that this “…means young children’s [personally identifiable information] PII stored by the district in these systems is vulnerable to hacking”.
The bottom line: some Florida school districts have been creating and/or encouraging easily hackable passwords for very young children, and then impairing parents’ ability to create more secure passwords.
My experience with Hillsborough School’s default passwords and the recent limitations I faced to make passwords secure is shockingly similar to what Boca News Now reported about their district. This year I was prohibited from changing an insecure password for a young child without getting an administrator to do it for me. This meant I either had to email the new password, hand it to the administrator (both bad ideas), or go into the administrator’s office (not a teacher) and type it into his PC, each and every time I wanted to change the password. The error message we received when recently trying to reset a password for a child in grades PK-3 is pictured below.
Students have been guided (in school) to create bad passwords and use real answers to security questions that are easy for a stranger to figure out (e.g. what is your dad’s name). Unless you change those credentials, that is how they will remain according to the school district’s IT helpline.
For another child (not in the PK-03 self-service lockout), it appears school personnel helped setup security questions without notifying me or providing me with the security questions selected. Personal knowledge of the security questions/answers was non-existent. The password reset tool requires you have the answer to at least one security question. Thus the ability to help authenticate my own child and change/secure my own child’s password was in the hands of a third party—whoever set up the security questions (i.e. not the parent).
A young child should not be creating answers for security questions without parental knowledge. A child’s answers to questions like “What is your favorite game?” can change day to day. Thus, three months later there is little recall of the correct answer. We were unsuccessful in performing a password reset on the first attempt. We later discovered the third security question was easily answered by us, but also by anyone who knew fairly public information about my child. Changing answers to selected security questions required a call to the district for a security question reset.
Our passwords either setup at school or by the school district (both without my knowledge), were similar to using “admin”, easy to hack and not secure. Every password that has come home from school in recent memory was on a piece of scrap paper, without any other information like: what account(s) it provides access to, who set up the account, whether anyone guided the creation of the bad password (e.g. use your favorite color and your favorite number), where to go to secure the password, etc.
The password “admin” is a common default and is “probably the first one an attacker would guess”. According to Yahoo, a class action lawsuit filed against Equifax over their data breach claimed “Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked,”. The article also reported the court said: “Equifax’s cybersecurity was dangerously deficient”.
Security questions exist to help authenticate a user by asking questions that only the user should be able to answer; this is affirmed by the following quote from the US Department of Education:
“It is important to remember that authentication factors like PINs, passwords, and security tokens are only effective if the user is the only party who knows this information or possesses the token… No agency officials should be able to recover passwords or security tokens for any reason.”
Speaking to the importance of creating and securing strong passwords, especially for your child’s educational web applications, is Verizon’s annual Data Breach Investigations Report (DBIR). This publication is a favorite among some in the cybersecurity industry. On May 19, Yahoo reported that Verizon’s 2020 DBIR “…highlighted a year-over-year two-fold increase in web application breaches, to 43 percent, and stolen credentials were used in over 80 percent of these cases – a worrying trend as business-critical workflows continue to move to the cloud [emphasis added].”
School districts should ensure passwords are protected. Years ago I discovered HCPS’ student default password conventions were shared on a popular social media platform over and over again by a trusted vendor.
Parents should help their children reset student passwords to something that follows reputable guidelines. The National Cyber Awareness System provides some “Dos and dont’s” for creating passwords.
The National Institute of Standards and Technology (NIST) published the Digital Identity Guidelines, summarized in Naked Security. The article notes that you [the institution] should “Check new passwords against a dictionary of known-bad choices”, and “NIST says you should allow a maximum length of at least 64 [characters]”.
The district password limit is 12 characters–discovered when I tried to use a 20 character password that the system rejected. While the district might not need a 64 character maximum, a character length longer than 12 might come in handy when people want to use long passphrases with randomness. Children will likely remember a long random passphrase better than a completely random 10 character password.
The response to my documented concerns over password security and authentication from Florida’s Department of Education in 2018 is nearly identical to that received from Commissioner Corcoran’s office in 2019; a brush-off that looked like a form letter:
“…The concerns you have expressed are most appropriately addressed with your local school district officials We certainly appreciate you sharing your concerns with the Commissioner and hope that you are able to have a productive conversation with the local school district about your concerns and reach an amicable solution.”
The response I received (to the 2018 document) from Hillsborough County School District: nothing.