What's New In Altru 5.26

Altru upgrades are starting soon! This release includes security enhancements to your web forms.

Stronger Password Requirements for Web Form Users
To increase security for users, web forms now require stronger passwords, and passwords automatically expire after 365* days. After the upgrade, the sign-in form prompts a user to change their password if:
  • their password is more than 365 days old.
  • their password doesn't meet the new requirements.
*In response to your feedback, and to improve the online experience for your members and patrons, we've extended the password expiration from 90 to 365 days. We're also working to simplify the password reset experience and will incorporate additional updates in the Fall '22 release of Altru.

Enable Multi-Factor Authentication for Web Forms
For additional security, you can enable multi-factor authentication (MFA) for web form users. MFA is an authentication method that adds an extra layer of security to the sign-in process: it requires that a user provide a unique verification code in addition to their email and password.

MFA is disabled by default — you can enable it from User registration settings under Web. Note: After you enable MFA, it can't be disabled.

For more information about these features, check out the New Features Guide. As a reminder, your organization will receive an email with the specific date of your upgrade.
News Blackbaud Altru® Blog 07/21/2022 10:45am EDT

14 Comments

NIST recommends passwords do not change. But I understand the concern about weak/reused passwords and there needing to be a day zero for new password requirements. Honestly, if you open up authentication for patrons to use social authentication methods like Facebook, Google, Microsoft, etc… we'd see a better experience for customers, patrons, and engineering. And maybe a template email we can use in Altru to inform patrons about the change. :)

Dear Altru Customers,

First and foremost we want to thank all of you for providing this incredibly valuable feedback. We greatly value your feedback and partnership and are writing to let you know that we have heard your concerns regarding some of the security updates in the latest Altru 5.26 release. While password security is an important priority for both us and you, we listened to your concerns and have revisited the Web Form password expiration timing. We will be able to extend the expiration to 365 days (once per year) while still ensuring we meet rigorous security and privacy standards. We hope this will improve the online experience for your members and patrons.

With that in mind we have made the decision to pause our rollout of the Altru 5.26 release so we can make this happen. Our team will be in touch soon with information around revised release timing for Altru 5.26 including an update for customers that have already received the Altru 5.26 update.

In addition, we have also noted key feedback regarding areas of the password reset user experience that could be improved for simplicity and clarity. We have captured that feedback and will be incorporating additional updates to that user experience in our next Altru release, Altru 5.27, which is slated for later this Fall.

Please know that we greatly value your partnership and feedback and will continue to improve and evolve the Altru solution together!

Finally, please keep an eye out for a follow-up email communication in the coming days.

If there is any way to stop this “upgrade”, please do that. Like others have said, this will only decrease our online registrations and call for more staff time. Altru webforms are already user UN-friendly. Why are we requiring more time on the constituents' part by adding this?

What do users need to protect every 90 days? It's not like they have created a portal for members to update their own information, view transactions or store a payment method. Seems like that would be something that would be very useful to our constituents…but that's just my opinion.

This is a serious question - does Blackbaud ever survey its customers to come up with what they will spend their time “upgrading”? Like, is there a large group of orgs that have asked for these (and other) “upgrades”? I ask because if they do, I have not seen them and would like to be added to that list to let Blackbaud know what we ACTUALLY need. (I'm thinking something other than the idea bank.)

Another echo - PLEASE DO NOT DO THIS!!

We chose Altru for the ability to sell programs, memberships, and donations on line. Many of our customers only show transactions a few times per year, so they will have to change their password every time they want to make a purchase on line. If the online purchase is not quick and easy, our customers will pick up the phone or just skip it. I am afraid this change will reduce program sign-ups, memberships, and donations for us.

I have to echo the thoughts expressed here - PLEASE DO NOT DO THIS!! It is not necessary and it will put a burden on our staff and especially our constituents.

As a Historical Society, MANY of our constituents are elderly and MANY only log in once a year to renew their membership; others maybe every few months to buy a ticket to a program or museum admission, or make a donation. We have only 2 people on staff - at most - that could handle the significant mess this would cause, and they already have full time, non-Altru-related jobs. Altru is supposed to SUPPORT our non-profit by enhancing the constituent experience. This does the exact opposite.

