If my password was able to be printed on a form sent home from my child's school, does it imply insecure password storage policies?
Yup! If they are able to retrieve the password from the database, then they are clearly not following password storage best-practices. OWASP provides a good guide for how to do it properly:
- https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
Here's some ammunition you could use in that letter:
- You want me (the legal guardian of my child) to sign a form.
- You are using the action of logging into a website and clicking a button as a form of legal signature.
- How do you know it was actually me that logged in and clicked the button?
- How many people had access to the sheet with the username and password on its way to me? How can you prove that it was actually me that logged in and clicked the button?
- Clearly the password is stored in the database in such a way that it can be retrieved by school board staff. How can you prove that it was actually me that logged in and clicked the button?
- Were something to go wrong, I highly doubt that "signature" would hold up in court, meaning the form will not hold up in court. This seems like a liability issue for the school board and/or for me (depending on what's in the form).
- Can I get a statement from the school board's legal team that this is ok?
NOTE: since the question was updated to specify that the password in question isn't used by the student, and was not a random initial password, the rest of this answer doesn't really apply. I concur with the other answers that parent passwords should be stored with standard salted-iterated-hash techniques. The obstacles that the school district will face in implementing this plan are much less than the equivalent for student passwords.
Speaking from experience inside K-12 information technology, I can tell you the situation is probably worse than you imagine.
Before you start to push for change, be aware that you are fighting a giant system, not a single school or district. There are some bright spots, but it's basically a realm where standard security wisdom doesn't apply. Half the vendors haven't heard of any modern password storage options, or federated authentication. A lot of the students are too young to handle a password with any serious amount of entropy.
And most important of all, schools are nosier than any tin-pot dictatorship. Administrators want the ability to get into student accounts any time they think something might be wrong. The only way to do that, across all the services with their various outdated authentication schemes, is to know the password.
If you find yourself making your complaint to someone who's actually required to answer your questions, let me suggest a few:
- How many school employees have access to view student passwords?
- Is there any record showing how often a student's password has been viewed, and by which staff members?
- Is there any record of which staff members have used student passwords to log in to which student accounts, and which services they accessed?
- How many different databases within the school district contain copies of the (unencrypted, unhashed) student passwords?
- Are student passwords ever changed proactively (either after an expiration time or by the student on their own initiative) or do they remain the same forever, in the absence of a reported breach?
- Has there been a penetration test... on anything... ever?
- How many third parties (e.g. online textbook publishers) have been given a complete list of student passwords and/or full remote access to a database containing them?
- When considering the purchase of a new product or service that will involve student logins, are information security practices ever a factor in the decision?
Don't expect good answers. Expect bad answers, and plan your next move ahead of time.
And don't expect to surprise them with HIPAA and FERPA. They've heard of those, and their lawyer has probably already told them everything they're doing is fine.
Is this a password that you entered, or is it a randomly generated initial password that you will have to change on the first login?
In the first case, this is a sign of absolutely terrible security practices that raises pretty much every red flag imaginable. This is a massive security hole and needs to be addressed immediately. Also, you should right now change this password everywhere else you use it (let's be honest, we all re-use passwords).
This also needs to be brought to the attention of whoever is responsible for information security at the school. Or the principal. Basically the person whose career is in danger if a breach happens and makes national news.
In the second case, this is SOP, nothing to see, move along.