When working in a corporate setting, the IT department will normally set a password expiry date, and on that date, everyone will be prompted to change their passwords. This is seen as a simple straightforward process that does not require any significant tech support.
Unfortunately, in a K-12 academic setting, changing passwords takes planning and needs to be seen not just as a time to update security, but also as a time to look for weakness in the IT organizational structure.
If the teachers and students use school-bound Apple computers, you are going to be in for a fun ride, a ride filled with corrupted keychains and dysfunctional OS X user profiles. Web-based LDAP systems will also need to be supported, as they store passwords in the browser. Web-based LDAP, you are thinking: “Oh, we don’t have anything like that.” Ever heard of Powerschool, 3SYS, or Moodle? It is very likely that some of the technology teachers and students use online authenticates with the same password that is used for logging into the school-bound computer.
Let’s start with the OS X keychain. I am not going to explain the Keychain. However, I will include two links that will help make it clear.
When a password is changed, the Keychain will prompt some users to either make a new Keychain or update the existing one. For about 20% of all users, this will simply not work. Instead, it will corrupt the Keychain. Then, every 5-10 seconds, a window will open asking for a Keychain password. Users will try their old password and the new password; neither will work. Sys admins will try to use their admin password, and that will not work either.
You can only fix this issue with the terminal, and here is how you do it.
1. Press command – option – esc and force close everything. If the pop-up window will not close, just move it to the left or right side and leave it alone.
2. Open the Keychain App. Go to Keychain–>Keychain First Aid. You need to run a repair, but you will need the SYS ADMIN password. The user’s password will work, but it will not really do any repairing. When done, close the Keychain.
3. Open the terminal. You will already be in the users home directory.
Type: cd Library – hit enter
Type: cd Keychain – hit enter
Type: ls, and you will see a LIST of files/folders.
The one you need to work with will be a string of ALL CAPITAL LETTERS and numbers. It will look something like this: CE7B0E5A-CB72-5566-AFE2-9FA95594BF8C
Please be aware that everyone will have a different combination; this is just an example.
In the terminal,
Type: sudo mv CE7B0E5D-FB72-5566-GFE2-3FA95577BF8C .oldfile – hit Enter.
You do not have to TYPE the long string. Instead, you can type the first three characters, then hit the TAB key. The terminal will complete the long string for you.
4. Close the terminal and open the Keychain again. Run the Keychain first aid again.
5. Restart, and let the user login. The user’s Keychain and account should now be fine.
6. If you are using a print-server, after you restart, open the Keychain once more. Find the print-server passwords, and delete them for the user. If you do not have a print server, skip this.
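The rename in step 3 is the part that is easy to get wrong on a busy support day: a mistyped or tab-completed path moves the wrong entry aside. The following shell function is an added example, not the post's own commands, that automates only that step and refuses to touch anything whose name does not match the all-caps hex pattern the post describes. It assumes the per-user keychain store is the directory passed in as its first argument (on current macOS that is normally "$HOME/Library/Keychains"); prefix sudo as in the post if the permissions require it, and run it after the Keychain First Aid pass, before the second one.

```shell
#!/bin/sh
# Added example (not the post's own commands): move the UUID-named keychain
# entry aside so OS X rebuilds it on the next login, keeping a dated copy
# rather than deleting it. Assumption: the caller passes the keychain
# directory, normally "$HOME/Library/Keychains" on current macOS.

backup_uuid_keychain_dirs() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d-%H%M%S)
    moved=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue          # empty directory: glob stays unexpanded
        name=${entry##*/}
        # 8-4-4-4-12 groups of upper-case hex, e.g. CE7B0E5A-CB72-5566-AFE2-9FA95594BF8C
        if printf '%s\n' "$name" | grep -Eq '^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$'; then
            # Hidden, dated name: the user may still have data worth recovering,
            # and the leading dot keeps a re-run from matching it again.
            mv "$entry" "$dir/.oldkeychain-$name-$stamp"
            echo "moved $name -> .oldkeychain-$name-$stamp" >&2
            moved=$((moved + 1))
        fi
    done
    # Number of entries moved goes to stdout so a caller can check it.
    echo "$moved"
}

# Example invocation (uncomment to run against a real user profile):
# backup_uuid_keychain_dirs "$HOME/Library/Keychains"
```

The function prints the number of entries it moved, so a zero from a profile that is still showing the password pop-up tells you the UUID entry was not where you expected, rather than silently doing nothing.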
Next, a corrupted user profile. If the user can login but:
1. They cannot change their password or are not prompted to change it.
2. They cannot print anymore.
3. They cannot connect to any LDAP services, like Powerschool or Moodle.
Just stop trying to find the problem and re-bind the machine. This happens on Windows OS as well. It only takes a few minutes to rebind a machine to the network; there is no need to waste time troubleshooting if one of the three symptoms exists.
Clearing the browser or LDAP passwords is the final step. The browser will often ask the user to update their password. Unfortunately, most users will stare at that box and ignore it. They will hit enter and lose their one chance to update their password. This means taking steps to inform people that they have to completely clear all their browser passwords.
Hopefully a policy is in place so users know what browser they should be using for official school work. If not, send instructions for all browsers and hope everyone will take time to read them.
Wow, changing passwords is so much fun. I still haven’t explained all the other things that happen when the community goes through this process. This post is getting long so I will list these gems of knowledge below:
- In order to change passwords for a group of people, the sys admin will enable this in the directory management software. This is software used to group people and give them network permissions. If this directory has been badly maintained, that fact will be realized very quickly. If problems in the organizational structure are apparent, then stop the password changing, and fix the problem immediately. Passwords cannot be changed until the organizational structure is fixed.
- Users who have computers that have been improperly cloned or configured will float to the top like oil on water. There are always people who have been issued computers that were never set up properly, and there are people who have cleverly hacked their security. Unfortunately for these people, password changing day is a bad IT day for them. Take the time and get their systems set up properly.
- Users who have been using a weak password will become angry, and they are probably the ones handing passwords out to students. They are the weakest link! Password changing should include an increase in password complexity, or some change in security. Any minor change will infuriate those who have been using their firstname as their password, or the word ‘password’. Anyone who is irate should be counseled and not ignored. They are easy to ignore, but the IT department should realize they have no sense of security, nor do they think there is a need for it. There is a need for security, so make sure these users understand the reasoning behind the policies.
- Students who have been sharing user names will also surface in a very nervous and confused manner. I always set up laptops in batches of 25-50, and coordinate students to change passwords. I do this to observe them and to answer their questions. There are always students who share accounts, and these students will be obvious: one of them will not be able to login. The odds are pretty low that they will be in the same group and exchange the new password in front of the IT staff. Finding these students and enforcing the school’s acceptable use policy is important.
I personally feel every school should go through this process twice a year. I think it reinforces security and IT standards. It is also a good time for IT to be out of the office and working with the whole community. Unplanned support happens and good information is exchanged in a very short time span.
I recommend having staff attempt to do the changes themselves, but if they need help, schedule a time and place to meet everyone. Do not use email to support this type of activity. Tell participants to meet IT in “xyz space” between the hours of “whenever-and-whenever”. Be on time, with as many IT people as possible. Also make sure network management is available on all IT personnel laptops.
Students should be informed in advance, but, coordinated during their lunch hour(s) or study halls. The process takes less than 2 minutes, and it will provide valuable information. Also, this is a time to connect with students and answer their questions, they always have more questions for IT than most people realize.
4 thoughts on “Changing Passwords: More Than Just a Security Annoyance”
Holy cow! Or just roll out a BYOD program and ditch the school owned student laptops and just avoid this mess altogether. Is that even a possibility?
This post was extremely useful to me – thanks!
Great post. We try to balance the obvious need for security with the convenience of our users. I’m not 100% sure the keychain issue is as common as you suggest; we have a Novell environment with mobile accounts, and generally don’t run into this issue when we change passwords.
As it stands, single-sign on is becoming less of a thing for us. We single sign on to Moodle, Google apps, and our in-house file server, but everything else (Naviance, IB CAS system, any other website) is up to the student to manage.
I think this prepares our students for the world in which they live. I think about my apple ID, facebook, personal gmail, forum memberships, and settled on a password strategy that creates an easy to remember password that is different for every site.
Great article, and thank you for the depth of information about the keychain stuff.
The problem is fairly well reported online, although most solutions do not work. It has been present since the update before Mavericks and with Mavericks. I have had it happen on about 1-5 Mavericks upgrades as well. Do your teachers have full admin rights on their laptops? In fact, I unboxed a new MacMini today, and it had the keychain problem right after I ran the software update.
The SSO is mostly for the teachers where I am currently based. We are not going to SSO with Naviance either. We are working on the Office 365 secure authentication against our internal Active Directory; it has been painful.
Thank you for reading. And I hope your keychains remain uncorrupted.