Secure for Summer: “Legacy” Passwords

Let's make sure that your school is secure for the summer! Blackbaud regularly examines its security tools and best practices, so here is the most up-to-date information on the methods for keeping your system secure.

As part of Blackbaud’s commitment to serve, we regularly examine our security tools and best practices. We work with regulators and industry experts, review logs, conduct security testing, and more. As part of this ongoing effort, we determined we need to make a change and require users to take some simple action.

Because many users do not log in during the summer, this update requires users whose passwords could be easily compromised to switch to stronger passwords before the break begins. That way, users and schools are more secure while nobody is watching the account.

Users with “legacy” passwords are affected by this update.

Tip: Users who log in with Blackbaud ID (BBID) do not use “legacy” passwords and aren’t affected by this update. Although we encourage schools to require users to log in with BBID or with an identity provider that can single sign on (SSO) to BBID (such as Active Directory or Google), this change doesn’t force schools to migrate users to BBID immediately. For those logins, passwords must already meet the strong parameters required by BBID or by the external authentication provider.

Part 1: Password Updated Notification

We completed the first part of the changes on March 16. With that release, we added an email notification that informs users whenever their “legacy” password is updated.

The email notification includes instructions for users who may not have expected their password to change. If a user’s “legacy” password changes and the user didn't request the reset, the user should either use the included link to reset the password immediately or contact the school for assistance.

If you believe a user’s password might be compromised, this is a good opportunity to remind them of best practices for security.
To customize the email notification, a communication manager or platform manager should go to Core, Communications, Notifications, Notifications, and select the Password Updated template from the User Management category.

For example, if your school previously customized the text on your school’s login screen, edit the notification so that “Forget login or First time logging in” matches your customizations.

Part 2: Enforce Stronger Password Requirements

On April 20, we’ll enforce stronger minimum parameters for “legacy” passwords for security purposes.
By default, “legacy” passwords must:
  • be at least 8 characters long,
  • include at least 1 number,
  • change every 365 days,
  • and be different from the user's previous 6 passwords.
Users with access to very sensitive data (such as SSNs, NI numbers, or payment information) must still meet the stronger requirements needed for PCI compliance. Passwords are case-sensitive.

Users whose “legacy” passwords don’t meet the requirements will be prompted to reset their passwords.

Impact to Your School

If your school previously allowed “legacy” passwords to never expire or allowed users to reuse recent passwords, those users will be prompted to update their passwords when they log in to Education Management on or after April 20, 2021.

Many online applications prompt users to reset their password during login, so we don’t expect the prompt to severely distress most users.

However, if your school anticipates many people will be prompted to update their passwords, we encourage you to prepare your community for the change.

Best Practices

In addition to the required minimum defaults, we recommend:
  • Schools require users to update their passwords every 90 days.
  • When users change their passwords, they should avoid easily predictable patterns. For example, avoid Turtle01, Turtle02, Turtle03, etc.
  • Users should also avoid using the same credentials on multiple websites, since a breach of one site then exposes the others. Single sign on (SSO) integrations are a better option.
Although we can’t recommend a specific “password manager” or “password vault,” your school may recommend one to your community if users struggle to remember their passwords.
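The default parameters listed under Part 2 and the pattern warning above can be checked mechanically. The following is an added example written for this page, not Blackbaud code: it models a change-password check that enforces the stated minimums (8 characters, at least one digit, case-sensitive comparison, no reuse of the previous 6 passwords, rotation after 365 days) and additionally rejects the Turtle01 → Turtle02 style of change by comparing the stem of the old and new passwords. The function names, the PBKDF2 settings, and the decision to keep only salted hashes in the history are assumptions; only the rule values come from the page.

```python
"""Password-rule checker modelled on the "legacy" defaults on this page.

Added example, not Blackbaud code. Rule values (8 chars, 1 digit,
365-day rotation, 6-deep history) come from the page; everything else
(function names, PBKDF2 rounds, salt handling) is an assumption.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

MIN_LENGTH = 8
HISTORY_DEPTH = 6
MAX_AGE_DAYS = 365
PBKDF2_ROUNDS = 100_000  # assumption; tune for a real deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Case-sensitive because the bytes differ."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)  # hashes only, newest last
    last_changed: date = field(default_factory=date.today)

    def current_hash(self) -> Optional[bytes]:
        return self.history[-1] if self.history else None


def complexity_errors(candidate: str) -> List[str]:
    """The two default complexity rules: minimum length and at least one digit."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        errors.append("contains no digit")
    return errors


def reused(candidate: str, account: Account) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH passwords."""
    new_hash = hash_password(candidate, account.salt)
    return any(hmac.compare_digest(new_hash, old) for old in account.history[-HISTORY_DEPTH:])


def _stem(password: str) -> str:
    """Password with its trailing digits removed, case-folded for comparison."""
    return password.rstrip("0123456789").casefold()


def predictable_increment(old_plain: str, candidate: str) -> bool:
    """Turtle01 -> Turtle02: same stem, only the numeric suffix differs.

    The old password is available in plaintext at change time (the user
    types it), so this check does not need plaintext history.
    """
    stem = _stem(old_plain)
    return stem != "" and stem == _stem(candidate) and old_plain != candidate


def expired(account: Account, today: date) -> bool:
    """True once the password is older than MAX_AGE_DAYS."""
    return today - account.last_changed > timedelta(days=MAX_AGE_DAYS)


def change_password(account: Account, old_plain: str, candidate: str, today: date) -> List[str]:
    """Apply every rule; return the list of rejection reasons (empty = accepted and stored)."""
    current = account.current_hash()
    if current is not None and not hmac.compare_digest(hash_password(old_plain, account.salt), current):
        return ["current password incorrect"]
    errors = complexity_errors(candidate)
    if reused(candidate, account):
        errors.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    if current is not None and predictable_increment(old_plain, candidate):
        errors.append("only the numeric suffix changed (predictable pattern)")
    if errors:
        return errors
    account.history.append(hash_password(candidate, account.salt))
    del account.history[:-HISTORY_DEPTH]  # keep exactly the window we compare against
    account.last_changed = today
    return []


if __name__ == "__main__":
    acct = Account()
    print(change_password(acct, "", "Turtle01", date(2021, 4, 20)))   # [] (first password set)
    print(change_password(acct, "Turtle01", "Turtle02", date(2021, 4, 21)))  # predictable pattern
    print(change_password(acct, "Turtle01", "summer-camp-2021", date(2021, 4, 21)))  # []
```

Two points worth noticing when running it: the reuse check works on salted hashes only, so the server never needs to keep old passwords in plaintext, and the pattern check is only possible because the user supplies the current password at change time. The 90-day rotation recommended above is just `MAX_AGE_DAYS = 90`.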

Early Birds & More Security

Platform managers can set additional password parameters for "legacy" passwords on a per-role basis, and can determine when notifications about upcoming password updates are sent.

To make passwords more secure, require more complex passwords.

Do this in Core, Security, Authentication settings, Password parameters.

To implement the more secure password requirements before April 20th, update the password parameters to match the upcoming changes. For the All School (All Users) role, set the password change frequency to a value between 1 and 365 days and set the password reuse restriction to at least 6 previous passwords.

Users are affected when you Save the parameters, so choose your timing wisely.

When password parameters vary by role, users who have multiple security roles must meet the strongest combination of password requirements.

Learn More

See the discussion in the K-12 User Community.
See the Higher Ed online help.
