Tuesday, 27 January 2009

passwords and security

You would think that by now, thirty or more years after cash machine cards became common we would be quite good at handing out passwords to users in an efficient and secure manner. After all banks seem to do this all the time.

However there seems to be a desire to ignore the human factor. While we spend a lot of time making sure that our systems are protected against miscreants. We spend a lot of time making sure that users of these systems have passwords of the appropriate strength and complexity, we tend to ignore the messy business of getting these passwords to the right user.

It's a messy business involving getting the correct bit of paper with their user id and password neatly printed on it into users hands along with instructions to change their password at first logon, the idea of course being that students will immediately rush to a computer, type in their password and chnage it to something suitably cryptic and memorable.

They of course, do no such thing. They lose the paper. In fact why should they worry about their uni password, after all they have a computer of their own and it's only when they need to first upload an assignment into the LMS, use the student printing system, or use some special software for a course module do they need to use their login id.

Unlike ten or twenty years ago, students don't need a computer account to do a lot of their work. They use hotmail or gmail for email, play with facebook for social networking, and work on their laptops. They no longer need to use the public access machines for bread and butter computing, ie word processing, email etc so they don't. And they get their connection from an isp.

Instead they lose the bit of paper, their account expires, and thrity days later there's a great hoo-ha. Not good.

So the marketing people solve the problem by giving the students something that their less likely to lose, like a free coffee mug with a sticker with their password on it (dishwashers guys, people have them these days), or a usb drive with a sticker.

Great ideas, but you can imagine what happens in a share house with or without a dishwasher - there's too many the same, too much confusion potential, not to mention the possibilty of id theft.

So we need to think about how we deliver id's and access. As smart card readers are not universal, and there's four different types out there we can't do chip and pin. But students do need their student cards to get discount at the book co-op, get into night clubs and all the other important details of student life, and it does handily have their photo and uni number on it, so maybe the trick would be an orange removable sticker with their initial password on it.

This woud work, because a student id card has sufficient value and utility you want to hang onto it. There will still always be the people who don't do their initial login, but advertising campaigns about "don't be an orange plonker" might work. The other nice thing is that students get their cards when they register, and when they register they provide us with a proof that they are who they say they are however imperfect that is. Yes there's a risk someone might strick the wrong sticker on somone's card, but then the worst thing is they can't login ...


Anonymous said...

Most of our first years live on campus and need their uni id to log onto the study bedroom network. So there's a big incentive for them to do so.

dgm said...

going to spk based authentication for campus wireless got rid of that inducement as far as we were concerned ...

dgm said...

for the record we've just done a count of students who push their mail off campus and it's around 20%