We at Pupil Asset take security seriously and advise those who share our concern to follow our password policy where possible. There are links and explanations below for those who wish to do further reading on the subject.
What suggestions do you have for a secure password?
- Consider using a system like LastPass or 1Password which generate ultra-secure passwords for you and remember them for you too.
- Consider using a handful of passwords for different types of site. For those that need to be ultra-secure (like internet banking, or Pupil Asset) use a password you don’t use elsewhere – so that if your subscription to another website gets compromised the hacker does not immediately have access to more important things.
Why do you not automatically reset passwords?
This policy can often backfire because:
- If passwords change frequently, users will be forced to write passwords down in order to remember them.
- It is hard to come up with ‘good’ passwords that are also easy to remember. If people are required to come up with many passwords because they have to change them often, they will gradually end up using weaker iterations of the same password.
- System-generated random passwords are so hard to remember that users will have to write them down, rendering them immediately insecure.
- If software can prevent a user from repeating a recent password, it must be keeping a database of everyone’s recent passwords (instead of having the old ones erased from memory). Further to that, users may change their password repeatedly within a few minutes, and then change back to the one they really want to use, circumventing the password change policy altogether.
If your school policy requires password resets, there is a button for this in Admin > Staff; however, for the above listed reasons we advise against doing this regularly.
Other ways of being security conscious
- The easiest way to get into somebody else’s computer is to wait until they have left the room and sit at their desk! Consider locking your computer when you leave the room. A simple way to do this is by holding the “Windows” key and pressing the “L” key.
- It is worth repeating – do not write your passwords down.
Further reading on passwords and security:
- http://en.wikipedia.org/wiki/Password_policy
- http://cups.cs.cmu.edu/rshay/pubs/passwords_and_people2011.pdf
- http://xkcd.com/936/
- https://lastpass.com/
Here is a short comic strip which sums up passwords in this day and age!
Pupil Asset password policy
- Avoid obvious passwords such as teacher1, password, etc. Our system will reject the really obvious ones automatically.
- Do not write your password down. A password which is written down is immediately insecure.
- Consider a password with 3 random words combined – like horserulerfanfare – or a phrase – like DoctorKingsleyismyfavourite.
- NEVER give out your password over the phone. Our support team cannot see your password, and therefore WILL NOT ask for it.
- Do not share your account with other users. Your school ADMIN user can create as many user accounts as your school needs.
- Pupil Asset support will not reset your password without first matching your email address with the one held on the system. Ensure you have an email address set up on Pupil Asset or contact your school’s Pupil Asset admin person to reset your password.
- Users can now reset their password from the login screen, by clicking on the Forgotten your password? link.
- Staff who have left the school pose a security risk. Remove their username and/or set their access level to None as soon as they leave.
- Never write your password down – yes, this is the second time it appears in this list, but it bears repeating – also, do not save your passwords in a text file on your desktop named “Passwords”.
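As an added illustration (not Pupil Asset's own code), here is a minimal check of the kind the policy describes: it rejects blocklisted passwords even when digits or symbols are tacked on, and compares the entropy of the "three random words" scheme with a short random password. The blocklist, the minimum length and the 7776-word list size are assumptions.

```python
import math
import re

# Constructed, illustrative blocklist. A real deployment would check against a
# much larger list of common and breached passwords.
OBVIOUS = {"password", "teacher1", "letmein", "qwerty", "123456", "welcome"}
MIN_LENGTH = 12  # assumed value; the page does not state Pupil Asset's minimum


def is_obvious(password: str) -> bool:
    """True if the password, ignoring case and any trailing digits or
    punctuation, is on the blocklist (so 'Password123!' is still obvious)."""
    lowered = password.lower()
    core = re.sub(r"[\d!@#$%^&*?.,_-]+$", "", lowered)
    return lowered in OBVIOUS or core in OBVIOUS


def check_password(password: str) -> tuple[bool, str]:
    """Minimal acceptance check: length first, then the blocklist."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if is_obvious(password):
        return False, "too obvious"
    return True, "ok"


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of word_count words drawn uniformly at random from a list of
    wordlist_size words. Only holds when the words really are random, not a
    sentence the user made up."""
    return word_count * math.log2(wordlist_size)


def charset_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ("teacher1", "Password123!", "horserulerfanfare"):
        print(candidate, check_password(candidate))
    # Three words from a 7776-word (diceware-size) list vs. a random 8-char
    # lowercase+digit password: about 38.8 bits vs 41.4 bits; four words
    # reach about 51.7 bits and remain far easier to remember.
    print(round(passphrase_bits(3, 7776), 1), round(charset_bits(8, 36), 1))
```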