A Different Kind of High School Insecurity

Anthony Super
3 min read · Oct 27, 2014

The high school I go to (whose name I do not care to remember) prides itself on being a school for “21st century learners.” It makes liberal use of Remind, owns several SMART products, gives IB students free iPads, registers every student with their own Google account and email, and uses Moodle to interact with students.

It’s also one of the least secure schools in America.

You see, the school’s administration had a problem. They needed to give everybody logins for all of these technologies, but many students couldn’t be bothered to create the accounts themselves. So the school created the accounts for them, with one username and password that is shared across every service.

Now, this is already pretty bad for security, but not unmanageable. Sure, reusing one username/password pair across services is bad practice, because a breach of any one service exposes all of them. But a lot of people do that without getting hacked. So, really, not that bad, right?

Well, there’s another problem. Every password has the exact same format: four letters that never change, followed by six digits, which are the student’s ID number.

Okay, so that’s pretty bad. Those passwords have almost no entropy: the letters are fixed, so there are at most a million possibilities (under 20 bits), and for a student whose ID you know there is exactly one. But all of those sites have a login attempt limit, so it’s not that bad. Besides, the students’ data isn’t super important, right?

Well, the teachers have a similar pattern. Including, as far as I’m aware, the administrators. So somebody could, potentially, do some serious damage. But they’d still need to find the username, and that’s more complicated, right?

Yes. But the usernames are also the usernames of the school-provided Gmail accounts, and all of those are saved in our contacts. So it’s easy to get a list of every username in the school, and who it belongs to. And since the password is just the fixed prefix plus that person’s ID number, anyone who can learn a student’s ID needs exactly one guess for that account, which never comes close to tripping a lockout.

Still, brute-forcing something takes time, and, well, it could be worse, right?

Yes. Yes it can.

You see, our school’s wifi uses the same login username/password combo. It also uses LEAP, a deprecated and thoroughly broken Cisco authentication method that earned a place on ZDNet’s list of the “six dumbest ways to secure a wireless LAN.” LEAP authenticates with an MS-CHAP-style challenge/response, and anyone on the same network can capture that exchange and crack it offline against a dictionary; that is exactly what Joshua Wright’s asleap tool does. With a dictionary of at most a million entries, every captured exchange cracks in seconds. So somebody on our school’s network with asleap could collect the username/password combo of everyone who connects while they listen, teachers and administrators included, and with those get all of our students’ personal data. For teacher accounts that includes the full gradebook.
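To make the two weaknesses concrete, here is an added example (my code, not anything from the post or the school) that models both attacks. It assumes a placeholder prefix "abcd" for the school’s four fixed letters, a constructed contact list of usernames and student IDs, and a SHA-256 stand-in for LEAP’s real MS-CHAP (MD4 plus DES) challenge/response, which an attacker would crack with asleap rather than re-implement. The logic is the same in both cases: the password space is so small that a lockout never triggers online, and a captured exchange falls to a dictionary offline.

```python
"""Added example (not from the original post): why a "4 fixed letters +
6-digit ID" password format defeats both login lockouts and a LEAP-style
challenge/response.

Assumptions, none of which come from the post: the fixed prefix is "abcd";
CONTACTS is a constructed username -> student ID list; toy_response() is a
SHA-256 stand-in for LEAP's MS-CHAP computation (MD4 NT hash, then DES).
"""
import hashlib
import math
import os

PREFIX = "abcd"      # assumed stand-in for the school's fixed four letters
ID_DIGITS = 6


def keyspace():
    """Possible passwords and the equivalent entropy in bits.

    A 10-character password looks strong, but with the letters fixed and
    the digits a 6-digit ID there are only 10**6 values: under 20 bits.
    """
    n = 10 ** ID_DIGITS
    return n, math.log2(n)


def password_for(student_id):
    """The only password the format allows for a given ID."""
    return f"{PREFIX}{student_id}"


def candidate_passwords():
    """Every password the format allows, in ID order (the whole dictionary)."""
    for i in range(10 ** ID_DIGITS):
        yield password_for(f"{i:0{ID_DIGITS}d}")


# --- Online: lockouts do not help when one guess per account is enough ---

class LockoutAuth:
    """Toy login service that locks an account after MAX_ATTEMPTS failures."""
    MAX_ATTEMPTS = 5

    def __init__(self, directory):
        # directory: username -> student ID (constructed sample below)
        self._pw = {u: password_for(sid) for u, sid in directory.items()}
        self.failures = {u: 0 for u in directory}
        self.locked = set()

    def login(self, user, password):
        if user in self.locked:
            return False
        if self._pw.get(user) == password:
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.MAX_ATTEMPTS:
            self.locked.add(user)
        return False


def spray(auth, contacts):
    """Attacker knows the format and the contact list: one guess per account.
    Returns every compromised account; the failure counters never move."""
    compromised = {}
    for user, sid in contacts.items():
        guess = password_for(sid)
        if auth.login(user, guess):
            compromised[user] = guess
    return compromised


# --- Offline: captured challenge/response cracked against the dictionary ---

def toy_response(challenge: bytes, password: str) -> bytes:
    """Stand-in for LEAP's MS-CHAP response. The real one hashes the
    UTF-16LE password with MD4 and DES-encrypts the challenge under it;
    any function of (challenge, password) the attacker can recompute
    has the same weakness."""
    pw_hash = hashlib.sha256(password.encode("utf-16-le")).digest()
    return hashlib.sha256(challenge + pw_hash).digest()


def crack_response(challenge: bytes, response: bytes):
    """Offline dictionary attack over all 10**6 passwords the format allows."""
    for pw in candidate_passwords():
        if toy_response(challenge, pw) == response:
            return pw
    return None


# Constructed sample data, not real accounts or IDs.
CONTACTS = {
    "jdoe": "004217",
    "asmith": "013902",
    "mgarcia": "021145",
}

if __name__ == "__main__":
    n, bits = keyspace()
    print(f"{n} possible passwords, {bits:.1f} bits of entropy")
    auth = LockoutAuth(CONTACTS)
    print("compromised:", spray(auth, CONTACTS), "locked:", auth.locked)
    chal = os.urandom(8)                      # what the access point sends
    resp = toy_response(chal, password_for("021145"))  # what the client answers
    print("cracked from one captured exchange:", crack_response(chal, resp))
```

The spray never locks anything because each account receives exactly one guess, which is why a per-account attempt limit is irrelevant here; and the offline crack needs no interaction with the school at all once one exchange has been sniffed. Changing the stand-in hash to the real MD4/DES construction would not change the outcome, only the tool used.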

I have talked to the school administration about this, twice. Nothing, as far as I’m aware, has changed.

Sadly, this is not a localized problem. I suspect many schools have similar security issues. Still, as a student, it terrifies me that it is so easy to acquire so much control over the institution that has a big hand in shaping my future.

Anthony Super

Founder of ImageHex. Full Stack developer. I write fiction, but not on Medium.