High school reset every students' password to the same thing: "Ch@ngeme!"

Originally published at: High school reset every students' password to the same thing: "Ch@ngeme!" | Boing Boing


Ah, schools. When I was in high school back in the seventies, the password to the admin account was SECRET. Looks like they haven’t learned much in the last 45 years.


I worked at a company back in the early aughts where the domain admin account when it was first stood up was:
<the domain admin’s first name> : /


I have to wonder how they managed to inadvertently reset all the passwords.

Inspecting accounts is a pretty normal thing for a security audit; but it’s precisely the normal stuff that someone in the cybersecurity auditing business would have a boilerplate scripted process doing; since it doesn’t need to be reinvented or significantly customized each time.

Certainly something you could do in bulk with the right access and the wrong command; but a context where I’d expect a very routine tool to be used, no real room for improv.


Ah yes, using the student’s first and/or last name as the new password.
That’ll keep people from getting into other people’s accounts!

When I was in high school, there was no internet (yes, we had to ride our dinosaurs uphill both ways), but we did have a local network, and two computer teachers. One knew what he was doing, and the other did not - and the one who did not, did not even HAVE a password. Since this was clearly a bad thing, my class decided to fix that for him, and put a password on his account. Two weeks of him not admitting he couldn’t get into the system later, we told the other teacher, and took the password back off so he could grade assignments.


Dinosaurs? You lucky git! Back in the Proterozoic, we had to make do with eukaryotes!


On the school board HP2000, the year that an increasing number of people had their own dial-up terminals at home, the admins started disabling accounts that had multiple logons at the same time.

The accounts were still there, they just changed the password to CTRL-DEAD. I guess they thought that was secure, because no one would keep trying passwords at 10 characters per second in the 90 seconds before it disconnected, and redial to try again.

I certainly didn’t. I gave the job to my own computer (8085 and 4K RAM) and a 300 baud modem. (Knowing what I know now, I probably would have guessed it a lot faster than brute forcing it.)

Once I got one, I switched to a lateral search, and picked up all the “dead” accounts, including a few new large ones. Wheeee!


… it sorta sounds like “malicious compliance” to embarrass the institution, or some poor bastard with no fucks left to give saying “yes boss” to a very dumb suggestion

or I guess in today’s labor market maybe somebody who didn’t know anything deciding to “do it themselves” instead of hiring 😕


I’m a secondary teacher, and in my former district all the elementary students had the same password for their Google accounts, with no permission to change it. (Allegedly, this was because elementary students were always forgetting their passwords, which, sure, I guess?)

What no one seemed to have considered was the chaos that would be unleashed when those kids reached sixth grade and were never instructed to change their passwords now that they could.

I sat in on a meeting with an administrator and a very embarrassed adolescent boy who swore up and down that he hadn’t sent those inappropriate comments to a female classmate, despite the screenshots we were all viewing. And it turned out that he was telling the truth! Another student had realized that he could impersonate any number of classmates on Google Chat just by using their old universal elementary school password…

From that moment on, I always told my incoming sixth graders to change their passwords on the first day. 😅


You have to do more than tell them. You have to force expire them.
Which sounds like how this whole article probably started in the first place, if I had to guess.


I graduated high school in 1995 so pretty much pre-internet (I know it existed but we didn’t have it in school). I don’t know how parents and teachers deal with the insanity of smart phones and internet and raising kids. I get a queasy vertigo feeling just imagining everything that could go wrong. Serious respect for everyone navigating all that.


Oh, I agree completely, but as a teacher without the IT power, I did what I could.


There’s a lot which doesn’t add up to it being an audit. Not any sort of competent one.

There was a comment on /. much like this.

My kids’ school sets all the students’ passwords to the same password, and then instructs them NOT to ever change it. Further the “IT guy” gets mad at them if they do, and changes it back to the same as everyone else.


The school’s technology department followed up the next day with an email announcing that they “will be emailing you a special password process over the weekend that will be unique to your specific student.”

So, like more than 24 hours from now?


Students’ response (at least the mischievous ones): “How much mayhem can we cause before this gets shut down?”


One of the bad things about this is that it adds some weight to the excuse, “My account got hacked”, used by alleged criminals of various types.

We may laugh at some high school IT department pulling this kind of a blooper, but we should remember that some of the world’s biggest data processing departments – including Microsoft, the UK Home Office, and I think it was Experian – have leaked 100s of millions of customer accounts over the past 10 years or so.

None of that was malicious, it was human error. Computer security is dependent on fallible admins, who also have to be ethically pure because someone must carry the keys to the kingdom. We know there are corrupt judges, priests, police, and doctors. How can there not be some corrupt IT admins?

Sorry for the tangent. Thanks for reading if you got this far.


The article says the passwords were changed originally on Thursday the 22nd, so this already happened and the timing was (perhaps) tighter than that. But, I’ll speculate there were families on summer vacation which didn’t get the initial notification that everyone’s passwords had been changed/weren’t able to do anything about it last weekend. And user names were easy enough to figure out.

“My son and I were able to log into several of his peers [sic] google accounts, which gave access to all emails, papers, class work—anything saved on google drive (docs sheets and slides),” Peterson said in an email to TechCrunch.

We used to dream of eukaryotes! Our mum and dad used to make us ride ornithine - cold ornithine mind you!

I know that Equifax was in trouble for this in 2017, lots of Doctorow posts on Boing about it too. But you know, maybe Experian too, right, why not!