Ministry of Education New Zealand

What a password policy is

A password policy is a guideline that can help you create, look after, and use your password. If your school does not have a general guideline for passwords, learn how to create one using our guide below.

Passwords for new staff

Each new user must have their own unique login. They should change the default password the first time they log in.

Different accounts and logins must be set up for:

  • daily staff activities, such as emails or browsing the internet
  • administrative information technology (IT) work, such as managing other users, changing configurations, or creating or deleting resources.

These accounts need to have different, unique, and strong passwords.

Set a password policy for Google or Microsoft accounts

If you don’t have an IT provider or IT lead, you can use the guidance below for your Google and Microsoft accounts.

Setting password requirements for Google – Google

Setting banned passwords for Microsoft – Microsoft

Set a password policy on your devices

If you manage school devices with a mobile device management system (MDM), such as Microsoft 365 MDM, Microsoft Intune, Google Endpoint Management, or Jamf, you should set your password policy for all those devices. You can also require users to set a screen lock.

If you do not use an MDM system, you should enforce your password policy and screen lock for users.

Your IT provider or IT lead can help you with this. Google and Microsoft have more information about enforcing password requirements on mobile devices. If a device is lost and someone finds it, the data on it stays protected by the password and screen lock.

Require passwords for managed mobile devices – Google

App protection policy – Microsoft

Conditional access policy requiring app protection policy – Microsoft

Resetting passwords

Administrators of a system, such as Google Workspace, should not be able to reset their own password. It is good practice to have 2 administrators, so they can reset each other's passwords. Google and Microsoft explain how to do this.

Reset a user's password – Google

Reset a user's password – Microsoft

Account security advice for IT providers or IT leads

If your school has its own servers, you can secure your accounts with these steps:

  • Use rate limiting – this limits how often someone can try to log in each minute. A real user who has forgotten their password can still try to log in several times, but if the limit is a few tries per minute, an attacker can’t run a programme that automatically attempts to log in with a list of common passwords.
  • Don’t use account lockouts – an attacker can perform a denial-of-service attack by locking out lots of accounts.
  • Enable fail2ban, disable SSH password logins in favour of SSH keys, and turn off root login over SSH.
  • Store passwords with a modern, salted password-hashing function so that precomputed rainbow tables cannot be used against them.
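The list above describes two of these controls at the level of policy. The following is an added Python sketch, not code from the Ministry's page, showing how a school's own login service could implement them: a sliding-window rate limiter keyed by source address that allows only a few attempts per minute and never locks an account out permanently, and password storage using a per-password random salt with scrypt from the standard library. The names (LoginRateLimiter, hash_password, verify_password, attempt_login), the scrypt cost parameters and the sample credentials and addresses are all constructed for this example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Optional

# A few tries per minute per source: enough for a forgetful user, far too
# slow for an automated run through a list of common passwords.
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 60

# scrypt cost parameters (constructed for this example; tune for your server).
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


class LoginRateLimiter:
    """Sliding-window limiter keyed by source (for example the client IP).

    Entries older than the window are discarded, so a source is never blocked
    permanently: this is rate limiting, not an account lockout, and an attacker
    cannot use it to deny service to a real user's account.
    """

    def __init__(self, max_attempts: int = MAX_ATTEMPTS,
                 window: float = WINDOW_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock  # injectable so the behaviour can be tested without waiting
        self._attempts: Dict[str, deque] = defaultdict(deque)

    def allow(self, source: str) -> bool:
        """Record an attempt from `source`; return False if it is over the limit."""
        now = self.clock()
        recent = self._attempts[source]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            return False
        recent.append(now)
        return True


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>', using a fresh 16-byte random salt.

    A per-password salt means two users with the same password get different
    hashes, and a precomputed (rainbow) table is useless against the store.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def attempt_login(limiter: LoginRateLimiter, users: Dict[str, str],
                  source: str, username: str, password: str) -> str:
    """Return 'rate_limited', 'denied' or 'ok'.

    The rate limit is checked first, so a throttled source never reaches the
    (deliberately slow) password check.
    """
    if not limiter.allow(source):
        return "rate_limited"
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return "denied"
    return "ok"


if __name__ == "__main__":
    # Constructed sample data, not real accounts or addresses.
    users = {"alice": hash_password("correct horse battery staple")}
    limiter = LoginRateLimiter(max_attempts=3)
    for guess in ["password", "123456", "letmein", "correct horse battery staple"]:
        print(guess, "->", attempt_login(limiter, users, "203.0.113.7", "alice", guess))
```

Running the block shows three wrong guesses from one source being denied and the fourth attempt, even though it carries the right password, being rate limited until the window passes; a different source is unaffected, which is the difference between throttling and a lockout that the list above draws.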

CERT NZ has advice for protecting your network attached storage (NAS):

  • Change default or weak passwords to long passphrases.
  • Enable and use 2-factor authentication.
  • Make sure the NAS is up to date with any software updates.
  • Prevent unauthorised access by not exposing it to the internet. If it does need to be internet-facing, restrict access by IP/CIDR or geolocation.