
I have a user account for each of my children in our district website, which oversees registration, grades, identification, etc.

I was recently sent home a form from both of my children's classrooms asking us to login to our accounts so we could sign a new school year form. Printed on this piece of paper was both the username and the password for our accounts.

The security practice of sending home printed passwords is immediately discouraging, but my larger concern is how my password is stored in the district system (and ultimately, what would happen if that system were compromised).

I want to contact the webmaster, but I want to make sure I'm correct in any assumptions I make prior to shooting off my email asking that action be taken to avoid this kind of thing. I saw a related question, and want to make sure I don't jump the gun on harassing them over their storage policies.

--

Since it's been asked several times, this is a password that I set on the account, not an auto-generated password. Also, this is an account that parents control; it contains sensitive identifying information of your child. It's not intended as a student portal or anything like that.

--

Update 1:

I got a call from the district webmaster today, wanting to discuss my email in more detail. I explained my concerns were two-fold: (a) the transmission of our password on a printed piece of paper, and (b) the ability to retrieve that password in the first place.

I was informed that the system is a legacy system, and as such has no capability of allowing a "forgot my password" feature. While the policy, they agreed, is incorrect, the alternative is to have every parent who doesn't remember their password come into the school with an ID to retrieve their password. (I was also informed that since we're in a 60% poverty district, assuming all parents have an email address for password management isn't an option). While this is an incredible inconvenience, I explained the inconvenience of likewise having someone access my accounts because they had access to my password.

I was also informed that the system is being replaced next year, which will come with more modern security features (though, I'm unsure of the storage policies on the future system).

The lady was very polite, and offered to put me in contact with their director of IT to discuss my concerns around password storage policies, which I accepted. She also offered to BCC me on an email to our school principal, requesting that future communications be issued in a sealed format.

Finally, I was slightly (and correctly) scolded for reusing my password in the first place.

MrDuk
  • Wow! That's about as good a response as you can hope for! I'm impressed! – Mike Ounsworth Aug 28 '18 at 18:50

3 Answers


Yup! If they are able to retrieve the password from the database, then they are clearly not following password storage best-practices. OWASP provides a good guide for how to do it properly:

Here's some ammunition you could use in that letter:

  • You want me (the legal guardian of my child) to sign a form.
  • You are using the action of logging into a website and clicking a button as a form of legal signature.
  • How do you know it was actually me that logged in and clicked the button?
  • How many people had access to the sheet with the username and password on its way to me? How can you prove that it was actually me that logged in and clicked the button?
  • Clearly the password is stored in the database in such a way that it can be retrieved by school board staff. How can you prove that it was actually me that logged in and clicked the button?
  • Were something to go wrong, I highly doubt that "signature" would hold up in court, meaning the form will not hold up in court. This seems like a liability issue for the school board and/or for me (depending on what's in the form).
  • Can I get a statement from the school board's legal team that this is ok?

Mike Ounsworth
  • The list of points is incredibly helpful, and provides a clear logical path leading to the conclusion of _this just isn't ok_. – MrDuk Aug 24 '18 at 15:36
  • A plain-text password should exist in _exactly_ one place outside the user's control: in the process that receives the encrypted version and generates the salted hash for comparison or storage. If the password itself is stored, encrypted or not, secured or not, in any form, anywhere, it is at risk from some form of attack. That includes on the user's system, but it's their risk, to their data, and they can choose to take risks as they see fit, while the website doesn't have that right. – Aug 24 '18 at 19:11
  • You might even add to the 5th point that an attacker who breaches their security and captures their database now has everyone's passwords and can impersonate them with impunity. And if they're storing passwords, a violation of industry best practices, they're probably violating others, making that breach far from a remote possibility. – Monty Harder Aug 27 '18 at 18:40
  • @MontyHarder I'm specifically trying to stay away from attacking their IT practices because IT people are very good at making word-salad out of `{firewall, encryption, admin-only, trusted-employee, etc}` and believing their solution is good enough. That's why I presented a strictly lawyer-centric argument that the way they've built the system does not achieve the basic functionality of collecting a legally-binding signature. – Mike Ounsworth Aug 27 '18 at 18:48
  • Something something FERPA – Acccumulation Aug 27 '18 at 20:47
  • Also, uh, if they're printing a form for the child to take home *in order to collect a signature*, they could... just put the signature on that form... – Riking Aug 27 '18 at 22:25
  • @Riking And how would they know that the form was signed by a parent? Same difference... – I'm with Monica Aug 28 '18 at 06:04
  • @AlexanderKosubek the world has a long history of accepting paper signatures as ... signatures, and a whole forensics industry around determining if a signature is fake. I don't think that's the same difference ... – Mike Ounsworth Aug 28 '18 at 10:42
  • Just to mention the obvious -- any of the IT staff (i.e. effectively anybody with admin/root access) could obtain sensitive information regarding the OP's child. They could also probably enter "his" fake consent into the database (and, if needed, fake a log file trail of his IP address connecting etc. for plausibility). The teachers have all kinds of sensitive information about the OP's child, independent of any IT. **If you don't trust the staff, all flood gates are open.** If the IT infrastructure is compromised the OP's account would likely be accessible by intruders, clear text PW or not. – Peter - Reinstate Monica Aug 28 '18 at 13:42
  • **The only thing protected by an encrypted password storage are -- the passwords.** Just don't use your banking password elsewhere. – Peter - Reinstate Monica Aug 28 '18 at 13:44
  • @PeterA.Schneider It is possible to build systems with good audit logging such that faking an audit trail is considerably more difficult than just inserting an entry into the database. But point taken; rogue admin attack is _probably_ out of scope here. – Mike Ounsworth Aug 28 '18 at 13:49
  • @GypsySpellweaver Depending on how the password is encrypted/hashed, it is conceivable to not store it at all: by encrypting/hashing char by char. [Although partial encryptions/hashes may be also unsafe?] – Pablo H Aug 28 '18 at 14:11
  • @PabloH Yeah I wouldn't do that; if you publish a hash of each letter then I can guess one letter at a time (only ~100 possibilities per letter) vs one hash for the entire password where I need to guess the whole thing in one shot (trillions of possibilities to guess) – Mike Ounsworth Aug 28 '18 at 14:18
  • @MikeOunsworth Re "point taken": Well, then some of your bullet points are not valid (or rather, do not depend much on encrypted password storage). Encrypted or not, staff can fake consent, so a database entry is no proof -- you would need something digitally or manually signed *by the OP* for reasonable proof, probably also in court. Admittedly the number of staff able to access the data is smaller with encrypted PWs though, so I take the point that the risk is smaller with encryption. – Peter - Reinstate Monica Aug 28 '18 at 14:41
  • @PeterA.Schneider 1) The best practice is to hash passwords. How did encrypted passwords get into this discussion? 2) I think you and I are ultimately making the same point: this solution doesn't seem like it would hold up in court as a "signature". I'd like to hear from their legal team about how they justify that is ok. As I've said above, my approach here was explicitly to stay away from attacking IT / technical (because as your comment shows, you get into a tangle of technical arguments), but instead argue about the legal def'n of "signature". – Mike Ounsworth Aug 28 '18 at 14:47
  • Honestly, I would take this to a local paper – Azor Ahai -him- Aug 28 '18 at 16:19
  • I haven't seen anybody bring this up, and it seems important. OP stated it was a parent's account, not the child's account. There is one person we **know** had access to the password...the child! That seems like a really bad thing if the parent account is where the parent approves activities, acknowledges report cards, etc. The kid could never deliver the form, and simply take over control of the parent account. – Aug 28 '18 at 18:39
  • If you're interested, I added an update including the conversation I had with the district webmaster. – MrDuk Aug 28 '18 at 18:47
  • "If they are able to retrieve the password from the database, then they are clearly not following password storage best-practices" > Indeed, but are they able to do that? The mail could actually be generated at the very same time the password is generated (so still not hashed), although I admit it is very unlikely. – Laurent S. Aug 29 '18 at 12:01
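As an added example (not code from the question, this answer, or any district system), here is what "stored so it cannot be retrieved" looks like in practice: a minimal parent-account store using a salted, iterated hash, plus the help-desk flow that replaces "look up and print the password" for a system with no self-service reset. Account names, the in-memory table and the temporary-password flow are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory account table standing in for the district database.
# Each record holds only salt, work factor and hash: there is nothing to print.
USERS: dict[str, dict] = {}

# PBKDF2-HMAC-SHA256 work factor; the OWASP Password Storage Cheat Sheet currently
# recommends 600,000 iterations for this KDF (Argon2id is preferable when available).
ITERATIONS = 600_000


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def set_password(username: str, password: str, must_change: bool = False) -> None:
    """Store a fresh random salt and the derived hash; the password itself is discarded."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": _derive(password, salt, ITERATIONS),
        "must_change": must_change,
    }


def verify_password(username: str, password: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        # Burn the same work for unknown users so timing does not reveal which names exist.
        _derive(password, b"\x00" * 16, ITERATIONS)
        return False
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"], rec["iterations"]))


def admin_reset(username: str) -> str:
    """Help-desk flow instead of 'look up the password': issue a one-time temporary
    password that must be changed at next login. The old hash is overwritten, so the
    previous password is neither recoverable nor usable afterwards."""
    temp = secrets.token_urlsafe(12)
    set_password(username, temp, must_change=True)
    return temp


def record_fields(username: str) -> set:
    """What an operator with database access can see for an account."""
    return set(USERS[username])
```

The temporary password still has to reach the parent somehow (in person with ID, or in a sealed envelope), but its exposure ends at first login instead of exposing the password the parent reuses elsewhere.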

NOTE: since the question was updated to specify that the password in question isn't used by the student, and was not a random initial password, the rest of this answer doesn't really apply. I concur with the other answers that parent passwords should be stored with standard salted-iterated-hash techniques. The obstacles that the school district will face in implementing this plan are much less than the equivalent for student passwords.

Speaking from experience inside K-12 information technology, I can tell you the situation is probably worse than you imagine.

Before you start to push for change, be aware that you are fighting a giant system, not a single school or district. There are some bright spots, but it's basically a realm where standard security wisdom doesn't apply. Half the vendors haven't heard of any modern password storage options, or federated authentication. A lot of the students are too young to handle a password with any serious amount of entropy.

And most important of all, schools are nosier than any tin-pot dictatorship. Administrators want the ability to get into student accounts any time they think something might be wrong. The only way to do that, across all the services with their various outdated authentication schemes, is to know the password.

If you find yourself making your complaint to someone who's actually required to answer your questions, let me suggest a few:

  1. How many school employees have access to view student passwords?
  2. Is there any record showing how often a student's password has been viewed, and by which staff members?
  3. Is there any record of which staff members have used student passwords to log in to which student accounts, and which services they accessed?
  4. How many different databases within the school district contain copies of the (unencrypted, unhashed) student passwords?
  5. Are student passwords ever changed proactively (either after an expiration time or by the student on their own initiative) or do they remain the same forever, in the absence of a reported breach?
  6. Has there been a penetration test... on anything... ever?
  7. How many third parties (e.g. online textbook publishers) have been given a complete list of student passwords and/or full remote access to a database containing them?
  8. When considering the purchase of a new product or service that will involve student logins, are information security practices ever a factor in the decision?

Don't expect good answers. Expect bad answers, and plan your next move ahead of time.

And don't expect to surprise them with HIPAA and FERPA. They've heard of those, and their lawyer has probably already told them everything they're doing is fine.

anon-insider
  • 9. Do student records contain any health-related info? HIPAA violations can be very expensive. – WGroleau Aug 25 '18 at 03:11
  • "How many school employees have access to view student passwords?" Just an anecdote to highlight how important this first point is, I happen to know an older gentleman who, up until just a couple years ago, used his SSN as his password on just about everything. He had no idea that passwords can ever be cracked, so his reasoning was just use something he's already keeping a secret anyways. This or any other sensitive information might be in the password field, and if someone sees a plain text 9 digit number for a password... well you can imagine how awful this can be for unsuspecting parents. – Davy M Aug 26 '18 at 03:07
  • @DavyM That's exactly why storing passwords should be an offense punishable by kicking to the end of the perpetrator's life - because some website run by incompetents will be publishing this gentleman's passwords. – gnasher729 Aug 27 '18 at 13:37
  • There is no reason why staff members should use student passwords to log into student accounts. None. A properly-designed system can allow privileged ("Administrator" or "root") accounts to temporarily assume another account's identity with no need to know that account's password to do so, and log the fact that it happened, so no identity theft is thereby accomplished. If the system in question is not so-designed, then it's further evidence that the architects and administrators are Doing It Wrong™. – Monty Harder Aug 27 '18 at 18:43
  • `If the system in question is not so-designed` - I see you haven't worked in K12. Sometimes I think 'Doing it Wrong' is our slogan. But seriously, K12 funding usually sucks and there is lots and lots of software that sucks from a security standpoint. – Zoredache Aug 27 '18 at 19:51
  • @Zoredache I have sisters who have taught K-12 though. Open-source solutions literally don't cost a penny, so the lack of funding is no excuse. And the open-source developers are often the ones pushing more secure approaches. Usually, it comes down to ignorance, often with more than a little arrogance. – Monty Harder Aug 27 '18 at 21:44
  • @MontyHarder see question #8, where the usual answer is No. First the salesmen show a product to teachers, principals, etc. (nobody who will think about any of the issues discussed here). After a commitment to buy the product is made, the IT department is instructed to set it up. It's too late to stop it, no matter how Wrong and ignorant the setup is (i.e. #3, #7). – anon-insider Aug 28 '18 at 02:16
  • @anon-insider Well, my lack of K-12 experience is no impediment to recognizing that particular scenario. I've seen it in the corporate IT world far too often, in fact. Vendor sells New Shiny Thing to the dept. that will use it, then someone on my team has to figure out how to actually make it work. But when necessary, I can always count on someone in InfoSec to play Bad Cop (so I don't have to) and say "no, you're not doing it that way". – Monty Harder Aug 28 '18 at 13:57
  • @anon-insider Doesn't match my experience with this. It is usually decided by only admin and IT; teachers are out of that loop. Also IT is often outsourced with a ludicrous contract, don't do anything right, take the money and provide 0 knowledge transfer for the next IT company taking over when the school district is finally fed up with their current one. But my experience is of Michigan, where the entire education system is being sold up the river to for-profit charter "schools." – ttbek Aug 28 '18 at 14:01
  • When I was teaching in a high school a couple years ago I knew a teacher who carried around the XP password hack on a flash drive because IT was only available once a week, and the computers didn't have standard passwords at all. Open source software is free, but you need _someone_ to implement it. – Nathan Hinchey Aug 28 '18 at 18:12

Is this a password that you entered, or is it a randomly generated initial password that you will have to change on the first login?

In the first case, this is a sign of absolutely terrible security practices that raises pretty much every red flag imaginable. This is a massive security hole and needs to be addressed immediately. Also, you should right now change this password everywhere else you use it (let's be honest, we all re-use passwords).

This also needs to be brought to the attention of whoever is responsible for information security at the school. Or the principal. Basically the person whose career is in danger if a breach happens and makes national news.

In the second case, this is SOP, nothing to see, move along.

Tom
  • [Comments](https://security.stackexchange.com/questions/192244/if-my-password-was-able-to-be-printed-on-a-form-sent-home-from-my-childs-school#comment380340_192244) clarify that it is your first case which applies. The delivery method "sent home from children's classrooms" implies that the letter was printed and handled by potentially several staff before being handed to the student to take home. I'd accept "nothing to see" if it'd been an auto-generated email announcement, possibly even "tolerable" if it'd been a snail-mail letter from the main office, but as it seems here, not even that's ok – Aug 25 '18 at 14:37