(Update1) The Palm Beach County School District suffers massive pwd breach after second grader hacks them
See an important update after the original post.
From the no-one-could-have-possibly-foreseen-kids-figuring-out-default-password-conventions dept., Andrew Colton reports:
The Palm Beach County School District is in the midst of a massive computer security crisis that draws into question the authenticity of every assignment completed by every student since “distance learning” began, after BocaNewsNow.com learned that an elementary school student hacked the school district’s password system.
We are not revealing the password convention that is used in the school district, but the second grader’s — you are reading that correctly, the second grader’s — hacking resulted in an emergency login change for “live” morning meetings in several elementary schools last week. It did not result — yet — in a district-wide reassignment of student passwords for the School District’s “Portal” which provides access to Google Classroom.
Read more on Boca News Now.
Update: It seems that the school district was less than thrilled with Boca News Now making their situation public. The paper issued a second story claiming that they received a thinly veiled threat from the district. It is not clear from their reporting, though, what they are being threatened with or what they reportedly did wrong. Is the district accusing them of encouraging a student to violate the student code of conduct because they prudently made sure to verify claims of a vulnerability before reporting on it?
What did the news outlet do wrong? Nothing that I can see.
What did the district do wrong? Let me count the ways, but for now, let’s just add poor incident response to the list.
CORONAVIRUS: Palm Beach School District Threatens BocaNewsNow Over Password Story
Nancy Lorntson - May 13, 2020
No hacking going on here. It’s a pure case of the district assigning passwords that were almost certainly some combination of a student birthday, grade, initials, etc., all of which are easily discoverable through internet and social media searches. This type of password assignment is common in K-12 districts.
Additionally, the practice of not permitting students to manage their own passwords is also common practice. Districts believe that elementary-aged kids can’t remember their passwords, so by having a predictable combination of known information about a student, a teacher can easily “help” their students to log in without a password change.