Best Practices for Securing Passwords
This topic describes the best practices for securely managing student and guardian passwords for Home Access Center for districts that use the eSchoolPlus authentication instead of only LDAP authentication. Passwords are stored in the eSchoolPlus database for districts that use eSchoolPlus authentication.
Store hashed passwords.
Passwords are hashed which prevents decryption to avoid unauthorized access.
Allow parents and student to self-register for HAC.
If parents and students self-register for HAC, then this limits which users may have information about their passwords.
In the HAC District Configuration, select the Allow to Register Online checkbox.
Allow parents and students to change passwords in HAC so they can reset forgotten passwords.
If parents and students can change their password, they can manage their password as needed without contacting someone at the district and can reset their password using the Forgot My User Name or Password link in Home Access Center.
In the HAC District Configuration, select the Allow Password Changes checkbox to allow parents and students to manage passwords in HAC.
If the Allow Password Changes option is not turned on, then parents and students will be required to contact someone at your school district to reset a forgotten password.
Limit which users can reset the password.
Be cautious, and only give users that have a need to know the ability to change passwords. Users with REG PRIVATE PASSWORD security can change the password for guardians and students, but only for guardians and students that they have security to access on the Addresses and Contacts page. This resource is intended to allow a user to reset the password for a guardian or student who has forgotten what their current password is.
There is no way to view the parent or student's current password.
To limit access to change the password, do not grant the following resource levels to users:
- REG PRIVATE PASSWORD
- REG PRIVATE ALL
- REG ALL ALL
If users are currently assigned any of these resources, you should update their security access to remove these resource levels.
For the REG PRIVATE subpackage, grant users access to the individual features within the subpackage, instead of granting REG PRIVATE ALL access. For users who have REG ALL ALL access currently, you may grant the users access to all features of other REG subpackages or to individual features, but you should not grant REG PRIVATE ALL.
Require password changes after a temporary password has been assigned.
When a user changes the password for a parent or student, they should also select the Change Password on Next Login checkbox so the parent or student is required to change the password to something that is only known to them.
Note that this option is not available if the Allow Password Changes checkbox is not selected in the HAC District Configuration.
Additional resources on HAC Passwords
Setting Up Logins and Passwords for HAC