Several of the Computer Science teachers in one district have established a portal which uses a “cloud concept” to provide information for parents of students in their classes. Some of the content is FERPA protected and in this particular district, there is also a strong Blackboard Connect system that is well used by parents. The issue that is hotly being debated is whether or not the teachers should distribute new passwords to parents to use this new portal. At this moment, there are no legal precedents for or against sending these passwords via email, but thoughts for and against doing this are starting to surface.
Any thoughts pro or con, or legal issues to look out for that may have been encountered elsewhere?
Gladys Phillips-Evans
CSTA Board Member
Why do the passwords need to be generated by the system? If the passwords are ever in a clear-text form, whether in an e-mail or just on the server itself, there’s a potential for them to get into the wrong hands. Secure websites only store password hashes — it’s very hard for anyone, including the website owners, to retrieve the passwords from there. I in this case there is probably a legal issue, but regardless, sending out passwords over e-mail is an insecure strategy that most modern websites have moved away from.
It’s common to verify identity through e-mail addresses. Could your system have a list of authorized parent e-mail addresses that all receive an invitation to sign up for the service? The final account creation task could then be to retrieve a unique identifier from an e-mail. In such a system, only someone with access to a pre-approved e-mail account can create an account and passwords never need to be stored in clear text.
Password storing and identity verification needs to be much better understood by the average computing user. Here is a good explanation of how authentication should be done: http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/ It’s meant as a tutorial but I think it’s possible to get a good sense of how this works while skipping the programming bits.
Again, it should NEVER be possible for ANYONE, including the website owner, to retrieve a clear text version of any password. If a site offers to send you your password in its ‘forgotten password’ form, your password is not safe.