Received the news in the update newsletter regarding forcing all users to update their legacy password and/or move to Blackbaud ID.
Question - Last word was this would not be forced until BBID was ready (meaning had our school's branding). Candidates and Parents do not know who Blackbaud is and we want to keep their attention on us to get them to apply and enroll. When will the branding for BBID be ready?
I knew that the April 20th date does not require a move to BBID BUT, we will be moving our incoming parents to BBID the 3rd week of April, so it would be great if you could bump back the new login parameters to summer so our new parents do not have to get 2 separate emails from us, explaining the new parameters and then asking them to BBID authenticate.
Just simplifies a process already complicated for new parents with all the information we send their way (school forms, new student email address, a laundry list of new things for them).
Exactly, Coco, why have to make Parents transition twice if we can do it in one move? We are all working to get our NEW parents connected at this time of year. Changing these dates at the drop of a hat is killing us as we make plans and then have to pivot to change those again.
For this change, security is a priority. Being prompted during login to update passwords is a common practice with many online applications. So we don't expect the prompt itself to be too startling for most users.
Sign in and update password. School branding and custom text will appear.
Many users don't log in during the summer. If we waited until summer to implement this change and require stronger passwords, then users who don't log in would not change their passwords until after summer. Their weaker passwords would remain in place too long.
Thus, for security reasons, we have to make this change before the end of the school year. Making this change sooner rather than later helps us ensure that users whose weaker passwords may be more easily compromised will instead be forced to use more secure passwords. Users and schools will be more protected during the summer break.
It is not our intention to cause additional stress for schools and their communities of parents and students. And we greatly appreciate your migration to Blackbaud ID for those of you working hard to make that transition soon.
Since we know we must balance security needs with community needs, we wanted to give schools a heads up that this change is coming. Although we can't make the change later, schools can make the change earlier if a specific earlier date would be more convenient.
Can you confirm or update the statements from the now locked thread "Legacy password policy updates - Angry parents - Blackbaud Community" (never had a thread locked before) that we cannot choose to maintain the 0 option or unenforced? We have to change to a maximum of 365. Further, once this change happens, anyone with a password of more than that age will immediately require it to be changed on next login.
As mentioned in today's blog post and in a comment earlier in this thread, the timing of this change is necessary due to security for the summer.
The older studies about not changing passwords mention a phenomenon where users sometimes choose easily guessed patterns.
Thus, an additional recommendation (which we're including in this week's release letter and blog post) is to avoid easily predictable patterns.
For example, avoid using this series of 6 passwords changed every 90 days:
Turtle01
Turtle02
Turtle03
Turtle04
Turtle05
Turtle06
since that pattern is easily recognized and easily guessed.
When users change passwords, they should be encouraged to choose strong passwords that are not related in predictable ways to their previous passwords.
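An added example, not part of the original thread and not Blackbaud's code: one way a password-change form could reject the "Turtle01, Turtle02, ..." pattern described above. The function names and the `min_distance=4` threshold are assumptions chosen for illustration; the check only works at change time, when the user has just typed both the current and the new password.

```python
import re
from typing import List, Optional, Tuple

# The series quoted in the post above.
TURTLE_SERIES = ["Turtle01", "Turtle02", "Turtle03", "Turtle04", "Turtle05", "Turtle06"]

def _stem(password: str) -> str:
    """Lower-case the password and strip a trailing run of digits/symbols (the 'counter')."""
    return re.sub(r"[\d\W_]+$", "", password.lower())

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def predictable_change(old: str, new: str, min_distance: int = 4) -> Optional[str]:
    """Return why `new` is a predictable variant of `old`, or None if it is acceptable.

    Both values are the plaintexts typed into the change form; nothing here
    requires storing old passwords in recoverable form.
    """
    if old == new:
        return "unchanged"
    if old.lower() == new.lower():
        return "case-only change"
    stem_old, stem_new = _stem(old), _stem(new)
    if stem_old and stem_old == stem_new:
        return "same word with a different trailing counter"
    # Assumed threshold: fewer than `min_distance` edits is treated as related.
    if _edit_distance(old.lower(), new.lower()) < min_distance:
        return "too few characters changed"
    return None

def flagged_pairs(series: List[str]) -> List[Tuple[str, str, str]]:
    """Check each consecutive change in a series; return the ones that are rejected."""
    out = []
    for old, new in zip(series, series[1:]):
        reason = predictable_change(old, new)
        if reason:
            out.append((old, new, reason))
    return out

if __name__ == "__main__":
    for old, new, reason in flagged_pairs(TURTLE_SERIES):
        print(f"{old} -> {new}: rejected ({reason})")
```
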
Agreed on this - frequent password changes (every 90 days!?) are definitely not best practice unless paired with a password manager (even if this article is five years old). Forcing users to frequently change passwords that they have to remember and can't be based on a similar pattern is just inviting mental chaos and constant password resets. Of course if they just change it six times they can re-use it again - woohoo. [not serious ... just noticed that will happen]
Do we have the list of BBID password requirements, so we know what our non-SSO folks would be held to? Or is it the same as the legacy list?
As mentioned in today's blog post and in a comment earlier in this thread, the timing of this change is necessary due to security for the summer.
Can you link to this new blog? Not sure which one you are referencing. Is something happening this summer that will affect security? I don't understand the references to "summer" and security. Can you confirm that we are unable to use the 0 setting? It is still shown in the options; will it not actually work?
Is there a way to run an advanced list that will report on the last password change date? This will allow us to understand the impact on our community better.
It's the Tips and Tricks blog in this user community. You can access the Tips and Tricks blog from the top of this user community forum navigation.
You can subscribe to Tips and Tricks to get notified when a new entry is posted.
The blog with "hub" in the URL is more public facing than the user community one, so they tend to have slightly different topics. The Tips and Tricks one is more often written by technical writers.
Hi Brian, Last password change is a filter and an output column on the SKY User list in Core. Core > Users > User list. I can run this list and export to Excel, then filter on who has not changed their password in the last year. We all use legacy passwords. We are trying to get our faculty and students to update their passwords this week so when April 20th hits, it will just be parents/parents of candidates/alums/trustees, etc. I agree this is very poor timing and would much rather allow our community to end the year with the same password if desired. It's a massive ask for our tech and communications departments to navigate all of this right now.
Can anyone confirm the fact that the setting of 0 to disable password expiration shown in the options currently will no longer work after April 20? If so, can the screen be updated to remove the description of the option? What is shown in the screenshot of this post: https://community.blackbaud.com/forums/viewtopic/296/54530#p212812