Security
Password policies and logging when users change their passwords – 3900.54.0
Blackboard Learn SaaS, Blackboard Learn 9.1
Ultra Experience, Original Experience
Ultra Course View, Original Course View
Impact: Administrators
Most institutions use an identity provider (e.g. Azure Active Directory) to manage and authenticate users. Sometimes, some users are created in Learn. These users may be allowed to set their own passwords in Learn. Now, administrators can determine length and complexity requirements for these passwords. This can improve the security stance of Learn environments when the default authentication provider is used.
The administrator can set a password length requirement between 8 and 32 characters. The default is 12 characters. The administrator can individually set whether upper- and lower-case letters, numbers, and special characters are required.
The authentication logs now capture password change events. This only applies to Learn password changes, not to password changes in an identity provider. There are three event types:
- A user changed their own password.
- An administrator or other privileged user changed another user’s password. The event details will show who changed the password.
- A user reset their password using the forgotten password feature in Learn.
Image 1. A user changes their password in Original Experience.
Image 2. A user changes their password when Base Navigation is enabled.
For administrators: We recommend administrators review this configuration when users see the password reset option in Learn. The settings appear in the Administrator Panel on a new Password Settings page. Only a full System Administrator can access the configuration page. The default settings enforce the following policies: a minimum of one numeric and one special character, and the minimum length is set to 12. Administrators may also wish to review that system roles are configured correctly so users don’t see Learn’s password reset option when an identity provider is used (single sign-on). In this release, policies are enforced when a user is changing their own password. This includes when using the password reset tool. Password policies aren’t enforced when a support user changes the password of another user. Password policies aren’t enforced when using SIS Framework, Building Blocks, or REST APIs to change passwords.
Image 3. An administrator configures the password length and complexity policies.
Image 4. Authentication logs include Password Change events.