Most institutions use an identity provider (for example, Azure Active Directory) to manage and authenticate users. Learn's default authentication provider also lets you create users directly in Learn, where they set their own passwords. You can set length and complexity requirements for these passwords; doing so improves the security stance of Learn environments that rely on the default authentication provider.


Password policies and logging when users change their passwords

You can set a password length rule between 8 and 32 characters; the default is 12 characters. You can individually require upper-case letters, lower-case letters, numbers, and special characters.

The authentication logs capture password change events. This applies only to Learn password changes, not to password changes made in an identity provider. There are three event types:

  • A user changed their own password.
  • An administrator or other privileged user changed another user’s password. The event details show who changed the password.
  • A user reset their password using the forgotten password feature in Learn.
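As an added example (not Blackboard's code), the following Python script classifies password-change events into the three types above and flags the ones a security team usually wants to review: every privileged change, with who changed whose password. The log record format is constructed for illustration, because this page doesn't show the actual layout of Learn's authentication log; the reset-burst rule and its threshold go beyond the page and are an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not Learn's real format):
# timestamp | event | actor (who made the change) | subject (whose password changed)
# A "-" actor marks the self-service forgotten-password flow.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z|PASSWORD_CHANGE|jsmith|jsmith
2024-03-04T08:15:40Z|PASSWORD_CHANGE|helpdesk1|bjones
2024-03-04T09:01:05Z|PASSWORD_RESET|-|bjones
2024-03-04T09:01:49Z|PASSWORD_RESET|-|bjones
2024-03-04T09:02:30Z|PASSWORD_RESET|-|bjones
2024-03-04T09:03:12Z|PASSWORD_RESET|-|bjones
2024-03-04T10:30:00Z|PASSWORD_CHANGE|admin|cwu
2024-03-04T11:00:00Z|PASSWORD_CHANGE|cwu|cwu
"""

# The three event types the page describes.
SELF_CHANGE = "self-change"
PRIVILEGED_CHANGE = "privileged-change"
FORGOTTEN_RESET = "forgotten-password-reset"


def parse_event(line):
    """Map one log line to one of the three event types."""
    timestamp, event, actor, subject = line.split("|")
    when = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    if event == "PASSWORD_RESET":
        kind = FORGOTTEN_RESET
    elif actor == subject:
        kind = SELF_CHANGE
    else:
        kind = PRIVILEGED_CHANGE   # the actor is recorded, as the page notes
    return {"when": when, "kind": kind, "actor": actor, "subject": subject}


def classify(log_text):
    """Parse every non-empty line of a constructed export."""
    return [parse_event(line) for line in log_text.splitlines() if line.strip()]


def detect(events, reset_threshold=3, window=timedelta(minutes=10)):
    """Return alerts worth a SOC review.

    Every privileged change is reported (who changed whose password). A burst of
    forgotten-password resets for one subject inside `window` is also reported;
    that rule is a generalization beyond the page and the threshold is an assumption.
    """
    alerts = []
    recent_resets = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["when"]):
        if e["kind"] == PRIVILEGED_CHANGE:
            alerts.append(("privileged-change", e["actor"], e["subject"]))
        elif e["kind"] == FORGOTTEN_RESET:
            window_hits = recent_resets[e["subject"]]
            window_hits.append(e["when"])
            # Slide the window: forget resets older than `window`.
            while window_hits and e["when"] - window_hits[0] > window:
                window_hits.pop(0)
            if len(window_hits) == reset_threshold:   # fire once per burst
                alerts.append(("reset-burst", e["subject"], reset_threshold))
    return alerts


if __name__ == "__main__":
    for alert in detect(classify(SAMPLE_LOG)):
        print(alert)
```

Adapt `parse_event` to the fields your own export contains; the classification logic (reset event, actor equals subject, actor differs from subject) is what carries over.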

A user changes their password in Original Experience

A user changes their password when Base Navigation is enabled

Review the configuration that controls when users see the password reset option in Learn. The settings appear in the Administrator Panel on the Password Settings page.

Only a full System Administrator can access the configuration page. The default settings enforce a minimum of one numeric and one special character and a minimum length of 12.

When you use an identity provider (for example, single sign-on), configure system roles so that users don't see Learn's password reset option. The Learn reset only changes the Learn-stored password, not the one held by the identity provider.


  • The password policies apply when a user changes their own password, including through the password reset tool.
  • Password policies aren't enforced when a support user changes another user's password.
  • Password policies aren't enforced when passwords are changed through the SIS Framework, Building Blocks, or REST APIs.

An administrator configures the password length and complexity policies

Authentication logs include Password Change events

Password age, re-use, and expiration

For users whose passwords are managed in Learn rather than by an identity provider (for example, Azure Active Directory), the system can support your password security requirements by asking users to:

  • Change their password after a set number of days have passed since their last change. After expiration, users can still log in with the old password, but the system requires them to change it immediately before they can continue.
    A user is prompted to create a new password after password expiration
  • Wait a minimum period between password changes. When a user tries to change a password before its minimum age has elapsed, the system tells them the password can't be changed yet. We recommend directing such users to their helpdesk.
    A user is informed that a password cannot be changed because of the password Minimum Age Policy Violation
  • Not reuse previous passwords.
    A user is informed that previous passwords may not be reused

If necessary, you can require users to change their passwords to meet updated password policies instead of waiting for automatic expiration:

An administrator configures the Password Age and History policies

  • The “Expire Password” option appears in the Administrator Panel on the Users page.
  • Select one or several users at a time. Full System Administrators can use this feature by default. You can grant the privilege to other roles if desired: “Administrator Panel (Users) > Users > Edit > Expire Password”.
  • If you expire a user’s password while the Minimum Password Age Policy is on, the user doesn’t have to wait out the minimum age before changing the password.

An administrator expires users’ passwords

As a security measure, passwords are no longer stored in archive packages.

An administrator downloads an archive package

Password length and complexity rules

When you change another user's password, the policies aren't enforced automatically, so make sure the new password still meets the length and complexity rules.

You can configure password age and reuse policies. These settings appear in the Administrator Panel on the Password Settings page. Only a full System Administrator can access the configuration page. The default settings enforce the following policies:

  • Password Age Policy: This option is off by default. The following rules may be turned on independently:
    • The minimum age default value is 24 hours. Define a value between 1 and 720 hours.
      New users will not have to wait for this period to change their passwords the first time.
    • The maximum age default value is 90 days. Define a value between 29 and 360 days.
  • Password History Policy: This option is off by default. If turned on, you can specify the number of recently used passwords for the system to check.
    • The default value is 10. Define a value between 1 and 24.
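The following Python model is an added example, not Learn's implementation. It applies the minimum age, maximum age, and history rules with the ranges and defaults listed above, including the two exceptions the page describes: a new user's first change and an administrator-expired password both skip the minimum age wait. The salted PBKDF2 hashing of history entries, the round count, and the account record layout are assumptions for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

PBKDF2_ROUNDS = 100_000   # assumption; size this to your hardware budget


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so history entries never hold plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class AgePolicy:
    """None switches a rule off; the ranges are the ones the page documents."""
    min_age: Optional[timedelta] = timedelta(hours=24)   # 1-720 hours
    max_age: Optional[timedelta] = timedelta(days=90)    # 29-360 days
    history_depth: Optional[int] = 10                    # 1-24 passwords

    def __post_init__(self):
        if self.min_age is not None and not timedelta(hours=1) <= self.min_age <= timedelta(hours=720):
            raise ValueError("minimum age must be 1-720 hours")
        if self.max_age is not None and not timedelta(days=29) <= self.max_age <= timedelta(days=360):
            raise ValueError("maximum age must be 29-360 days")
        if self.history_depth is not None and not 1 <= self.history_depth <= 24:
            raise ValueError("history depth must be 1-24")


@dataclass
class Account:
    history: list = field(default_factory=list)    # newest first: (salt, digest)
    last_changed: Optional[datetime] = None        # None = new user, never changed
    expired_by_admin: bool = False


def must_change(acct, policy, now):
    """True when an admin expired the password or it exceeded the maximum age."""
    if acct.expired_by_admin:
        return True
    return bool(policy.max_age and acct.last_changed and now - acct.last_changed > policy.max_age)


def reuses_old_password(acct, policy, candidate):
    """Compare the candidate against the most recent `history_depth` entries."""
    if policy.history_depth is None:
        return False
    for salt, digest in acct.history[:policy.history_depth]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            return True
    return False


def check_change(acct, policy, candidate, now):
    """None if the change is allowed, otherwise the name of the violated rule."""
    # Minimum age is waived for a user's first change and after an admin expiry.
    if (policy.min_age and acct.last_changed and not acct.expired_by_admin
            and now - acct.last_changed < policy.min_age):
        return "Minimum Age Policy Violation"
    if reuses_old_password(acct, policy, candidate):
        return "Password History Policy Violation"
    return None


def apply_change(acct, policy, candidate, now):
    """Record the new password if policy allows; return the violation otherwise."""
    violation = check_change(acct, policy, candidate, now)
    if violation:
        return violation
    acct.history.insert(0, hash_password(candidate))
    del acct.history[(policy.history_depth or 1):]   # keep only what history needs
    acct.last_changed = now
    acct.expired_by_admin = False                    # an expiry is consumed by the change
    return None
```

The `expired_by_admin` flag is what makes the "Expire Password" behaviour described above work: it forces `must_change` to be true and lifts the minimum-age wait for that one change, then clears itself once the user has set a new password.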
Restrictions

Use of personal information

User accounts created in Learn may allow users to set their own passwords. To bolster security, the use of personal information in user passwords is restricted.

Personal information includes fields such as first name, middle name, last name, username, and student ID. Users can't incorporate these values when they create a password; the system notifies them if they attempt to use profile information as part of their password.

User is informed about not using profile information when changing a password

The check isn't applied when you set a password for another user, so avoid personal information there as well.


Use of passwords exposed in a data breach

Your institution can also block passwords that were exposed in a data breach. This matters because passwords like "123456," "qwerty," or "password123" are among the first guesses in credential-stuffing and password-spraying attacks.

When a user changes their password within the LMS, Learn checks the new password against a global database of breached passwords. If it appears there, the system notifies the user and requires them to choose a different password. This keeps known-compromised passwords out of the system and reduces the risk of unauthorized access to those accounts.

A user is informed that their proposed password was exposed in a security breach
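The page doesn't say which database Learn queries or how it queries it. The following Python example is added here and is not Blackboard's code; it shows how such a check can be performed without sending the password to the service, using the SHA-1 prefix (k-anonymity) scheme of the Have I Been Pwned "Pwned Passwords" range API: the client transmits only the first five hex characters of SHA1(password) and matches the returned suffixes locally. The breach corpus is constructed and stands in for the remote service.

```python
import hashlib


def sha1_hex(password):
    """Upper-case hex SHA-1, the identifier the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus standing in for the global database. Only the
# hash index is kept; the plaintexts appear here solely to build it.
_BREACHED_PLAINTEXTS = ["123456", "qwerty", "password123", "letmein", "Summer2023!"]
_RANGE_INDEX = {}
for _pw in _BREACHED_PLAINTEXTS:
    _digest = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_digest[:5], []).append(_digest[5:])


def outbound_query(password):
    """The only thing that leaves the client: the first 5 hex chars of SHA1(password)."""
    return sha1_hex(password)[:5]


def range_lookup(prefix):
    """Stand-in for the remote range endpoint: every stored suffix under `prefix`."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    return list(_RANGE_INDEX.get(prefix, []))


def is_breached(password, lookup=range_lookup):
    """True if the full hash appears among the suffixes returned for its prefix.

    The match happens locally, so the service learns at most which 5-character
    bucket the password falls into, never the password or its full hash.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in set(lookup(prefix))


def check_candidate(password, exposed_password_protection=False):
    """Policy gate as the page describes it: the check runs only when enabled."""
    if not exposed_password_protection:
        return None
    if is_breached(password):
        return "password was exposed in a data breach; choose a different one"
    return None


if __name__ == "__main__":
    for candidate in ("password123", "correct horse battery staple 7&"):
        print(candidate, "->", outbound_query(candidate), is_breached(candidate))
```

SHA-1 appears here only because the range API identifies passwords by it; it is not a recommendation for storing passwords, which belong under a slow, salted hash.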

The administrator tools configuration for the exposed password protection policy looks like this:

An administrator configures the exposed password protection policy

For most institutions, this feature is off by default; you must turn it on manually to use it.
For United States government clients within FedRAMP boundaries, the feature is on by default. If your compliance boundary changes, confirm that the configuration still matches your requirements.