Password age, re-use, and expiration policies – 3900.60
Blackboard Learn SaaS
Ultra Experience, Original Experience
Impact: All users who are allowed to reset their passwords in Learn
Most institutions use an identity provider (e.g. Azure Active Directory) to manage and authenticate users. There are cases when administrators create users in Learn. These users may set their own passwords in Learn. In support of security requirements for passwords, users may be prompted to:
- Change their passwords after a certain number of days have elapsed since their last password change. After expiry, users can log in with their old password, but are prompted to change it immediately before continuing.
- Wait a span of time between password changes. When a user tries to change a password before a certain span of time, they are informed that they cannot change the password. We recommend contacting the helpdesk in this case.
- Avoid re-using previous passwords.
Image 1. A user is prompted create a new password after password expiration
Image 2. A user is informed when a password cannot be changed because of the password Minimum Age Policy Violation
Image 3. A user is informed that previous passwords may not be reused
Image 4. An administrator configures the Password Age and History policies
If necessary, an administrator can require users to change their passwords to meet password policies updates instead of waiting for an automatic expiry. The “Expire Password” option appears in the Administrator Panel on Users page. Select one or multiple users at a time. Full System Administrators can use this new feature by default. Administrators may grant this privilege to other roles if desired: “Administrator Panel (Users) > Users > Edit > Expire Password”. If an administrator chooses to expire a user’s password and the Minimum Password Age Policy is turned on, users will not have to wait to change their password.
Image 5. An administrator expires users’ passwords
Finally, for security measures, passwords are no longer stored in archive packages.
Image 6. An administrator downloads archive package
For administrators: For administrators: When changing passwords for another users, ensure you meet password length and complexity rules.
Administrators can determine the age and reuse policies. These new settings appear in the Administrator Panel on the Password Settings page. Only a full System Administrator can access the configuration page. The default settings enforce the following policies:
- Password Age Policy: This option is off by default. The following rules may be turned on independently:
- The minimum age default value is 24 hours. Define a value between 1 and 720 hours. New users will not have to wait for this period to change their passwords the first time.
- The maximum age default value is 90 days. Define a value between 29 and 360 days.
- Password History Policy: This option is off by default. If turned on, administrators can specify the number of recently used passwords for the system to check. The default value is 10. Define a value between 1 and 24.