“to increase security for users….” What needs to be secure in this case? Tell us exactly why you think this is necessary. Please be specific, if you are insisting on making a change that will negatively affect every one of your Altru customers.

Lisa Chai Jul '22

A password reset for all our members every 90 days would be a strong disincentive for our users to abandon the process of continuing with their purchase. Almost all ecommerce sites do not require this level of interruption to their customer experience, even banks. Better security could be obtained for those customers with strong security concerns with a red/orange/green bar when the users initially design their password, regarding the password length and complexity and whether a password is determined to be a weak/strong/very strong password, as well as the eye icon to let users view the password they typed in before submitting it.

A password is only one aspect of security measures for ecommerce sites, which only affects the one user of that account. Increased security for all users would be better focused on: top-of-the-line SSL certificate, regular SQL checks, website application firewalls, etc. Strengthened password security for your employees and the organizations who utilize your system might be useful, but not for the end-user customer of those organizations, which would result in deterring those customers from using the organizations Blackbaud serves.

This “upgrade” is sure to waste hundreds of staff hours and directly affect ticket sales for many Blackbaud users. This is just another shocking example of Blackbaud’s apparent blindness to the audience they claim to serve; our organization, like many other nonprofits, has less than 5 people answering calls and emails from our visitors. Our 20,000+ members will all receive messages to reset their passwords and our staff will be forced to reconcile with the hundreds that already have difficulty navigating the purchase path. Because nearly all of our members will receive this first message following the update, in 90 days the same large group will receive it again. And again following every 90 days. We will have a wave of confused users every 90 days. Worse, like Susan O'Sullivan mentions, we are sure to lose potential customers by adding ANOTHER step to the already difficult purchase process. In a market where customers are used to 1-click purchasing this is completely tone-deaf to user needs.

Blackbaud’s instructions (https://kb.blackbaud.com/knowledgebase/articles/Article/199704) tell users to click the “forgot your password” link when the message states “Your password has expired and must be changed”. Why would users click the forgot password link when you are telling them to change it? Is anyone at Blackbaud testing for usability or asking their clients what THEIR customers need?

Blackbaud gives no explanation beyond a need for “privacy”. What is that supposed to mean? No other large ecommerce site requires this. Please justify this update or listen to the people who are telling you this is bad for business.

There are virtually no other commerce sites that require a customer to change their password every 90 days. Not even banks have this requirement. We will lose customers with the implementation and ask that Blackbaud please reconsider this plan. Just like every other arts and cultural institution, our customers visit a few times a year, which means they will need to create a new password EVERY TIME they try to log in and purchase tickets, reserve member tickets, renew their membership or make a donation. Why would Blackbaud make this change with less than 30 days notice to make an already difficult online experience nearly impossible now?

The 90-day password expiration would be a major inconvenience for our staff and our members. Our members frequently do not log into web-forms for months at a time, and this would require them to create a new login nearly every time.

I agree that this will make it even more difficult for our customers. 100% agree with Bill on this

Yikes! This will create a lot of headaches for our guests who already can't remember their login information as it is :(

I totally agree with Bill. The added security would make sense IF our members could update their address.

Bill Carey Jul '22

This is the second “enhancement” nobody asked for in as many versions of Altru. Adding more hoops for members to go through in order to obtain member pricing for events will only negatively impact member retention for Altru client orgs. As another commenter stated, if this change came with the much-needed ability for web form users to update their contact information online, it would be justified. Without that ability, password expiration is slightly overkill and MFA definitely is.

Please consider delaying this “enhancement” or allowing Altru clients to opt out of both the password expiration rule and the MFA option.

Lori Elder Jul '22

Yes please, let's make it more complicated to log in…it's already a struggle for most.

Agreed! When I read the email that there were enhancements to web forms, this is not what I had hoped for. The additional security enhancements would make more sense, if the end user were able to actively update their Altru profile (address/phone changes).
