Most institutions use an identity provider (e.g. Azure Active Directory) to manage and authenticate users. Such a configuration also allows you to create users in Learn, where they may set their own passwords. You can set length and complexity requirements for these passwords. When you use the default authentication provider, these requirements improve the security posture of Learn environments.
- Password policies and logging when users change their passwords
- Password age, re-use, and expiration
- Password length and complexity rules
- Restrictions: Use of personal information and passwords exposed in a data breach
Password policies and logging when users change their passwords
You can set a password length rule between 8 and 32 characters. The default is 12 characters. You can individually require upper- and lower-case letters, numbers, and special characters.
The authentication logs capture password change events. This only applies to Learn password changes, not to password changes in an identity provider. There are three event types:
- A user changed their own password.
- An administrator or other privileged user changed another user’s password. The event details will show who changed the password.
- A user reset their password using the forgotten password feature in Learn.
A user changes their password in Original Experience:
A user changes their password when Base Navigation is active:
Review the configuration when users see the password reset option in Learn. The settings appear in the Administrator Panel on a new Password Settings page.
Only a full System Administrator can access the configuration page. The default settings require at least one numeric character and one special character, with a minimum length of 12.
Configure system roles so that users don't see Learn's password reset option when you use an identity provider (e.g. single sign-on).
- Password policies are enforced when a user changes their own password. This includes using the password reset tool.
- Password policies aren't enforced when a support user changes the password of another user.
- Password policies aren't enforced when passwords are changed through the SIS Framework, Building Blocks, or REST APIs.
Configuration of password length and complexity policies:
Authentication logs include Password Change events:
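The length and complexity rules above can be expressed as a small validator. The following is an added illustration, not Learn's own code: it encodes the documented limits (8 to 32 characters, default 12, numeric and special characters required by default) and returns every rule the candidate password violates. The definition of a "special character" as any non-alphanumeric character is an assumption; the page does not spell out which characters Learn counts.

```python
from dataclasses import dataclass

# Documented limits for the Learn password length rule.
MIN_ALLOWED_LENGTH = 8
MAX_ALLOWED_LENGTH = 32
DEFAULT_MIN_LENGTH = 12


@dataclass(frozen=True)
class ComplexityPolicy:
    """Length and character-class rules, defaults matching the documented Learn defaults."""
    min_length: int = DEFAULT_MIN_LENGTH
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = True      # default: at least one numeric character
    require_special: bool = True    # default: at least one special character

    def __post_init__(self) -> None:
        # Reject a configured length outside the documented 8..32 window.
        if not MIN_ALLOWED_LENGTH <= self.min_length <= MAX_ALLOWED_LENGTH:
            raise ValueError(
                f"min_length must be between {MIN_ALLOWED_LENGTH} and {MAX_ALLOWED_LENGTH}"
            )


def _is_special(ch: str) -> bool:
    # Assumption: anything that is not a letter or digit counts as special.
    return not ch.isalnum()


def check_complexity(password: str, policy: ComplexityPolicy = ComplexityPolicy()) -> list[str]:
    """Return the list of violated rules; an empty list means the password passes."""
    failures: list[str] = []
    if len(password) < policy.min_length:
        failures.append(f"at least {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("at least one upper-case letter")
    if policy.require_lower and not any(c.islower() for c in password):
        failures.append("at least one lower-case letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("at least one numeric character")
    if policy.require_special and not any(_is_special(c) for c in password):
        failures.append("at least one special character")
    return failures


if __name__ == "__main__":
    for candidate in ("password", "Correct-Horse-42"):
        print(candidate, "->", check_complexity(candidate) or "ok")
```

Returning the full list of failures rather than a single boolean lets the user-facing message name every unmet rule at once, which is what the page describes the system doing when a user picks a non-compliant password.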
Password age, re-use, and expiration
When using an identity provider (e.g. Azure Active Directory) to manage and authenticate users, your users may set their own passwords. To support security requirements for passwords, your system can ask your users to:
- Change their passwords after a certain number of days have passed since their last password change. After expiration, users can log in with their old password, but the system asks them to change it immediately before allowing them to continue.
- Wait a span of time between password changes. When a user tries to change a password before that password's minimum age has elapsed, the system informs them that they can't change the password. We recommend directing them to contact their helpdesk.
- Prevent users from re-using previous passwords.
If necessary, you can ask your users to change their passwords to meet updated password policies instead of waiting for an automatic expiration:
- The “Expire Password” option appears in the Administrator Panel in the Users page.
- Select one or several users at a time. Full System Administrators can use this new feature by default. You may grant this privilege to other roles if desired: “Administrator Panel (Users) > Users > Edit > Expire Password”.
- If you choose to expire a user’s password and the Minimum Password Age Policy is 'on', your users won't have to wait to change their password.
As a security measure, passwords are no longer stored in archive packages.
Download an archive package:
Password length and complexity rules
When changing passwords for another user, make sure you meet password length and complexity rules.
You can determine the passwords' age and reuse policies. These settings appear in the Administrator Panel on the Password Settings page. Only a full System Administrator can access the configuration page. The default settings enforce the following policies:
- Password Age Policy: This option is off by default. The following rules may be turned on independently:
  - The minimum age default value is 24 hours. Define a value between 1 and 720 hours. New users will not have to wait for this period to change their passwords the first time.
  - The maximum age default value is 90 days. Define a value between 29 and 360 days.
- Password History Policy: This option is off by default. If turned on, you can specify the number of recently used passwords for the system to check.
  - The default value is 10. Define a value between 1 and 24.
Restrictions
Use of personal information
User accounts created in Learn may allow users to set their own passwords. To bolster security, the use of personal information in user passwords is restricted.
Personal information includes fields such as: first name, middle name, last name, username, and student ID. Your users can't incorporate this information when they create a password. The system will notify users if they attempt to use profile information as part of their password.
You should also avoid using personal information when setting a password for another user.
Use of passwords exposed in a data breach
Your institution can also reject passwords exposed in a data breach. This is an important security measure because passwords like "123456," "qwerty," or "password123" are among the first that attackers try.
When one of your users tries to change their password within the LMS, Learn checks it against a global database of breached passwords. If the chosen password appears in the database, the system notifies the user and requires them to select a different password. This keeps passwords that attackers already know out of your environment and reduces the risk of unauthorized access to user accounts.
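Both restrictions on this page, the personal-information rule and the breached-password rule, come down to checks a validator can run before a password is accepted. The following is an added example, not Learn's own code and not a description of the database it queries: profile fields are matched case-insensitively as substrings of the candidate password, and the breach check compares a SHA-1 digest against a constructed sample corpus that stands in for a global breach database. Ignoring profile fields shorter than three characters (so a middle initial does not block every password) is an assumption, as is the choice of SHA-1 for the corpus lookup; the breach check is off unless enabled, matching the default described below.

```python
import hashlib

# Constructed stand-in for a breached-password corpus. A real deployment queries a
# large external database; only digests are kept here so no plaintext list is stored.
_SAMPLE_BREACHED_PLAINTEXT = {"123456", "qwerty", "password123"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _SAMPLE_BREACHED_PLAINTEXT}

# Profile fields the page lists as restricted from appearing in a password.
PROFILE_FIELDS = ("first_name", "middle_name", "last_name", "username", "student_id")
MIN_FRAGMENT_LENGTH = 3   # assumption: shorter fields (e.g. a middle initial) are not matched


def personal_info_violations(password: str, profile: dict) -> list[str]:
    """Return the profile fields whose value appears inside the password (case-insensitive)."""
    lowered = password.casefold()
    hits: list[str] = []
    for field_name in PROFILE_FIELDS:
        value = (profile.get(field_name) or "").strip()
        if len(value) >= MIN_FRAGMENT_LENGTH and value.casefold() in lowered:
            hits.append(field_name)
    return hits


def is_breached(password: str, corpus: set[str] = BREACHED_SHA1) -> bool:
    """Look the password up in the digest corpus without storing or logging it."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in corpus


def check_restrictions(password: str, profile: dict, breach_check_on: bool = False) -> list[str]:
    """Collect user-facing reasons a password is rejected; empty list means it passes."""
    problems = [f"contains your {f.replace('_', ' ')}" for f in personal_info_violations(password, profile)]
    if breach_check_on and is_breached(password):
        problems.append("appears in a known data breach")
    return problems


if __name__ == "__main__":
    # Constructed sample profile.
    sample = {"first_name": "Ada", "middle_name": "M", "last_name": "Lovelace",
              "username": "alovelace", "student_id": "S1234567"}
    for candidate in ("Lovelace#2024", "password123", "Correct-Horse-42"):
        print(candidate, "->", check_restrictions(candidate, sample, breach_check_on=True) or "ok")
```

Hashing the candidate before the lookup and keeping the corpus as digests means the check never has to handle or retain the plaintext beyond the request, which is the property you want from anything that touches passwords in bulk.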
The administrator tools configuration for the exposed password protection policy looks like this:
For most institutions, this feature is off by default. You must turn it on manually to use it.
For United States government clients in FedRAMP boundaries the feature is on by default. If your compliance boundary changes, you should confirm your configuration.