On March 5th, the K12 'ON" products will begin enforcing more stringent password parameters for all users. Passwords will now be required to meet the following minimum criteria:
- be at least 8 characters long
- include at least 1 number
- be different from the user's previous 3 passwords
After 6:00 am EST on March 5th, if your password does not meet the new requirements, you will be prompted to reset your password the first time you log in:
Can my schools delay these changes?
No, you cannot delay these changes later than March 5th.
Can I implement these changes earlier than March 5th?
You can implement these changes early on a date that better suits your school's needs. A Platform Manager can use the following steps to make the necessary changes which will take effect upon saving:
1. Core > Settings > Security > Password Parameters
2. Select the All School (All Users) role > Set Parameter
3. Select parameters that meet (or exceed) the minimum requirements that will be enforced on March 5th. Set Length to a minimum of 8, Numbers to a minimum of 1, and Password Reuse to a minimum of 3.
4. Save. Your changes will take effect immediately upon saving. This means any user with a password not meeting the criteria will be prompted to reset their password the next time they log in.
Why are we making these changes?
The security of student data and avoiding breaches is of the utmost importance and we determined these changes were necessary after reviewing our security policies and password protocols.
What if my school uses LDAP or an integration with External Authentication?
The password policy for users in LDAP/External Authentication enabled roles will continue to come from LDAP/External Authentication and these users will not be affected by the new password requirements.
Can passwords still be set to never expire?
Yes. The new password requirements do not include a requirement for having passwords expire. Just leave the Frequency of Change option in Password Parameters set to 0 or blank and passwords will not expire.
Can Blackbaud provide a report of the users who will need to change their passwords?
No. Passwords are encrypted and Blackbaud cannot decrypt them to determine which users do not meet the minimum requirements.