Teacher Compass Tutorial
How is the security of users’ (Teachers, Parents, Students and Administrators) confidential information being addressed?
Cookies & Session Variables:
No confidential or performance information is written into, held or passed in cookies. Session variables exist only as encrypted values in the server ’s RAM.
Cookie Composition. Cookies:
Set on the client side are comprised of four variables (converted to has values) including: Table name, UserID number, Username and Password. Hashing is a technique of encrypting such that the originating value cannot be reverse-engineered.
A “Sniffer” is a hacker’s term for a utility that runs between a client and server and intercepts packets of information. Sniffers are commonly used to capture passwords sent as clear text between a client and server. Because cookie values in our application are passed using SSL and the use of hashed variables, their values can be intercepted by sniffers, but will be unusable due to the encryption.
Cookies are set for Parents, Students and Teachers only. Cookies for these populations are set once logged in and cleared after 24 hours.
How are site visitors’ UserID, User Name and Password information assigned and kept secure?
Student, Teacher, Administrator & Guardian Accounts:
When a new site user (Student, Teacher or Parent) account is set up, their UserID is generated using a random string of letters and characters that is guaranteed to be unique for each user added to the database. Their user name becomes their last name, and their password is a randomly generated string of 8 letters and numbers shown to the user at first use, but stored as a has value. Passwords thus cannot be looked up because only the hashed result is stored, and by definition, cannot be reversed to the originating value. There is no clear text record or storage of user’s passwords anywhere in the database.
Creation of New Accounts:
For all new accounts set up after initial county data import, users will be required to chose a username, an eight character (or longer) password comprised of letters and numbers, and then fill out a reminder question. This reminder question will be used when a site user has forgotten their password and needs a prompt to remember it. The answer to the question will not be stored, merely a reminder for the user to trigger memory of their password. If the user is unable to recall their password even after the reminder prompt, they will need to have their account password reset by selecting a new password.
Login Credential Duplication:
For the creation of all accounts, the database is checked for possible duplicate credential sets across roles to ensure that a teacher would not have the same credentials set as an administrator and thus be able to login as that administrator.
Login (Behind the Scenes) Checks:
When a user logins on to the site, regardless of role, a series of checks are run.
1.) User name is checked against usernames stored in the database.
2.) Password is checked against the algorithm.
Can the URL be hacked and somehow used to view confidential information?
There are no meaningful variables passed in the URL. In some site areas, a look up string of letters and numbers is passed in lieu of a UserID so that an ID cannot be hacked and used to identify user login credentials and/or confidential data.