User and Password Security
It is critically important that the staff, students and parents at your school are careful with their usernames and passwords for Staffroom and the InTouch Portal. Staffroom and the InTouch Portal contain personal information that must be protected, and responsible use of usernames and passwords is an important way we protect this information.
While the Staffroom team are responsible for security of the system and its underlying technology, school staff, students and parents are responsible for the appropriate use of their own usernames and passwords. Schools should have appropriate policies and processes in place for managing who has access to what data and when they have access.
School staff, students and parents should never:
- Share their usernames or passwords with other people
- Write down usernames and passwords
- Send usernames and passwords to anyone using email, WhatsApp etc.
We recommend that school staff, students and parents should:
- Use strong, complex passwords, e.g. phrases and combinations of long modified words
- Use a secure password manager like those available in Chrome and Edge
- Only use their own devices or those that the school owns (not public or shared devices).
The Staffroom team will NEVER ask any user to send them their username or password. If you are asked for these details, you should be immediately suspicious. Never send your username or password to anyone, including our team.
In order to assist schools with their own security responsibilities, Staffroom has features to help schools and their users to keep their usernames and passwords secure, including:
- Automatic account locking after five incorrect attempts
- Password complexity requirements
- Password reuse prevention
- Self service password resets
- Configurable automatic session expiry
- Configurable automatic password expiry
- Configurable CAPTCHA version for login pages
Please note that the first four features listed above are standard features and cannot be configured or disabled. Also, all features listed apply to both Staffroom usernames and passwords and InTouch Portal usernames and passwords.
Self Service Password Resets
School staff who have access to Staffroom can perform a password reset using the forgotten password link (Can’t access your account?) on the Staffroom login page.
Students and parents who have access to the InTouch Portal can perform a password reset using the forgotten password link (Can’t access your account?) on the InTouch Portal login page.
Configurable Password Settings
Staffroom allows schools to configure their own session timeout period and password expiry period.
Session Timeout Period – controls how long a user will be able to access Staffroom before they will be required to log in again. This must be a value between 1 and 14 days.
Password Expiry Period – controls how long a user’s password will be able to be used before they will be required to change the password to a new one. This must be a value between 1 and 365 days.
We recommend that both of these settings should be kept as small as practically possible in order to improve the security of the school’s Staffroom site.
The configurable password settings above are available for Staffroom users and InTouch Portal users separately:
- Staffroom password settings are located in the Settings module under Users.
- InTouch Portal password settings are located in the InTouch module under Settings > Portal Settings.
CAPTCHA Login Page Settings
Staffroom and the InTouch Portal protect login pages using CAPTCHA security features. These features prevent malicious password hacking attempts and help protect your school’s user credentials. There are three options for CAPTCHA that can be selected for use on login pages:
- CAPTCHA version 2 – this version displays a checkbox on the login page that the user must tick before login.
- CAPTCHA version 3 – this version works automatically without any user actions required.
- CAPTCHA disabled – this option is only recommended where the CAPTCHA functionality is causing significant problems for the school.
NB: We have found that CAPTCHA version 3 does incorrectly block some logins, and for this reason we recommend the use of version 2 at this time.
User Password & Account Administration
It is possible for Staffroom administrators to carry out user password administration tasks such as password resets and forcing password resets for Staffroom and InTouch users. Some tasks such as forcing password resets can be carried out in bulk if required.
- Changing Staffroom user passwords and forcing password resets is carried out on the Settings > Users page.
- Changing InTouch user passwords, forcing password resets, and locking and unlocking accounts can be carried out on the InTouch > Portal Users page.