He purposely went out of his way to crack a password for the purpose of gaining unauthorized access to a system that wasn't his.
That's exactly the kind of thing the CFAA was created for.
I agree with the GP that he was harmless, and doesn't deserve anything terribly serious as punishment. But what he did is a lot more than using simple HTML injection to add a rick roll to something.
It sounds like what he did had exactly the same effect as "using simple HTML injection to add a rick roll to something".
'But he achieved it using leet hacker skills' should not be a factor in determining the nature of the charge or potential sentence. That's along the lines of making a big deal out of someone using a "Subversion" system to access and maintain code.
By "using simple HTML injection" I'm thinking of a form where they don't sanitize input so you could put a <video> tag in the 'name' field and suddenly the video would appear on the page.
Getting access to the administrator account is pretty different.
Not for a high school student. School networks tend to be very insecure, and the students tend to see them as just another resource in their education.
> He didn't hurt anyone or even mess with their files in a naughty way.
I've had people deface sites. It's stressful, upsetting, and a lot of work. You can't really trust a compromised server, and school IT is fairly unlikely to have great processes for it.
> I was so happy to get away from school and this kind of bullshit.
The real world isn't likely to look any more fondly on this sort of behavior.
Yes it is. He didn't hurt anyone or even mess with their files in a naughty way. I was so happy to get away from school and this kind of bullshit.