High School in Illinois Changes Every Student's Password To 'Ch@ngeme!' (techcrunch.com)

After a cybersecurity audit mistakenly reset everyone's password, a high school changed every student's password to "Ch@ngeme!", giving every student the chance to hack into any other student's account, according to emails obtained by TechCrunch. From the report: Last week, Oak Park and River Forest (OPRF) High School in Illinois told parents that during a cybersecurity audit, "due to an unexpected vendor error, the system reset every student's password, preventing students from being able to log in to their Google account."

"To fix this, we have reset your child's password to Ch@ngeme! so that they can once again access their Google account. This password change will take place beginning at 4 p.m. today," the school, which has around 3,000 students, wrote in an email dated June 22. "We strongly suggest that your child update this password to their own unique password as soon as possible."

  • by mik ( 10986 ) on Thursday June 29, 2023 @01:04PM (#63643924)
    Good thing they're following password complexity recommendations...
    • It was terrible for me. I went from 1966 through 1981 without even having a student password. No wonder I had problems!

      • by Anonymous Coward
        I went through those years without being a student!
  • by nospam007 ( 722110 ) * on Thursday June 29, 2023 @01:06PM (#63643928)

    Small wonder the world is like it is.

    • Have you seen what schools pay teachers, much less the support staff? You pay bottom tier wages you get bottom tier workers.

      • 15 years ago an acquaintance with about 4 years of teaching experience was making about 8pm to teach stem classes.

        I'm guessing it hasn't dropped since then.

        • The teacher isn't doing the IT work, support staff is, and they get 30k-60k generally. High schools aren't great workplaces for IT staff -- tight budgets, legacy equipment constantly needing maintenance, and administrators who think you're also a volunteer for their "mission" and have no problem with you working long hours for no extra charge rather than buy new hardware. So, they end up with people with subpar skills, issues (constantly calling in sick, other life problems that affect work), or who leave as s
          • Re: (Score:3, Interesting)

            by Moryath ( 553296 )

            Chances are the person doing this isn't actually an "IT Professional." Much of the time, the "IT Specialist" is someone who was hired for a different task, and then told "ok you seem tech savvy" by someone in administration and just had the IT tasks dumped on their heads on top of their main job duties. Schools in the USA have become so defunded that they can't afford to hire a full-time, fully accredited IT staff so things like this are inevitably going to happen.

            The solution would be to properly fund an

            • I think the solution means the schools need to be more vertically integrated. In this case, they blame a "vendor," which most likely means a Managed Services Provider. The owner of said MSP wants to pay these specialists for as little as possible and sell them for as much as possible. Clearly, they can't be bothered to train their professionals on basic security, or even have someone with baseline security competency review their work.

              The solution: Centralize the IT support of the various systems behi

          • The teacher isn't doing the IT work, support staff is, and they get 30k-60k generally

            In one of my previous jobs, (they really couldn't afford anymore), I was getting around 16K annually before taxes.

            High schools aren't great workplaces for IT staff -- tight budgets, legacy equipment constantly needing maintenance

            That's true just about anywhere. Very few places outside of some SV startup are going to have brand new top of the line hardware / software. Let alone a publicly funded organization who's always first in line for budget cuts by politicians.

            administrators who think you're also a volunteer for their "mission" and have no problem working long hours for no extra

            To quote my own previous contracts: "Additional duties as directed"

            A catch all for any idiot, IT or otherwise, who tries to claim that they never require

      • teachers are union! support staff not

        • by tlhIngan ( 30335 )

          teachers are union! support staff not

          In a lot of places, the support staff are union as well. They're generally not in the same union as the teachers, but in a different union.

          Yes, it also results in problems when the support staff goes on strike since teachers will refuse to cross.

          • Yes, it also results in problems when the support staff goes on strike since teachers will refuse to cross.

            Given how integrated schools are with IT these days, would you want to be stuck babysitting for 8 hours straight when little jon forgot his password, little suzy threw up on the keyboard again, lo and behold the Wifi is down again, and know in advance it ain't getting fixed today?

      • Depends where you live. In our country teachers sometimes get even more than regular IT personnel, with even more vacation days, and still they keep complaining.
      • Changing every student's password to "Ch@ngeme!" could be considered as a security lapse. While it's understandable that the school wanted to quickly resolve the issue caused by the cybersecurity audit, setting a generic and easily guessable password for all students could compromise the security and privacy of their accounts. By doing so, the school essentially
        • Lapse? Whoever did that was never secure to begin with. Being unique is the key feature and purpose of a password. They gave everyone a master key that opens everyone's lock. It didn't decrease security, it removed it entirely, for everyone. That is Maximum Incompetence and should probably be cited in the Dictionary for reference.

    • Their sysadmin isn't teaching anyone. But it doesn't even sound like it was him who did this, they called it a "vendor error". The only problem this shows is that they are unwilling or unable to hire qualified, full-time IT staff.

      • That or it's the little bobby tables problem again. My guess is they forgot to specify some ID number on the GUI reset utility, clicked through the "I understand, do as I say!" Linus prompt, and so the result was it reset all of the passwords in the DB backend it had access to.
  • by alvinrod ( 889928 ) on Thursday June 29, 2023 @01:11PM (#63643952)
    Now the students can email the teachers or anyone else at the school and tell them all exactly what they think of them and just blame it on some mysterious "hacker" if questioned. What can principal shit-for-brains do to them over the school's mistake?
  • Unbelievable (Score:4, Interesting)

    by NFN_NLN ( 633283 ) on Thursday June 29, 2023 @01:14PM (#63643962)

    If you aren't going to send out unique passwords the LEAST they could do is make temporary passwords based on student ID and birthdate. At least that limits it to friends hacking your account.

  • Well, I'm sure everyone is thinking it: who's the person who had this dumb idea?
    Resetting passwords after a hack is one thing, but making them all the same? This is an epic blunder.

    They should probably lock every account now and start a reset of password with unique ones for each account. I'm not sure how you would go about this, I don't know their system but there has to be a way.

    Anyway, let the hacking begin.
    Have a great day everyone!

    • by Cinder6 ( 894572 )

      Also amazing the "fix" is apparently not coming until "over the weekend". I hope the school keeps backups, because there will be many emptied drives.

    • This can be scripted in about 30 minutes with GAM, and that time is almost entirely waiting for the script to finish due to rate limiting. Or they could use Amplified IT's Gopher and do it faster and graphically.

  • Instead of hosting themselves is just as scary.
    • by taustin ( 171655 )

      Given their ineptitude at a password reset, do you really believe they could handle running a mail server?

      I doubt these guys can handle a Mr. Coffee.

    • They very well could be getting the mail and Drive services for free. No ads, no tracking, just no insight either. If they are paying, then it is somewhere on the order of $3 per student per year. They most likely have one, given this, DC and no backup, and it is probably 15 years old. There is no way they have a budget to have an actual network admin, and an on-prem email server.

    • by Midnight_Falcon ( 2432802 ) on Thursday June 29, 2023 @02:11PM (#63644174)
      Have you ever seen a school host their own Exchange instance? It's not trivial to do, and generally results in high IT maintenance costs and significant downtime for maintenance and issues. It also requires opening a hole in the firewall for numerous services, hitting the Exchange server...which can be a huge attack vector. Even schools that self host tend to put a cloud service in front of the server such as MXLogic or Proofpoint, which pipes emails on through to the real server.

      Gmail is far more reliable than any self hosted school system I've ever seen, and costs nothing for educational use.

      • by wbean ( 222522 )
        Not only that but Google's spam filter is the best I've ever seen. I run my own mail server but I funnel mail through gmail just to get the filter.
      • But it would be trivial to host an instance with postfix/dovecot/roundcube.

  • I have no words. I have a conclusion though. There is no money available for anybody to do anything, and so whoever could figure out a relatively easy solution was permitted to do so. No point in rubbing their face in the decision - they probably weren't qualified to make that choice, but were pushed into it.

  • by Anonymous Coward
    Since when does an "audit" make changes? Something doesn't smell right here. Was it an "audit" or a "remediation effort"? Yes, semantics does matter.
    • They blamed it on a third-party vendor. If they are hiring a third party to manage email accounts, they obviously have no in-house IT expertise. I imagine they gave the vendor broad and/or vague instructions. Then the vendor assigned somebody incompetent to work on those instructions.

  • #assuming this is AD related...
    #assuming you have users in a container called Users (the DN below is a placeholder, swap in your own domain)
    $users = Get-ADUser -Filter 'Name -like "*"' -SearchBase 'CN=Users,DC=example,DC=local'
    #loop through each user and collect one row per account
    $csvobjects = foreach ($user in $users) {
        $passfunction = Get-Random
        #concat username + random number for a password, ya it's shite but quick n dirty
        $password = $user.SamAccountName + $passfunction
        #Set-ADAccountPassword wants a SecureString, and -Reset sets it without knowing the old one
        $secure = ConvertTo-SecureString $password -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure

        #emit a $csvobject to prep the above for nice and neat CSV export.
        [pscustomobject]@{
            user     = $user.SamAccountName
            password = $password
        }
    }
    #pipe the CSV objects to Export-Csv (plaintext passwords: treat the file as a secret and delete it once handed out)
    $csvobjects | Export-Csv -Path '.\new-passwords.csv' -NoTypeInformation

    • I guess I should RTFA more often, this was google related. NP though. Powershell and GAM play nice together using CSV as an intermediary.

        https://github.com/GAM-team/GA... [github.com]
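Taking the script above and the "PowerShell and GAM via CSV" remark together, here is an added Python example (not from any commenter, and not GAM's own code) of the defensible version of the same job: one CSPRNG temporary password per account, a check that no value is shared across accounts (the exact failure in the story), and CSV text in an email,password shape a bulk tool such as GAM can consume. The account list is constructed, and the column names and the 14-character complexity policy are assumptions.

```python
import csv
import io
import secrets
import string

# Constructed sample accounts (placeholders, not real students).
SAMPLE_USERS = ["s1001@example.edu", "s1002@example.edu", "s1003@example.edu"]

SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_temp_password(length=14):
    """Random temporary password from the OS CSPRNG (secrets), resampled
    until it has lower, upper, digit and symbol (an assumed complexity policy)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def build_reset_rows(users, length=14):
    """One {email, password} row per account; uniqueness is enforced, not assumed."""
    rows, seen = [], set()
    for email in users:
        pw = generate_temp_password(length)
        while pw in seen:  # collision is astronomically unlikely, but checked anyway
            pw = generate_temp_password(length)
        seen.add(pw)
        rows.append({"email": email, "password": pw})
    return rows


def shared_passwords(rows):
    """Audit check: passwords used by more than one account. Expected result: empty set."""
    counts = {}
    for r in rows:
        counts[r["password"]] = counts.get(r["password"], 0) + 1
    return {pw for pw, n in counts.items() if n > 1}


def to_csv(rows):
    """Render rows as 'email,password' CSV text for a bulk update tool.
    The output holds plaintext credentials: handle it as a secret and shred it after use."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["email", "password"], lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = build_reset_rows(SAMPLE_USERS)
    assert not shared_passwords(rows)  # the 'Ch@ngeme!' case would fail here
    print(to_csv(rows))
```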

    • Did you read the article dude? It's the students' Google Workspace accounts, no old-school self-hosted Active Directory involved. You'd have to use GAM to do this instead, in which case you'd probably use zsh rather than crufty powershell.
      • they can have local Active Directory + google

        • While that's possible, who in their right mind pays IT staff to maintain local hardware requiring HVAC and electricity in a server closet at a school as a critical dependency for your cloud-based logins? Microsoft will practically give you cloud-based AD if you're a nonprofit. This makes no sense in the last decade or two.
          • if they have Windows PCs / software at the school?

            • All still-supported versions of Windows natively support Azure AD. AzureAD is basically free for nonprofits and education, so why would they self-host? Self-hosted AD requires that the DCs take over all DNS traffic, so any problems with the DCs mean the whole school network is "down." When it goes down, they get to pay IT workers to fix it..further increasing costs. For cost-sensitive places like high schools it doesn't make much sense to self-host AD.
    • Wait, you can't read the users' password in AD, only the hash.
      Maybe they found something in the audit and somehow marked all students into the reset-to-default / first password??
      "Ch@ngeme!" sounds like someone picked that as the fixed password to use on resets / first time.
      Now did they use the same one for all of the new students each year?
      Did they not have a good plan for a mass password reset, and someone just said use the same password?

      Now due to it being a school they maybe can't use the students' own (non-school)

  • That's nothing! (Score:2, Interesting)

    by Anonymous Coward

    My kids' school sets all the students' passwords to the same password, and then instructs them NOT to ever change it. Further, the "IT guy" gets mad at them if they do, and changes it back to the same as everyone else.

    No joke.

    (posting anonymously just in case people can figure out which school district this is by my profile)

  • Therefore they all should be using MFA, meaning this reset should be of very low risk to them even if they forget to change the password when asked!
  • Schools tend to have somewhere each student will be each day that they are known to a staff member, be it a 1st period teacher, a homeroom, or even the office. How hard is it to hand out a piece of paper to each student with their new password and then email the parents advising them to check backpacks?

    The real take-away is that IT needs to be professionally managed and not just an add-on-duty, similar to the way schools handle nursing and teaching.

  • Idiots should not be put in charge of running dangerous machinery.
