Resetting Passwords Properly


Resetting passwords can be dangerous when done wrong.

Staying current is important in any profession, but particularly in cybersecurity. Situations can develop quickly, sometimes as quickly as computers can process them, so it’s important to be as prepared as possible by actively seeking out reports on attacks, exploit campaigns, and other cybersecurity-related articles of interest. The goal is not just to track problems but also to learn from the mistakes others have made and improve our own processes and policies, including how we reset passwords.

This story from a high school in Illinois is a good example.

To summarize the article: the staff at Oak Park and River Forest High School were performing a cybersecurity audit and accidentally reset all of their students’ passwords in the process. To help students regain access to their accounts, they then changed everyone’s password to “Ch@ngeme!” and sent out a mass email admitting their mistake, providing the new password, and urging students to log in and change it.

On the surface this might seem like a reasonable response, and while we commend the school administration’s commitment to transparency and to quickly informing everyone what happened, they also made several fairly severe cybersecurity mistakes.

1. Resetting passwords for the entire student body.

This, of course, is the issue that started the whole thing. It’s not clear exactly what happened, but we do know it was caused by a cybersecurity audit. It’s possible they ran a script to evaluate the state of the students’ passwords, and an error in the script resulted in the initial unintentional reset.

2. Changing all the student passwords to the same thing.

To be fair, “Ch@ngeme!” isn’t actually that bad for a temporary password: it’s decently long, has upper case, lower case, special characters and numbers, and is even fairly easy for the user to remember. The problem, of course, is that shared passwords are wildly insecure, and widely shared ones exponentially worse. You’ve essentially allowed anyone with the password to access anyone else’s account.

3. They told everyone what happened.

To be clear, this normally isn’t a mistake; restoring trust is paramount after a cybersecurity incident, regardless of whether it involves phishing, resetting passwords, ransomware, or whatever the hackers cook up next. And the best way to restore that trust is to explain what happened, how you fixed it, and how you’ll prevent it from happening again. But hopefully most people understand why you don’t want to change everyone’s password to the same thing to begin with, and then, worse, broadcast that password. We appreciate the zeal, but in this case a little more careful consideration was called for.

To their credit, the subsequent mistake was also noticed quickly and corrected, and the fact that they came clean about the situation is to be applauded. Realistically, those staff had probably never reset multiple user passwords simultaneously, and may have reused the process for resetting a single user’s password. It’s the sort of mistake anyone could make, especially under pressure. Nevertheless, it remains a cautionary tale for why we should all take a second to breathe and not act with undue haste, even during a serious event.
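As an added example (not code from the article, the school, or TRINUS), here is how a bulk reset can be scripted so that each account receives its own random temporary password, is forced to change it at next login, and an accidental whole-directory reset is refused unless the operator explicitly confirms it. The `Account` record, the in-memory directory, the bulk threshold of 10 and the use of PBKDF2 from the standard library are all assumptions made for the example; a real identity system would use its own directory API and a password KDF such as argon2 or bcrypt.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass


# Hypothetical in-memory account record standing in for a directory entry.
@dataclass
class Account:
    username: str
    salt: bytes = b""
    pw_hash: bytes = b""
    must_change_password: bool = False


TEMP_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_temp_password(length: int = 16) -> str:
    # secrets (not random): temporary passwords must be unpredictable,
    # and each call yields a different value, so no two users share one.
    return "".join(secrets.choice(TEMP_ALPHABET) for _ in range(length))


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library (assumed KDF for the example).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def reset_accounts(directory, targets, *, confirm_bulk=False, bulk_threshold=10):
    """Reset the named accounts to distinct random temporary passwords.

    Returns {username: temp_password} for out-of-band delivery to each user.
    Refuses an empty target list, unknown accounts, and any reset larger than
    bulk_threshold unless confirm_bulk=True is passed explicitly.
    """
    targets = list(targets)
    if not targets:
        raise ValueError("refusing to reset: no target accounts specified")
    unknown = [u for u in targets if u not in directory]
    if unknown:
        raise KeyError(f"unknown accounts: {unknown}")
    if len(targets) > bulk_threshold and not confirm_bulk:
        raise PermissionError(
            f"{len(targets)} accounts exceeds bulk threshold {bulk_threshold}; "
            "pass confirm_bulk=True to proceed"
        )
    issued = {}
    for username in targets:
        temp = generate_temp_password()
        acct = directory[username]
        acct.salt = secrets.token_bytes(16)          # fresh per-user salt
        acct.pw_hash = hash_password(temp, acct.salt)
        acct.must_change_password = True             # force change at next login
        issued[username] = temp
    return issued


def authenticate(directory, username, password):
    """Return 'ok', 'must_change', or 'denied'."""
    acct = directory.get(username)
    if acct is None or not acct.pw_hash:
        return "denied"
    candidate = hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        return "denied"
    return "must_change" if acct.must_change_password else "ok"


def change_password(directory, username, current, new):
    """Let a user replace a temporary password; clears the must-change flag."""
    if authenticate(directory, username, current) == "denied":
        return False
    acct = directory[username]
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_password(new, acct.salt)
    acct.must_change_password = False
    return True


if __name__ == "__main__":
    # Constructed sample directory of three student accounts.
    students = {f"student{i}": Account(f"student{i}") for i in range(3)}
    issued = reset_accounts(students, ["student0", "student1"])
    for user, temp in issued.items():
        print(f"{user}: temporary password issued, must change at next login")
    print(authenticate(students, "student0", issued["student0"]))  # must_change
    print(authenticate(students, "student1", issued["student0"]))  # denied
```

The two guards are the point: a temporary password that is unique per account cannot be used to log in as anyone else, and a reset that touches more accounts than expected stops and asks rather than silently doing what a single-user script was never designed to do.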

If you’d like to discuss password best practices, particularly for resetting passwords, or to develop incident response plans for situations like these, please contact a TRINUS cybersecurity professional; we’d be delighted to help out.

This week’s quote comes from the Shakespeare play Henry V: “Advantage is a better soldier than rashness.”


Be kind, courtesy your friendly neighbourhood cyber-man.
