Password Literacy and Single Sign-On

The topic of this post has been on my mind for a while, but got pushed to the front of my attentional space recently when two things happened:

  1. In one of the biggest security breaches in history, a Russian gang stole some 1.2 billion usernames and passwords last week.
  2. This article on how a new single sign-on app will make teachers’ lives easier showed up on my Twitter feed yesterday.

Password Literacy: It’s a Thing.

Let’s begin by explaining why these two events are connected in my head. I have a thousand billion gazillion passwords (at least that’s what it feels like). I have so many passwords that whenever I need to sign into my retirement accounts, I have to answer all the security questions (uh, I forget which pet’s name I told you, and also, I’m not sure who I thought my favorite teacher of all time was when I set up this account, but thanks for asking). Sure, I could write these passwords down somewhere, but I’ve had it drilled into my head that that’s a very bad idea. Actually, there are lots of rules about passwords I’ve had drilled into my head. Here are a few:

  1. Don’t use your DOB
  2. Don’t use your anniversary
  3. Don’t use any date, really, that’s actually meaningful or traceable back to you or any of your loved ones or any of their loved ones
  4. Include ridiculous characters like *%&!$#€¿ψ∑Þ or @
  5. Include numbers (but again, no meaningful ones)
  6. Don’t use the same password for multiple accounts
  7. Don’t use obvious words (your kid’s name, your husband’s name, your name, your goldfish’s name, your aunt’s name, your street name, your city name, etc.)
  8. Don’t write it down on a piece of paper that says “top secret passwords” at the top.
  9. Don’t write it down at all, actually.
  10. But make sure you remember it.

(John Oliver had a hysterical bit about this exact phenomenon on last Sunday’s Last Week Tonight, but the clip isn’t up on his YouTube channel yet.)

I have so many different incarnations of various passwords, and I actually get excited when I figure out how to take an old password and transform it with one or two changes that will make it more secure. I’ve become strategic about which passwords I use for what, and what security measures I take with passwords for different things. I still don’t do it “right.” The best passwords are randomly-generated and kept secure through a service like KeePass. But I’m developing my savvyness and strategery with passwords as the number of accounts in my life skyrockets. That’s right — password literacy. It’s a thing.

Single Sign-On is also a Thing.

If I’m being honest, this particular consequence of living a highly digital life can get a little exhausting. It’s particularly annoying when different sites have different rules for what must (or must not) be included in a password, and I can’t remember which ridiculous character I did or did not integrate — and where — or which totally non-obvious word I chose for which site. But hey, I’m an adult, I’ve lived with it for a long time, and I know how to deal with it. I’m at least somewhat password-literate.

However, for today’s highly digital teachers who want to use digital technologies in the classroom, with students, this becomes problematic. I’m sure you can imagine the scenario:

You’re in a room full of 13-year-olds, and they all set up Pinterest accounts yesterday to get ready for an activity you’re doing today, where they’ll create boards for the characters in a novel you’re reading. But wait — this kid doesn’t remember his login name, and that one doesn’t remember his password. Five or six hands shoot up just as you’re ready to launch into modeling the day’s task, and you’re forced to stop and give up precious instructional time to make sure everyone’s logged on.

It’s enough to make any teacher want to scratch the tech and do something else.

This happened to me frequently in my classroom, and there are ways of dealing with it. My favorite strategy included developing systematic logins and passwords for each student, so that I could then remember their handles and passwords without needing to look them up. At other times, I would discuss with students how to develop passwords that would be both secure and memorable. But inevitably, Jimmy would forget his password or Anita would spend 15 minutes vainly attempting to log in. It was one of the realities of working with digital media with a room full of teenagers.

There’s no need for that anymore with Instant Login and similar multi-app login sites (some of which you can log into via social media or Google accounts), which allow teachers to sync students’ passwords across platforms so that they can log into everything they need for school once, and never again! Sounds great, right?

Point, Counterpoint

It does sound great. It sounds really great. The former teacher in me (and edtech specialist who really wants teachers to use digital media) is jumping up and down with glee. It’s why schools have signed onto Google Apps for Ed and encouraged teachers to use Google Apps before turning to other platforms (like WordPress or Weebly): because you only need one sign-on and BAM, you’re into Drive, Calendar, the new Google Classroom, Blogger, and so on. Teachers at my research site lamented how frustrating it was to help students keep track of their multiple logins and passwords, and what a headache it was to have so many available platforms that students needed to constantly access with multiple logins.

So here’s my counterpoint — something that’s been nagging at me lately. Isn’t this part of digital life as we know it? And if there is such a thing as password literacy, or even password strategies, shouldn’t we be working on these skills with students?

I certainly understand the headache that comes from having 25 kids in a room totally ready to go and 5 who can’t, to save their lives, type their password in correctly or even remember what it is. I remember keeping lists of student passwords in some locked file on the computer that I had to access multiple times a day. But I have to wonder if, with single sign-ons and one-size-fits-all company models like Google’s, we are depriving today’s students of a singularly important digital skill — maintaining ridiculously multiple and annoyingly complex logins and passwords.

Here’s a little more on how Instant Login works, according to the article:

about 25 percent of class time is usually spent on troubleshooting and getting educational program up and running, according to a press release from the company. The survey also revealed that teachers found the sign-on issues a barrier to adopting more digital-learning software.

The service works by using a school system’s class roster and connecting it with web-based educational-software packages, eliminating the need for multiple logins for each student.

The software can connect with over 20 of the “most popular apps” used in schools, and students will be automatically signed in if they sign into just one of the apps, negating the need for them (or their teachers) to remember multiple passwords or to strategically design and use their passwords and logins, certainly streamlining things for teachers. And I’m all for just about anything that gets more edtech into the hands of teachers and their students.

I just can’t help but worry that we might be missing a bit of the point of engaging students with digital technologies when we take one of the fundamental elements of online engagement — managing logins and passwords — and omit it from the conversation and the learning environment.

That list of password “rules?” I learned that in my years as a college student, teacher, grad student, and lover of all things digital. I’ve learned to become a strategic manager of passwords and logins over years of digital learning, and I’m pretty lucky my identity was never stolen and my accounts never hacked (that I know of), because my practices used to be pretty horrible. This is one element of “digital citizenship” that doesn’t often get addressed or even acknowledged, but it’s important — if today’s students are going to be digitally savvy and smart adults, or responsible digital citizens, don’t they need to know how to manage their accounts in smart and strategic ways? And more to the point — isn’t it better that they experiment with this, fail at it, and learn from it in the safe context of the classroom, where it doesn’t matter so much that Anita’s classroom Pinterest account got hacked?

I don’t think there’s an easy answer to this question, and would welcome my wonderful readers’ thoughts on this! In what contexts might it be best to streamline student login/password processes, and in what contexts must we teach students how to be savvy with their digital security?