The Classroom Common Password Faux Pas

There is nothing more frustrating than trying to get a class of Grade 1s to log into a computer. These little ones who barely know how to spell their first name are being asked to type a UserID that is often a combination of first and last names. Then they enter their randomly generated password, an assemblage of letters and numbers that do not resemble anything in the English language (although, every now and then the randomly selected letters spell a word, and that word is something a child shouldn’t know how to spell). Every spelling mistake, every error, increases the amount of time a student is not on task and increases the level of frustration. One solution seems to be to standardize the students’ passwords, so that every kid in the class has the same one. This way, the teacher knows everyone’s password and can easily help a student who is struggling to log in or forgot the password.

Although this classroom management tip may speed up the login process, it is actually quite risky regarding the security of information and it misses an opportunity to teach digital citizenship.

Security of Information

Most school districts (including EPSB) have adopted single-sign-on policies. This means that you only need one UserID and password to get into all district applications and documents. The formula for the UserID is both standard (e.g. j.doe) and published (in Google Contacts), so if everyone has the same password, any student could easily access all the records of another student. While this might seem very improbable for the grade 1s to figure out, it creates opportunities for other risky situations.

One thing we are noticing is that students aren’t changing their passwords. Our data has shown that if a grade 1 teacher had a common password for a class, many of those students will still have the same password in grade 6. Also, sometimes that password is written on the board or in a public space for the grade 1s to be able to easily see. This makes it easy for anybody in the school who has figured out the UserID formula to be able to log in as any one of those students in the class.

Granted, identity theft among students is not rampant or overly problematic. It is easy enough to deal with those we catch on an individual basis. However, another by-product of the common password is the cloak of anonymity. The following true case study will explain the term:

A student in Grade 2 created a Google Doc with his school account and shared it with his buddies’ school accounts. The Doc was used to post links to websites he liked and was not intended for the teacher. Eventually, one student typed a bad word, which led to another student adding a worse word, which led to yet another student adding pictures of women in underwear. Using the Revision history of the Google Doc, we were able to find which student added the inappropriate content. When confronted, his response was “You can’t prove it was me. We all have the same password.”

Truthfully, I am a little impressed at the student’s cheeky cleverness. Unfortunately, however, this story is not uncommon. My department has received a number of similar reports, thus the impetus for this post.

Teaching Digital Citizenship

Mike Ribble has included Digital Security (Self-Protection) as one of his Nine Elements of Digital Citizenship. He states “As responsible citizens, we must protect our information from outside forces that might cause disruption or harm.” It is never too early to teach our students that they can take ownership of their own digital safety. It is worth taking the time to show our students how to manage passwords as well as show them how to protect their data. Here are some classroom tips that may help:

  1. Have students change their password at the beginning of the school year. It is good practice to change passwords at least every school year or new semester. Help students get used to this by starting the year with a new password.
  2. For younger students, use word wall words. Have students pick a word from the word wall. Some passwords may require five or more digits, so you may have them also choose a number they can see in the room.
  3. For older students, teach them some password tricks. There are many ways to create strong passwords (see WikiHow – How to create a password you can remember). Using a new approach each year would teach students a wide variety of techniques that they could apply outside of school. I like the suggestion to use Mnemonics – connect the first letters of a sentence (The only thing we have to fear is fear itself = totwhtfifi. Throw in some capitals and numbers and Bob’s your Uncle).
  4. If you have Chromebooks and students who have trouble remembering both the user name and the password, give them the same Chromebook each time. A Chromebook remembers the login ID of the last nineteen people who used it (it does not remember their password). Students can use a picture of themselves or an icon they recognize and would then only need to select their icon and enter the password to log in. That way, they really only have to memorize one thing.
  5. Find out where you can access or change your students’ passwords. Students’ school accounts are not owned by the students and teachers have the right to access them (and it is important for them to know this). Most Districts have systems in place to assist teachers in helping students get logged in or change their passwords.
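
A district administrator can check whether tip 1 is actually happening by auditing when each password was last set. The Python below is an added example, not part of the original post; the export format, its column names (user_id, password_last_set) and the sample rows are constructed assumptions, and a cluster is only a hint that a class was given one password that nobody changed afterwards.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data. The column names are assumptions for this example,
# not the schema of any real directory or Google Workspace export.
SAMPLE_EXPORT = """user_id,password_last_set
a.lee,2019-09-04T09:15:10
b.cho,2019-09-04T09:15:40
c.roy,2019-09-04T09:16:05
d.kim,2024-09-03T10:02:00
e.fox,2021-01-12T13:30:00
"""

def load_accounts(text):
    """Parse the export into (user_id, last_set) tuples sorted by time."""
    rows = csv.DictReader(io.StringIO(text))
    accounts = [(r["user_id"], datetime.fromisoformat(r["password_last_set"]))
                for r in rows]
    return sorted(accounts, key=lambda a: a[1])

def stale_accounts(accounts, school_year_start):
    """Accounts whose password predates the current school year (tip 1)."""
    return [a for a in accounts if a[1] < school_year_start]

def bulk_set_clusters(accounts, window=timedelta(minutes=10), min_size=3):
    """Group accounts whose passwords were set within `window` of the previous one.

    Expects accounts sorted by time. A cluster of stale accounts set together
    is a hint (not proof) that one password was handed to a whole class.
    """
    clusters, current = [], []
    for user_id, last_set in accounts:
        if current and last_set - current[-1][1] > window:
            if len(current) >= min_size:
                clusters.append([u for u, _ in current])
            current = []
        current.append((user_id, last_set))
    if len(current) >= min_size:
        clusters.append([u for u, _ in current])
    return clusters

def audit(text, school_year_start):
    """Return (stale user ids, clusters of stale ids set at the same time)."""
    stale = stale_accounts(load_accounts(text), school_year_start)
    return [u for u, _ in stale], bulk_set_clusters(stale)

if __name__ == "__main__":
    stale, clusters = audit(SAMPLE_EXPORT, datetime(2024, 9, 1))
    print("Not changed this school year:", stale)
    print("Likely set together as a class:", clusters)
```

Accounts that appear in a cluster are the ones to prioritize for a supervised password change.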

It’s not easy teaching digital citizenship to our students. Often it involves skills we have yet to learn ourselves. However, it is important our classroom practices align with good digital citizenship practices.