[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [school-discuss] Re: Passwords for kids?

Karsten M. Self wrote:
But for a fair number of 'em, particulary the younger set, and a few
others with learning disabilities, remembering passwords seems to be
beyond the possible.  Anyone have experience with setting up accounts
for kids?
I suppose you could go for a biometric solution
How about using floppy disks as hardware ID tokens? No need for those expensive smart cards! Just slap together some public key cryptography along with those old disks and you've got yourself a relatively inexpensive solution.

(rambling follows)

Anyone remember the days when a class would be issued a set of 25.. err, 35 disks, one per student, and they would all save to their disk? Forgetting about the minor details like available space, hardware failures and being tied to an object small enough to loose, in my experience, this system functioned [relatively] well because there wasn't the fake security of a password that was the same as their user name, and therefor no challenge in trying to defeat it. Distribute the disks at the beginning of class, the kids go do their thing and a quick count at the end of the period will ensure that no one leaves his or her disk in the drive.

The downsides to this approach are as follows:

- People loose stuff. Be it kids, adults, teenagers or whatever, those disks are going to go missing and when they do, so does yesterday's homework/today's Power Point presentation that you're supposed to be giving in 4 minutes.

- People break stuff. And bend, [de]magnetize, spill juice on, spill coffee on, break pieces off or otherwise vandalize the disks. This too renders the data on the disk inaccessible and also reinforces the users mistrust in technology.

The solution, as I see it, is to use a combination of physical identifiers such as biometrics, swipe cards or old fashion steel keys, in addition to the conventional user name/password combination. This can be done by adding on to the existing infrastructure of Active Directory (aka domain authentication? I'm not very fluent in Microsoft), which already stores users' files and preferences globally so you can use any computer and still get at your data. Now if you throw in using cheap 3.5" floppy disks as password equivalent identifiers, you'll be cookin' with gas. Here's how it could work:

For each student, distribute a floppy disk containing the student's unique ID (or 'certificate', depending on how you think of it; see below) and a floppy disk label. The label can have the name already on it or you can get the kids to write it themselves, but they should be encouraged to personalize their disk so that they will be able to recognize it as their own. Colours, stickers, those oh so prevalent scented markers or the gel pens that dispense sparkles as well as near invisible ink, there should be something that appeals to the individual's sense of recognition and leaps out at them from a pile of 30. Store the labeled disks in the classroom (not the lab) in a place that's easy for kids to get at.

Now when someone wants to use a computer to, say, write a biography on Clifford Cocks, they sit down at any workstation and *either* type in their user name and password, *or*, they can put in their personalized floppy disk which contains their ID/certificate that corresponds to their account. This way, you have the option of bypassing passwords if you hold the unique ID/certificate (in this case, our floppy disk), otherwise you can just log in with a user name and password without needing to keep track of the floppy.

Although inconvenient, the loss of the floppy disk won't mean the loss of data anymore. Replacement of lost/stolen/damaged disks can be rectified quickly by a teacher logging in and initializing a new disk with two clicks (okay, 2 _double_ clicks). Select the user name and the program queries the LDAP server for the relevant information, retrieves the appropriate file (which is a hashed certificate and incremented number of how many times the ID disk has been written [to lock out old disks from working, in case it's known that it was taken/copied]), writes the file to disk and pops up with an 'All Done' message.

With this system, the user is able to refine the authentication methods to suit his or her needs without the System Administrator needing to account for every possible scenario when setting up the system.

Technically speaking, this is really just an implementation of certificate-based identification (public key cryptography) that involves putting the identifying certificate onto a portable device, the floppy disk. A dumbed down smart card, if you will.

(This is ridiculously weak from the point of view of overall security, but is does confine some attack vectors from ever having a chance of succeeding while still maintaining the accessibility of the system. For example, a malicious user isn't going to be able to forge the certificate stored on the floppy disk without enlisting the aide of a quantum computer, but palming the disk itself would be trivial.)

Ian Paterson https://www.ipaterson.ca