Blackbaud NetCommunity 7.2 SP8 Password Security Update Preview And Actions
In Service Pack 6 we improved the Password Reset experience for users by implementing a self-service password reset capability accessible from the User Login and Change User ID/Password parts. Web site users are no longer redirected to the Login.aspx screen for the reset process, and the experience remains consistent. We also made the email address linked to the User Account mandatory, so that it can operate as the recipient address for user account email changes and Multifactor Authentication security codes.
In Phase II we are further enhancing and securing how users and passwords are managed by Administrators of the client sites.
Information and Call to Action
In the upcoming Service Pack 8 we have further secured how passwords are handled by providing an action button for User Administrators to send a Password Reset Link email rather than creating/maintaining passwords for users manually.
In order to support this change, we have implemented a conditional merge field section on the User Login part that will only be used when a user is added by an Administrator. This means that the same part can be used both when a User Administrator sends the Password Reset Link email and when users reset their password via the site. NOTE: For backwards compatibility with user self-service, the original Password Reset Link is retained.
The User Login part used to send the Password Reset Email will be determined by the page configured for each Site in Administration > Sites & Settings > Registration and login options; otherwise the Default Site configuration is used.
Additionally, where a user has attempted to log in via Login.aspx, they too will be presented with the ability to self-service their password reset by entering their account-linked email address, to which a Password Reset email will be sent.
If you utilize the RecordNewUserHandler endpoint, please note that for Service Pack 8 we have retained the Password fields and will continue to accept data into them. However, they will not be used, as newly registered users are directed to reset their passwords via the New User Registration Email that is automatically triggered.
We will be removing the Password fields from this endpoint entirely in a future Service Pack and strongly advise that any customizations using RecordNewUserHandler are updated immediately after SP 8 to no longer use these fields.
As a result of these upcoming changes, you should take the following actions:
- Ensure you have at least one internal Blackbaud Internet Solutions user that has an email address associated with their account.
- On release, update your User Login part New User Registration Email templates to include the new conditional User Administration User Password Reset Link merge field and the conditional Self Registration Password Reset merge field to allow for multi-use. At a minimum, update the template used by the Default Site.
- Ensure that your User Login parts' Password Reset Email templates have the Password reset links present.
When can we expect the NetCommunity SP8 upgrade for hosted clients?