Blackboard Learn ships with an internal authenticator. This feature is oftentimes used by institutions that have not fully integrated with a third party authenticator such as LDAP or as a secondary authenticator for external users such as visiting faculty or parents.
Customers using a third party authenticator are excluded by this security control since user passwords are stored on an external system. However, the default system administrator account is in scope of this security control.
User passwords are stored by default with the salted SHA-512 standard from the SHA-2 family as defined in the National Institute for Standards and Technology (NIST) Special Publication 180-4 Secure Hash Standard. Blackboard Learn adds the best practice of "salting" using a secure random seed of HMAC-SHA-512. The practice of salting is important because it requires greater computing requirements to crack a password, in the event user password hashes are exposed to unauthorized actors.
Blackboard Learn also supports an alternative password hashing methodology that uses the Key Derivation Function (PBKDF2) Approach. PBKDF2 is part of a family of "adaptive hashes" that have gained popularity amongst the security industry for use with hashing passwords. This approach has a "slowness" factor about them that help provide resistance from password cracking. PBKDF2 is noted by the National Institute for Standards and Technology (NIST) Special Publication 800-132 Recommendation for Password-based Key Derivation.
Authentication attempts are logged into the standardized security log. Password storage scheme configurations and user password migrations to a new password storage scheme are also logged to the standardized security log.
Conditions for internal authenticator Secure User Password Storage
New passwords
New passwords automatically use the new user password storage scheme by default as part of a secure design principle.
Pre-existing passwords
Pre-existing passwords will automatically use the new user password storage scheme once the user logs in. Blackboard Learn cannot automatically migrate user passwords since passwords under the previous user password storage scheme were hashed. A new password hash can only be generated when the user logs in. Once the user logs in successfully and the password matches the previous user password hash value, the password is then automatically and seamlessly migrated to the new user password storage scheme. No user action is required. Once a password is successfully migrated, it will no longer be migrated again unless the default secure user password storage scheme changes to require it.
A security event is generated when a pre-existing user password successfully migrates. See the Security Audit Logging section.
How passwords are stored
Passwords related to the internal authenticator are stored under the following format.
Format
{<Algorithm Family>}{}<Salt Algorithm>:<Hash Algorithm>:<Number of Hash Iterations>:<Salt Value>:<Password Hash Value>
Example password value using the default secure user password storage scheme
{SSHA}HmacSHA512:SHA-512:3000:YHQ5mxGVxMwfsygj4WW1RVrAbciIVr7mGNcYiNq/zYTWASrUGEiGR87a2dRGLNc3PF4xnUxZPBe8TOg6T7lx8A==:zMb2jM6WoXJdfhG4O9uSBmht8tUM2oW+FOwiawqAqw/tYZMuggdeEyeXROdVrc4gwJb9u+2PjtEwvs5ikQWDPg==
How to determine when pre-existing passwords have been migrated to the default Secure User Password Storage scheme
Pre-existing passwords under the legacy password storage scheme were stored in a legacy format. To re-iterate, new users or new installations of Blackboard Learn by default will use the secure user password storage scheme so no password hashes in the legacy format will appear.
Example password value using the legacy user password storage scheme
5EA9C3DB04B1C26A85FE7E541E7B3CD9
Example password value using the secure user password storage scheme
{SSHA}HmacSHA512:SHA-512:3000:YHQ5mxGVxMwfsygj4WW1RVrAbciIVr7mGNcYiNq/zYTWASrUGEiGR87a2dRGLNc3PF4xnUxZPBe8TOg6T7lx8A==:zMb2jM6WoXJdfhG4O9uSBmht8tUM2oW+FOwiawqAqw/tYZMuggdeEyeXROdVrc4gwJb9u+2PjtEwvs5ikQWDPg==
Secure User Password Storage locations
Database
Internal authenticator user passwords are stored in the database USERS table.
No other passwords in the database are related to this Secure User Password Storage feature since this feature only covers credentials related to user passwords.
Blackboard configuration file
The following parameters from the bb-config.properties file are covered by the Secure User Password Storage scheme immediately upon upgrade or new installation.
Note: System Administrators that previously used the configuration file as a location to record and reference passwords will no longer be able to do this since passwords will now be securely stored at rest.
No other configuration file changes are related to this Secure User Password Storage feature since this feature only covers credentials related to user passwords.
- antargs.default.users.administrator.password
- antargs.default.users.guest.password
- antargs.default.users.integration.password
- antargs.default.users.rootadmin.password
For customers upgrading from a version of Blackboard Learn prior to Release 9.1 Service Pack 12, the following parameters have been removed from the bb-config.properties file:
- antargs.default.users.administrator.password.md5
- antargs.default.users.guest.password.md5
- antargs.default.users.integration.password.md5
- antargs.default.users.rootadmin.password.md5
Database changes to support Secure User Password Storage
Secure User Password Storage uses pre-existing database tables. The password field has been expanded to accommodate the larger password hashes.
Background jobs
There are no background Jobs associated with this security control.
Pre-existing user passwords are automatically migrated to the secure user password storage scheme upon successful authentication against the previous user password storage scheme.
New passwords automatically user the default secure user password storage scheme.
Security audit logging
Blackboard recommends that you monitor activity related to this security control.
Log events are part of Standard Security Event Codes. To learn more, see Audit and Accountability.
Log location
As of release SP 14, the Blackboard_Home/logs/bb-security-authentication-log.txt security log is deprecated and Event Code 28 is located in the Central Security Log.
Before SP 14:
Blackboard_Home/logs/bb-security-authentication-log.txt
SP 14 and later:
Blackboard_Home/logs/bb-security-log.txt
Event codes
A severity of 0 is informational, 2 is a low alert, and 8 is a high alert.
| Event Code | Severity | Definition |
|---|---|---|
| 28 | 0 | User Password Migrated to Default Secure User Password Storage Scheme. |
Example log entry
timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.120113.0|evt_code=28|evt_name=user password storage migration|sev=0|cat=authentication|outcome=success|dhost=appsec-demo.pd.local|src_ip=10.100.100.100|suid=13286|suser=securitystudent01|session_id=6|msg=User password storage hash migrated successfully.|http_useragent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22|act= |request=/webapps/login/
