Tuesday, May 27, 2014

Passwords with elementary students

I am an elementary school computer teacher. I see 22 classes a week, grades 2-5. We use a Mac OSX server and Workgroup Manager (WGM) to create unique user accounts for every student. It is a great way to manage the lab, approve and disapprove program access, upgrade systems, and so forth.

A part of this is creating unique user accounts and unique passwords. I often get asked ho wI handle unique passwords with students so young, especially since they aren't logging in every day (I only see each class once a week).

Here is how I handle passwords...

Logging in to OS X Server, managed by WGM

Before students create passwords we do a lesson on coming up with a password, how to best meet the 4 criteria below, what "case-sensitive" means, and so forth. Their homework from that lesson is to go home and think of a password to create the next week. They are allowed to work with their parents on thinking of one, but not allowed to share it with anyone else.

The password criteria

  • Passwords have to be these 4 things:
    • Letters and/or numbers only
      • Capitals and/or lowercase allowed (case-sensitive)
    • Easy to remember
    • Something they can spell
    • Something they can keep secret

Leading up to creating their own passwords the grades look like this:

  • 2nd grade  - the letter "s" for the first few months to practice logging in, etc. When they do create a password it only has to be 4 characters (minimum)
  • 3rd grade - the letter "s" for the first few weeks. then 5 character (minimum) password creation
  • 4th grade - the letter "s" for the first week, then 6 character  (minimum)  password creation
  • 5th grade - the letter "s" for the first week, then 8 character  (minimum)  password creation

Preparing unique password lessons

We spend half a class period discussing passwords and how to create them, their importance, etc. The next period is when they create them. Once they choose their new ones I'll have them log-in and log-out a few times to make sure they know what their new password is. A slight quirk of the OSX server is that when a new password is created a pop-up prompt will appear asking the user about their Keychain. Choose the middle button, "Create new keychain." You won't see this box if they enter a password they've used previously.

After a vacation (Christmas, February, or Spring - depending on the year and requests for changes) I "force" a password change. When they log in the server prompts them to create a new password. They can re-enter their existing password if they want to keep it, or it is their opportunity to create a new one. With hundreds of students per grade it is tedious and time consuming to let students change it user by user, easiest to force the password change in bulk (but, again, no restriction on re-entering the existing one).

Periodically a student will forget and I will re-set it to "s" and make them create a new one at their next log-in. If a student forgets 3x I change their password to "iforgotmypassword" and make them use that for at least 2 log-ins. Then they can create a custom one (which they then rarely forget).

I don't have them write it down as a standard practice as I try to stress the importance of the 4 criteria above, and that a piece of paper can be shared/stolen/lost, etc. 

2-step verification for Google Apps for Education (GAFE) without a cell phone...

We are a GAFE school too, layered on top of our PS X server. Student GAFE passwords are 9 digit numbers which are kept using Stickies on their desktop, secured via the OSX server password. It's a cobbled-together version of 2-step verification for elementary school students. Not exactly 2-step, but the best we can do.

Why all this for students under 10?

I think it is extremely important to get students thinking about passwords and digital security as young as possible,. Will traditional passwords be around forever? Maybe not. Maybe biometrics will replace them. But at this point the multi-character password is the standard bearer, for better or worse. Requiring students to come up with their own passwords, passwords they need to remember and keep secret, is a great way to start the conversations and learning about the importance of keeping their information secure. As the grades go on the password requirements become stricter. My hope is that by the time they get to middle school they are completely comfortable with creating and remembering passwords and fully understand, and appreciate, the importance of keeping their information as secure as possible.

No comments:

Post a Comment