The title says it all, please for the love of children, turn off password expiry on your students’ accounts. Here’s why…
I was an Information Security (Infosec) consultant before I was a teacher. The prevailing wisdom back in the 20th century was that passwords should expire regularly, so that any compromised password quickly became useless: the password thief would lose access once the rightful owner changed their password. This made sense at the time, because most users had only one or at most a handful of passwords. They could cope with changing them once a quarter or so. That was then.
Fast forward to 2022 and we all have dozens, even hundreds of passwords. If they all expired quarterly, not a day would go by without one changing. But they don’t. We have access to password managers, and most browsers offer to save passwords in an encrypted database. Our sensitive data is kept behind two-factor authentication (2FA) or multi-factor authentication (MFA) processes. We don’t have to remember a password that changes every 90 days or less. So why do it to the pupils?
I teach Year 7 upward, that’s aged 11 plus. Some of the pupils I teach arrive with a reading age of 8 or less. My colleagues in upper primary who begin teaching pupils to use Office or Google Docs are teaching pupils with a reading age of 5 or 6. This is before we consider SEND needs such as visual impairment, motor control issues and ADHD, to name but a few that are relevant here. So you can imagine the challenges they face. When password expiry came around, the conversations often went like this:
- Ah, your password has expired. Right let me help…<sigh>
- In those two boxes you have to type a new password.
- No it can’t be the old one again. Oh, you already tried that? Right well now you have to type in your old password again.
- No, I know I said you needed to type a new password but that comes next, first you need to type your old one in again, or it won’t let you type the new one.
- Now, the new password needs to be at least 8 characters long, include a capital and a number, and be different to all your old ones.
- It didn’t work again? Did you follow the rules? Ah, I see you didn’t use a capital, you need to press Shift for that, remember?
- Right, maybe you didn’t type it exactly the same in both boxes.
- No you’ll have to type your old password correctly again to have another attempt at choosing a new one.
- OK so we’re ready to choose a new password again, can you remember the rules?
- No those two passwords are not the same length, I can see from the length of the asterisk strings. Can you go back and do it again?
- Oops, you hit Enter and it’s asking for old password again. Just do that first then try to get the new password the same twice this time.
- Right two passwords the same length, are you sure they are the same?
- Oh dear it’s still rejecting the new password. Did I mention it cannot include your name? You included your name? We can’t do that.
- Yes, you need to type your old password again to try again.
- One capital, at least eight characters, and a number.
- Yes, they look the same length, are we ready to go?
- Great job! You changed your password. Now write a hint in your planner, something to remind you what the password was, but not the whole thing, OK?
- <writes hint>
- <1 week later>
- You can’t remember your password? Does the hint not help? OK then, I’ll reset it. You’ll need to choose a new one; it will need to be at least 8 characters long, include a capital and a number, and be different to all your old ones…
Repeat for at least half of every Year 7 class for half of the year, and for more than a handful of students every week, back when passwords expired in my school. But that was then…
I successfully used my prior experience as an Infosec (Cybersecurity) consultant to persuade my IT team to turn off password expiry, because it’s not necessary on student accounts, and it is strongly discouraged on staff accounts too. Who says? The National Cyber Security Centre (NCSC). In an advisory article entitled “Password policy: updating your approach”, the UK government’s dedicated cybersecurity unit wrote this:
“Forcing password expiry carries no real benefits because:
- the user is likely to choose new passwords that are only minor variations of the old
- stolen passwords are generally exploited immediately
- resetting the password gives you no information about whether a compromise has occurred
- an attacker with access to the account will probably also receive the request to reset the password
- if compromised via insecure storage, the attacker will be able to find the new password in the same place”
I could add other reasons to the above: regular password expiry causes users to write down their passwords, or just forget them. Now that they no longer expire, I don’t have the torturous “password expired” lessons and pupils no longer use “I forgot my password” as an excuse for missed homework. I gave them some skills to choose a strong, memorable password and, after a while, introduced detentions for forgotten passwords, as explained in this blog post. And nothing terrible has happened.
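For readers whose IT team wants to know what “turning off expiry” looks like in practice, here is an added example (not from the original post, and not the author’s or the NCSC’s code) for a school whose student accounts live in on-premises Active Directory. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the OU path `OU=Students,DC=school,DC=local` is a placeholder to replace with your own. It first reports which enabled student accounts still have an expiring password, then sets the per-account “password never expires” flag only on those, and finally re-runs the report so you can confirm the change. Staff accounts, group policy and the domain default policy are left untouched.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory module (RSAT).
# $studentOU is a placeholder: substitute the distinguished name of your own students OU.
Import-Module ActiveDirectory

$studentOU = 'OU=Students,DC=school,DC=local'

# Report: enabled student accounts whose password still expires.
function Get-ExpiringStudentAccounts {
    param([string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties PasswordNeverExpires, PasswordLastSet |
        Where-Object { -not $_.PasswordNeverExpires }
}

$before = Get-ExpiringStudentAccounts -SearchBase $studentOU
Write-Host ("Student accounts with expiring passwords before change: {0}" -f $before.Count)

# Change: set the per-account flag so the domain's MaxPasswordAge no longer applies to them.
# Add -WhatIf to the Set-ADUser line to rehearse the change without applying it.
foreach ($user in $before) {
    Set-ADUser -Identity $user -PasswordNeverExpires $true
}

# Verify: the report should now be empty for this OU.
$after = Get-ExpiringStudentAccounts -SearchBase $studentOU
Write-Host ("Student accounts with expiring passwords after change: {0}" -f $after.Count)

# Optional audit listing, useful to keep with the change record.
Get-ADUser -SearchBase $studentOU -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Setting the flag per account, rather than lowering the domain-wide maximum password age to zero, keeps the change scoped to the student OU and makes it easy to see in the audit listing which accounts were affected. Pupils can still change their password when they want to, and an account reset by staff works exactly as before.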
Please. Stop expiring your passwords.