If the system can tell you your password, run away
June 15, 2017 5:36 AM Subscribe
What computer security topics do schools cover nowadays?
What aspects of computer and network security do general computer classes cover nowadays? For example, are there school systems where a high school graduate can expect to have heard a recommendation to use a password manager? Or have been taught why a system that can tell you what your current password is should be avoided?
I'm particularly interested in hearing about what primary and secondary schools teach, but I'd also like to hear about general education requirements of post-secondary institutions.
What aspects of computer and network security do general computer classes cover nowadays? For example, are there school systems where a high school graduate can expect to have heard a recommendation to use a password manager? Or have been taught why a system that can tell you what your current password is should be avoided?
I'm particularly interested in hearing about what primary and secondary schools teach, but I'd also like to hear about general education requirements of post-secondary institutions.
I work at a school where every student has an iPad and a school supported email address. All student (and staff) email passwords must meet a complexity requirement. Additionally, passwords must be changed on a semi-regular basis. There are also PSAs that go out from time to time that encourage students to keep their information secure. I don't think it's anything super formal, just more of a culture that promotes technological awareness.
posted by WaspEnterprises at 8:33 AM on June 15, 2017 [1 favorite]
posted by WaspEnterprises at 8:33 AM on June 15, 2017 [1 favorite]
Just anecdote, but I was helping a friend's kid with his high school computer/internet class a couple of years ago, and it was incredibly dismal. The only security topics they covered were a vaguely worded warning about sexting and a bunch of stranger danger type scenarios, really. I don't remember anything about passwords, so if there was anything, it wasn't much. And the whole thing had a very trusting attitude toward corporations. Not only did they not bring up anything about questioning the motivations and practices of the corporations running the sites you use, but some of the assignments consisted of signing up for and using various services. Nothing about even skimming the terms and conditions or privacy policies or protecting your personal information from them, and nothing questioning site password policies.
I forget what the class was called, but it was the basic computer skills class for the kids who didn't want to take a computer class. This is a pretty well regarded, well funded public school.
posted by ernielundquist at 10:03 AM on June 15, 2017
I forget what the class was called, but it was the basic computer skills class for the kids who didn't want to take a computer class. This is a pretty well regarded, well funded public school.
posted by ernielundquist at 10:03 AM on June 15, 2017
I've recently retired as IT technician at a primary school, and it was my experience that school staff are consistently way over on the Convenience side of the security/convenience tradeoff.
In twelve years of working there I never managed to persuade a principal to put any meaningful thought into addressing IT security as a specific topic to be dealt with in class time. Closest I got was unilaterally choosing to use KeePass database files as the distribution format for the kids' new email credentials after the school cut over to Google Apps For Education, and having that retrospectively declared a Good Idea when it became clear that I wasn't going to do it any other way.
School IT is being managed by a part-time remote team from the district now that I'm not there any more, and one of the things they've done is adopt a single complexity policy for all passwords used inside the school, regardless of whether these are subject only to random manual cracking attempts from the occasional motivated student or the full force of offline wifi PSK crackers. And as you'd expect from a one-size-fits-all policy if you gave it thirty seconds thought, it doesn't fit any of the use cases properly.
An eight character length requirement, in 2017, is pure security theatre. You might as well just not bother.
And they dumped my KeePass files.
I have yet to see a school whose IT security was not an omnishambles, and the fact that schools are now all rushing headlong to replace every properly securable IT asset with horrible little touchscreen fondleslabs is only making it worse. The future has never looked brighter for the rising generation of Internet organized criminals.
posted by flabdablet at 12:08 PM on June 15, 2017
In twelve years of working there I never managed to persuade a principal to put any meaningful thought into addressing IT security as a specific topic to be dealt with in class time. Closest I got was unilaterally choosing to use KeePass database files as the distribution format for the kids' new email credentials after the school cut over to Google Apps For Education, and having that retrospectively declared a Good Idea when it became clear that I wasn't going to do it any other way.
School IT is being managed by a part-time remote team from the district now that I'm not there any more, and one of the things they've done is adopt a single complexity policy for all passwords used inside the school, regardless of whether these are subject only to random manual cracking attempts from the occasional motivated student or the full force of offline wifi PSK crackers. And as you'd expect from a one-size-fits-all policy if you gave it thirty seconds thought, it doesn't fit any of the use cases properly.
An eight character length requirement, in 2017, is pure security theatre. You might as well just not bother.
And they dumped my KeePass files.
I have yet to see a school whose IT security was not an omnishambles, and the fact that schools are now all rushing headlong to replace every properly securable IT asset with horrible little touchscreen fondleslabs is only making it worse. The future has never looked brighter for the rising generation of Internet organized criminals.
posted by flabdablet at 12:08 PM on June 15, 2017
This thread is closed to new comments.
The safety aspects basically walk them through a bunch of action/consequence scenarios for things like posting photos on social media, speaking to strangers, giving out your address, etc; and then has them think about similar things they might have done or been exposed to and the potential consequences of those. It's very much geared towards getting the kids to think about unintended consequences of their actions, rather than just simply saying "don't do this on the internet".
I think the security side might say something like "Don't use your name as you password" but certainly nothing like password managers or why a system that can tell you your password is bad (and whilst Mrs Parm is generally more clued up than most about this, I sincerely doubt most teachers practice any real level of password safety themselves, much less teach their students about it - at least not within the state school sector in the UK.)
posted by parm at 7:25 AM on June 15, 2017 [1 favorite]