Password policy – best practices

Setting and enforcing secure passwords on school or kura’s accounts are your first line of defence.

Why it matters

Your systems and data are only as secure as their passwords.

Cyber criminals are looking for any easy way to get access to information that they can steal, sell or destroy. The easiest way to get access to that information is through your users' passwords, via:

  • lists from data breaches
  • buying passwords, or
  • brute force attacks.

Your school network can become vulnerable because your users are reusing passwords across their personal and school logins, or because their passwords are too short, or use common words or personal information.

Our recommendations for staff and teachers

These recommendations are for teaching and administrative staff accounts. We're working on advice for student accounts, and will publish it here once it's ready.

  • Enforce strong passwords
  • Enforce strong passwords for user accounts, with minimum length of 10 characters
  • Do not allow users to re-use a previous password
  • Set accounts to reset their password every 90 days
  • Administrator accounts should have a minimum length of 16 characters
  • Consider the use of two-factor authentication for teaching and administrative staff accounts

Create a strong password and a more secure account – Google(external link)

Tip: Encourage the use of password managers at your school/kura which will help keep passwords long, secure and unique.

Creating a strong password – information for teachers, staff and students

Resetting passwords

  • Only allow admins to reset passwords, rather than allowing non-admin accounts to reset their own passwords.
  • Do not allow admins to reset their own passwords – best practice is to have two or three admins who are able to reset passwords for accounts other than their own.

Set up password recovery for users – Google(external link)

Enable self-service password reset – Microsoft(external link) 

Require passwords for managed mobile devices

Require users to set a screen lock or password on managed mobile devices.

Tip: If you're a Google school or kura, we recommend using the advanced option and following your password policy. You'll need to have user groups set up first.

Require passwords for managed mobile devices – Google(external link)

App protection policy – Microsoft(external link)

Conditional access policy requiring app protection policy – Microsoft(external link) 

What to include in your school or kura’s password policy

Everyone logging into any accounts on the school system should be using strong, unique passwords for each account. Your password policy should recommend that all teachers, students and staff:

  • use different passwords for each account they have – at home and at school
  • create a password with a minimum of 10 characters, ideally using a phrase or multiple words
  • do not use personal information in a password, like important dates or children's names
  • use a password manager, if you have one, to manage school passwords.

If your school doesn't have a cyber security policy, work with the board of trustees to complete a risk assessment and develop a policy.

Complete a cyber security risk assessment

Develop a cyber security policy for your school or kura

Implementing the password policy

Changing behaviour can take time. The most important accounts to prioritise are:

  • administrator and other high access accounts – including anyone who can add or remove software, create new users or access financial systems
  • your student management system, if possible
  • Google or Microsoft logins, as they provide access to many other things
  • email accounts – most software and apps use email to reset passwords, so protecting your email protects all your other passwords.

Account security advice for server operators

If your school/kura has its own servers, here are a few additional actions you can take to secure your accounts:

  • Use rate limiting - this sets how often someone can try to log in each minute. If a real user has forgotten their password they can try and log in a couple of times. If you set the rate limit to a few tries per minute, an attacker can't run a program that attempts to log in automatically with a list of common passwords.
  • Don’t use account lockouts – an attacker can perform a denial of service attack by locking out lots of accounts.
  • Enable fail2ban, disable password logins (in favour of SSH keys), and turn off root login from SSH.
  • Use a modern hash function and salt to prevent rainbow table attacks.

Follow CERT NZ’s advice for protecting your NAS:

  1. Change default or weak passwords to long passphrases.
  2. Enable and use multi-factor authentication
  3. Make sure it’s up to date with any software updates.
  4. Prevent unauthorised access by not exposing it to the internet. If it does need to be internet-facing, restrict access by IP/CIDR or geolocation.

Last reviewed: Has this been useful? Give us your feedback