A Word About Passwords
Admin rights and least privilege
Hot topic in education. As a former teacher, I completely understand the desire and the need to have admin rights to install what you want, when you want, without burdensome review. However, when our district went the least privilege route, malware infections went from a weekly event to virtually non-existent. All security is a trade-off though, so we went with a blended approach of explicitly denying admin rights by default, but offering our users the ability to earn admin rights by completing security awareness training about the responsibilities that come with admin rights, and the actions to take when you accidentally install something bad or lose your creds. When we revamp this system, we'll add in a requirement to not use a recycled password for admin credentials. In a dream world, requiring MFA would be nice, but at least in my environment I don't think it's a trade-off folks are willing to make.
When making a push for password resets, KnowBe4 makes a free password strength tester you can run in your AD environment. I also like to use the strength test found here, because it doesn't just say strong or weak, but estimates how many bits of entropy the password has, and categorizes strength based on what you want to use it for. The scale ranges from "Very weak, might keep out family members" to "Very Strong; often overkill." The most important mental shift to make with passwords is to stop thinking about passwords and think about passphrases. For example, this 8 character password [u$T7Dc7U] with uppercase, lowercase, numbers, and special characters is rated as Weak with 32.1 bits of entropy. [Rainbowunicornsaremyfavorite] on the other hand is approximately a billion times easier to memorize, and is also considered Very Strong with 130.6 bits of entropy. One caveat: those figures are the tester's estimate based on the characters it sees. A cracker that guesses whole dictionary words instead of single characters makes far more progress per guess, so treat a passphrase's entropy score as an upper bound and pick words that aren't a famous quote or a predictable phrase.
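To make the character-versus-word distinction concrete, here is an added example (not the tester the post links to, and not the post's own code) that scores the two passwords above under two textbook models: the attacker brute-forces every character from the classes used, or the attacker guesses whole words from a wordlist. The 20,000-word dictionary and the 10^10 guesses/second rate are assumptions; the bit counts will not match the 32.1 and 130.6 the linked tester reports because it uses its own estimator, but the ordering is the point.

```python
import math
import string

# Two textbook strength estimators, added as an illustration. The entropy figures
# on the page come from a different tool and will not match these numbers.

def char_pool_size(password: str) -> int:
    """Alphabet size an attacker must brute-force if the password were uniformly
    random over the character classes it actually uses."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        pool += 1
    return pool

def charclass_entropy_bits(password: str) -> float:
    """Best case for the defender: every character independent and uniform."""
    pool = char_pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0

def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Worst case for a passphrase: the attacker guesses whole words, so each
    word contributes only log2(wordlist_size) bits, however long it is."""
    return n_words * math.log2(wordlist_size)

def days_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess (half the keyspace on average)."""
    expected_guesses = 2.0 ** bits / 2
    return expected_guesses / guesses_per_second / 86400

# Constructed inputs: the two examples from the page, plus an assumed 20,000-word
# dictionary (generous to the attacker; diceware lists are 7,776 words) and an
# assumed offline cracking rate for a fast, unsalted hash.
RANDOM_PASSWORD = "u$T7Dc7U"
PASSPHRASE = "Rainbowunicornsaremyfavorite"
PASSPHRASE_WORDS = ["Rainbow", "unicorns", "are", "my", "favorite"]
WORDLIST_SIZE = 20_000
OFFLINE_GUESS_RATE = 1e10

def compare() -> dict:
    return {
        "random_charclass_bits": charclass_entropy_bits(RANDOM_PASSWORD),
        "phrase_charclass_bits": charclass_entropy_bits(PASSPHRASE),
        "phrase_wordlist_bits": passphrase_entropy_bits(len(PASSPHRASE_WORDS), WORDLIST_SIZE),
    }

if __name__ == "__main__":
    for name, bits in compare().items():
        days = days_to_crack(bits, OFFLINE_GUESS_RATE)
        print(f"{name:24s} {bits:6.1f} bits  ~{days:.3g} days at {OFFLINE_GUESS_RATE:.0e} guesses/s")
```

Even under the pessimistic wordlist model the five-word phrase (about 71 bits) beats the eight-character random password under its own best-case model (about 52 bits, a few days at the assumed rate), which is the argument to make to users.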
Password reuse keeps me awake at night. To think that everyone will use totally unique passwords for every site is unrealistic, even with a password manager. It's something to aspire to, but I know it's not going to happen. Instead, I try to drive home the importance of making their most important accounts totally unique. School Email should be totally unique and not reused ANYWHERE. Student Information System (SIS) passwords should be totally unique and not reused ANYWHERE. Beyond that, I encourage folks to do clusters of unique passwords. For example, use/reuse one password for social media. Use a different password for banking. Use a different password for online shopping. This same training is a great place to introduce the topic of password managers. For an advanced session, you could throw out something like using 1Password as a password manager with integration with Privacy.com. This setup allows you to set up temporary or one-time-use credit card numbers to shop online. Amazing.
To help make this case more clearly to users, we subscribe to HaveIBeenPwned.com's domain notification list. Whenever HIBP posts details of another breach, if any of the accounts in my domain were included, I get a notification. I then notify those users with a sample letter outlining which service they use was breached, what data was exposed, and instructions for changing their most important school passwords, and point out that they should change that password anywhere else they used it in conjunction with their school email address.
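The domain notification list tells you which accounts were in a breach; HIBP's separate Pwned Passwords service lets you check whether a given password itself has shown up in one, which is useful when you want to screen a new password at reset time without ever sending it anywhere. The following is an added example (not the post's code, and not an official HIBP client) of the range lookup: only the first 5 hex characters of the password's SHA-1 go to the API, and the remaining 35 are matched locally. The endpoint and the `SUFFIX:COUNT` response format are real; the sample response and its counts below are constructed so the demo runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Added example: k-anonymity range lookup against HIBP Pwned Passwords.
# Real endpoint; the offline sample response further down is constructed.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_prefix_suffix(digest: str) -> Tuple[str, str]:
    """The API is keyed on the first 5 hex chars; the other 35 never leave the host."""
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries (count 0, returned when the
    Add-Padding header is set) are harmless: a lookup on them yields 0 anyway."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # skip malformed lines rather than crash on them
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range_http(prefix: str) -> str:
    """Real network fetcher; the demo below injects an offline stand-in instead."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "passphrase-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_http) -> int:
    """How many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_prefix_suffix(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed stand-in for the API. The suffix for "password" is its real SHA-1
# tail (full digest 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the counts and
# the other suffixes are made up.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",
        "0123456789ABCDEF0123456789ABCDEF012:7",
        "F" * 35 + ":0",  # padding-style entry
    ]),
}

def fake_fetch_range(prefix: str) -> str:
    return FAKE_RANGE_RESPONSES.get(prefix, "")

def check(password: str) -> str:
    n = pwned_count(password, fake_fetch_range)
    return f"seen {n} times in breaches" if n else "not in the corpus"

if __name__ == "__main__":
    for pw in ("password", "Rainbowunicornsaremyfavorite"):
        print(f"{pw!r}: {check(pw)}")
```

Because the fetcher is injected, the same `pwned_count` function can be wired into a reset workflow with `fetch_range_http` and unit-tested with the fake; the hash prefix is all an observer of the request learns, and a breach count greater than zero is a reason to reject the password before it is ever set.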