UPDATE: The SACE website has undergone some changes which include having the site under HTTPS. There is no indication that the password and username situation on the site has improved. Please use a random password generated by a password manager.
Yesterday, I logged in to the South African Council of Educators (SACE) Continuous Professional Training and Development (CPTD) website to check the status of my CPTD points. I was sure I had registered with them before, but couldn’t find a record of my password in my password manager.
I clicked on the “Forgotten Password” link and was prompted for my mobile number. After several minutes of waiting, I had not received the SMS I imagined would follow. The only other option was to see if I could re-register as an educator on their website. I was asked for my names, my SACE registration number and my South African ID number. Immediately, the website responded to say that my username was my SACE registration number, and displayed my password to me – my surname.
Slightly confused, I wondered how my password was ever set to something like that. Perhaps filling in the form had reset it? I nevertheless began the process of changing the password.
Changing a password on the SACE site is not straightforward – or at least the site does it very differently from the generally accepted way of going about it. Unlike nearly every other website on the internet, one has to log out before one can change one’s password. On the log in screen, enter your username and password and then, just above the “Log in” button, is some text with the link “Change password”. Clicking on that text reveals two new password fields which can be completed with one’s new password. You thus conduct a login and change your password at the same time.
I immediately went to my password manager to have it generate a random 20 character password for me. I pasted this into the new password field and clicked on the “Log in” button. An error was displayed that my password had to be between 8 and 12 characters long.
Now most people don’t use password managers (that is a problem!) and so it is unlikely that they would often run into the problem of a password being too long. But when a website does complain about a maximum length, it is a strong hint that the password is being stored as-is in a fixed-width database column rather than hashed: a hash is the same fixed size whether the password is 8 characters or 80, so a properly built site has no reason to care about an upper limit.
Websites have a number of options when storing passwords, but the best way to store a password is not to store it at all. But, you’ll say, if a website doesn’t store your password, how can it know if you’ve provided the correct password when you log in? The answer is technical – and mathematically too sophisticated for my mind – but is based around the idea of an irreversible algorithm. Something that can happen in only one direction. Now, in this instance, we’re talking about mathematical operations, but there are some very obvious real world analogies: unringing a bell, descrambling an egg, unbaking a cake… These all represent things that, once done, can’t be undone without a certain amount of guess work.
The result of putting something through an algorithm like this is known as a “hash”. If we put the same password through the same algorithm, we must end up with the same hash. Thus when you log in, the password is put through the algorithm, its hash is generated and compared to the hash that is stored on file. If that matches, then you must have provided the same password. The one caveat is that guessing is still possible: an attacker who steals the hashes can try likely passwords and see which ones match. That is why good sites mix a random per-user value (a “salt”) into each hash and use a deliberately slow hashing algorithm, so that each guess costs real effort and the same password does not produce the same hash for two different users.
Back to the SACE site, I was now disturbed. A number of issues started jumping out at me.
The site is not HTTPS protected. In fact, the Google Chrome web browser reports the login screen as “Not secure”. In coming months, this browser will display this warning in an alarming red colour whenever you are about to send a password over a non-encrypted channel. This means that your password is transmitted in plain text for anyone on the path between you and the server (on the same Wi-Fi network, for instance) to intercept. Attackers rely on the fact that people don’t like to remember different passwords. If you find out someone’s password, you probably have their password to more than just the SACE site. With a bit of investigation, they may have access to your email, your banking and who knows what else.
I logged out again and returned to the educator registration function on the front page. By supplying my SACE registration number and ID number, I returned to the login screen to have my recently set password made visible to me. This is horrific.
This means that your (potentially favourite) password is sitting in a database in a form the server can read back – plain text, or at best reversibly encrypted, which is no better once the server itself is compromised – on a server that does not have adequate protections on it. While there is no evidence of foul play here, it does mean that if this database is ever compromised (and their current security practices indicate that it might be easier than we imagine to do so), teachers’ email addresses, passwords, and the schools that they teach at are all exposed at once.
In addition to having their online profiles put at risk, many schools who use online administration systems (such as the one I develop!) may well use their same passwords for those systems. And access to those systems means access to confidential and personal information about the minors entrusted into their care.
Conclusions
- If you’ve registered on the SACE CPTD website and have used a password that you use anywhere else, change it now!
- SACE needs a serious wake up call in dealing with information that has the potential to jeopardise the safety of teachers and pupils.
- Teachers and schools who use online systems (whether for school administration or just email) need proper online safety training. Schools should insist on unique, complex passwords for their staff.
- While we are forced to use passwords, use a password manager!