[Tech-l] ProgressBook Password Policy and Associated Issues

Thor Sage sage at mveca.org
Fri Nov 1 16:27:40 EDT 2019


Good afternoon!
Some of you may be aware that there have been issues this week associated with ProgressBook passwords and their associated security policies.  This week we made a change to our Windows Active Directory account policies that had unexpected and undocumented effects on ProgressBook.  One of the unexpected outcomes was that a password expiry policy caused a large number of passwords to expire at the same time.  Simultaneously servers began enforcing a policy associated with remembering previous passwords.  For some users that had cached passwords being remembered and applied by their computing device, all of this meant that their password expired while their computers kept trying to apply the expired passwords.  This caused the account to lock for 30 minutes.
We are diligently working to resolve this issue for users on a case by case basis.  Clearing saved passwords from browsers generally clears the problem, but some users may need additional help.  Please contact MVECA through your regular support channels if you need assistance recovering a user account.
It is incredibly important to note that MVECA’s approach to cyber security has been undergoing significant changes.  We will continue to implement security measures to ensure safe computing environments and are adopting broad security policies that will continue to have impacts on the way you interact with all types of data repositories and network resources.  For those that will continue to wish for a more carefree time - when passwords didn’t expire, didn’t require special characters, didn’t have a minimum length, and could be saved in your browser cache indefinitely – all I can say is that I’m sorry.  It simply cannot be that way anymore.
MVECA is currently in the process of adopting the NIST (National Institute of Standards and Technology) Framework as defined in their 800-53 publication (https://nvd.nist.gov/800-53/Rev4).  We will do everything we can to keep you informed about these changes and to advise districts of the associated impacts.  Below is a list of authentication control functions associated with our NIST framework adoption that we will be implementing in the coming weeks.  In the near future, we believe that districts will also be compelled to implement these same sorts of changes along with many others.  (For more information on why all public agencies will be compelled to implement cyber security standards, go here: http://codes.ohio.gov/orc/1354).  MVECA is currently organizing security events geared toward helping schools locally adopt NIST standards that will negate a great deal of liability and risk.  Stay tuned for more information on those events.
Please feel free to contact me directly for more information.
Thank you,
Thor

Thor Sage
Executive Director
Miami Valley Educational Computer Association
937-767-1468  x3101
Not-for-profit Technology Services for Education and Local Governments


Control functions for single-factor password-based authentication:
● Allow at least 12 characters in length to support the use of passphrases, copy and paste. Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
● Require memorized secrets be changed periodically (180 days) unless there is a user request or evidence of compromise.
● Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.
● Forbid commonly used passwords: The standards require every new password be checked against a “blacklist” that can include repetitive words, sequential strings, variations on the website name and passwords taken in prior security breaches. (haveibeenpwned.com/passwords has expanded their offering to include a pwned password section for users to check if a password has been exposed in a data breach: https://haveibeenpwned.com/passwords)
● Don’t use knowledge-based authentication or password hints: Allowing a user to answer a personal question such as “What high school did you attend” to reset passwords is now forbidden, as the answers to these questions and hints can be easily found via social media or social engineering.
● Limit the number of password attempts to 5: There is a large difference between the number of guesses even the most typo-prone user needs and the number of guesses an attacker needs.
● Store and transmit only encrypted representations of passwords.
● Prohibit password reuse for 5 generations.
● Allow the use of a temporary password for system logons with an immediate change to a permanent password.
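The control list above, worked through as an added Python example (not MVECA's or ProgressBook's code): a 12-character minimum with no composition rules, a blacklist covering repetitive and sequential strings, site-name variants and a constructed stand-in for a breach corpus, salted stretched digests as the only stored form, a 5-generation reuse history and lockout after 5 failed attempts. The site name "progressbook", the sample breached passwords and the KDF iteration count are assumptions.

```python
import hashlib, hmac, os, re
SITE_NAME = "progressbook"  # assumed site name for the "variations on the site name" rule
# Constructed stand-in for a breached-password corpus (real deployments query haveibeenpwned).
BREACHED = {"password", "letmein", "qwerty123456", "summer2019!"}
ALPHA_SEQ = "abcdefghijklmnopqrstuvwxyz0123456789"
MIN_LEN, MAX_ATTEMPTS, HISTORY = 12, 5, 5  # values from the MVECA control list

def policy_violation(pw):
    """Return why a candidate password is rejected, or None. No composition rules on purpose."""
    low = pw.lower()
    if len(pw) < MIN_LEN:
        return "shorter than 12 characters"
    if low in BREACHED:
        return "found in breach corpus"
    if re.fullmatch(r"(.+?)\1+", low):  # one unit repeated, e.g. "abcabcabcabc"
        return "repetitive"
    if any(low[i:i + 6] in ALPHA_SEQ for i in range(len(low) - 5)):  # e.g. "123456"
        return "sequential string"
    if SITE_NAME in re.sub(r"[^a-z]", "", low):  # "Progress-Book2019!" still names the site
        return "variation on site name"
    return None

def kdf(pw, salt):
    # Only this salted, stretched digest is stored; iteration count lowered for a quick demo.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

class Account:
    def __init__(self, first_password):
        self.history = []   # (salt, digest) per generation, newest last; never plaintext
        self.failures, self.locked = 0, False
        assert self.set_password(first_password) is None
    def set_password(self, pw):
        reason = policy_violation(pw)
        if reason:
            return reason
        if any(hmac.compare_digest(kdf(pw, s), d) for s, d in self.history[-HISTORY:]):
            return "reused within last 5 generations"
        salt = os.urandom(16)
        self.history.append((salt, kdf(pw, salt)))
        return None
    def login(self, pw):
        if self.locked:  # the 30-minute auto-unlock from the incident report is omitted here
            return False
        salt, digest = self.history[-1]
        if hmac.compare_digest(kdf(pw, salt), digest):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= MAX_ATTEMPTS
        return False
```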


