purplebutterflysunshine

Ed Whittaker’s tips for hardening your school’s password security.

From phishing emails to guessed logins and reused credentials, weak password practices remain one of the most common entry points for cybercriminals—and one of the easiest to fix. Weak passwords aren’t just an IT problem—they’re a safeguarding and data protection issue. Breaches can expose sensitive personal data about pupils, staff, and families.

Password rules built on strict conditions, such as requiring uppercase letters, lowercase letters, numbers, and non-standard characters, were once considered standard practice for enhancing password security. In practice, users tended to resort to predictable patterns or easily guessable variations, such as substituting ‘S’ with ‘$’, ‘s’ with ‘5’, or ‘O’ with ‘0’. These complex passwords can also be hard to remember, so users write them down and even stick them on their monitor, or they reuse them across multiple accounts, which undermines their effectiveness.

Three-word passwords, or passphrases, gained popularity because of the advantages they offer in both security and usability, and they’re easier to remember. A passphrase may consist of three random words that hold personal significance, such as purplebutterflysunshine. Passphrases promote better user behaviour by encouraging the use of unique and memorable passwords for each account. They can also be integrated with multi-factor authentication, further enhancing security by requiring an additional authentication factor alongside the passphrase.
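The sketch below is an added example, not part of the original article: it shows why the character swaps described above add little protection (a checker can undo them in one step) and how a three-word passphrase can be drawn at random. The word lists are tiny constructed samples, and all function names are hypothetical.

```python
import math
import secrets

# Substitutions named in the article: '$' for S, '5' for s, '0' for O.
LEET_MAP = str.maketrans({"$": "s", "5": "s", "0": "o"})

# Constructed sample data standing in for a real dictionary of common passwords.
COMMON_WORDS = {"sunshine", "password", "school", "summer"}
# Constructed sample word list; a real deployment would use thousands of words.
WORDLIST = ["purple", "butterfly", "sunshine", "river",
            "candle", "orbit", "maple", "tiger"]


def normalise(password: str) -> str:
    """Lower-case, drop a trailing run of digits/punctuation, undo the swaps."""
    # Trailing characters are stripped before the swaps are reversed, so a
    # year or "1!" suffix is removed while swaps inside the word are kept.
    core = password.lower().rstrip("0123456789!?.")
    return core.translate(LEET_MAP)


def is_predictable(password: str) -> bool:
    """True if the password reduces to a common word once the swaps are undone."""
    return normalise(password) in COMMON_WORDS


def generate_passphrase(words=WORDLIST, count: int = 3) -> str:
    """Join `count` words chosen with a cryptographically secure RNG."""
    return "".join(secrets.choice(words) for _ in range(count))


def passphrase_bits(wordlist_size: int, count: int = 3) -> float:
    """Guessing entropy in bits, assuming each word is picked uniformly at random."""
    return count * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ("Sun5hine1!", "Pa$$w0rd2024", "purplebutterflysunshine"):
        print(f"{candidate!r}: predictable={is_predictable(candidate)}")
    print("generated:", generate_passphrase())
    print(f"3 words from a 7776-word list: {passphrase_bits(7776):.1f} bits")
```

The entropy figure only holds when the words are chosen at random from the list; the sample list of eight words is far too small for real use.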

Consider using a password manager. Secure password management tools can help staff generate and store strong, unique passwords without having to remember them. Cloud-based education accounts like Google or Microsoft include this functionality at no extra cost.

Plan for incidents. Despite your best efforts, a breach may still happen, so maintain a simple, well-rehearsed response plan: who to contact, how to isolate affected systems, and when to report to the ICO if personal data is involved. Quick, calm action limits damage and demonstrates compliance with data protection duties.
