New password procedure aims to prevent hacking, secure protection

A hacker used junior Dori Latek’s Facebook account to impersonate her and coax personal information out of her friends. Above is the exchange between the hacker and junior Grace Sylvester. Photo Illustration by Emily Chwa.

When junior Grace Sylvester saw she had a Facebook message from her friend, junior Dori Latek, she did not hesitate to respond. But as Sylvester clicked send, she did not think she was answering the message of a stranger.

Latek’s Facebook account had been hacked, and the unidentified culprit used Latek’s account to coax information out of her Facebook friends, like Sylvester.

Sylvester said the hacker, who she thought was Latek at the time, had messaged her for her email address, claiming it was necessary for a survey. After Sylvester responded, the hacker proceeded to ask her for more personal information. Sylvester’s willingness to answer the questions enabled the stranger to hack her school account.

“I didn’t really think anything of [the questions] because I did not think that Dori would be hacked,” Sylvester said.

To protect Glenbrook North accounts from outside interference, as of March 1, students and staff are required to change their passwords every 180 days. Passwords cannot be repeated, and they must fulfill specific character requirements, such as the inclusion of capital and lowercase letters, numbers and symbols.

According to Dr. R.J. Gravel, director of technology services, although the school is aware that passwords have been hacked before, the new procedure was not created in response to a specific incident.

“We’re attempting to prevent an issue from occurring instead of waiting for it to happen and then reacting to it,” Gravel said.

He said password change procedures are an important precautionary step when trying to protect the security of an individual’s personal information.

Latek said she was unaware her account had been hacked until people approached her to inform her they had responded to her Facebook messages.

“The hacker’s [messages were not] like spam,” said Latek. “It sounded like a real person. It sounded like it could [have been] me.”

After responding to the messages, Sylvester, who was not the hacker’s only victim, said she could no longer access her GBN account, which included her email and PowerSchool, forcing her to go to the IDEA to resolve the issue. Sylvester had to change her password from her birthday, the previous PowerSchool default password, to a more complex and unique one.

According to Gravel, as the new password procedure is implemented, students and staff can expect to receive emails a week before their password change deadline. If they do not change their password by the deadline, they can expect to have an extra week before their password will be reset to a random and unknown password, thereby logging users out of their accounts.

Once the password has been reset, Gravel said students and staff can visit the Chrome Depot in the IDEA for assistance, or they can enroll in the Self-Service Reset Password Manager system to reset the password themselves.

Andrew Dolan, director of stakeholder engagement at the Multi-State Information Sharing and Analysis Center, said he believes passwords should be changed at least every 90 days, but changes on a 180-day basis are certainly better than making no password changes at all.

“There should never be anything that you are using a permanent password for,” Dolan said.

While secure passwords are highly beneficial, James Lanning, manager of information security and risk services for North America at the Information Security Forum, said it is important to manage the needs of users while maintaining the proper security standards. But he said he has a reservation about the frequent password changes.

“If someone is supposed to use a really solid password, then they have to change it every three months [and] it cannot be the same as the ones before it, they are going to opt to use easy-to-remember, low-complexity passwords,” Lanning said.

As a victim of hacking, Latek said she believes the new password procedures will benefit both students and staff in the long run, but she recognizes that it may feel tedious to change her password with such frequency.

Gravel said he understands change of any kind can be difficult and frustrations with reset passwords may arise.

“However, our team is here to work with individuals,” said Gravel. “I think that [our] route to help them will be well-received.”