<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Good afternoon!<o:p></o:p></p>
<p class="MsoNormal">Some of you may be aware that there have been issues this week associated with ProgressBook passwords and their associated security policies.  This week we made a change to our Windows Active Directory account policies that had unexpected
 and undocumented effects on ProgressBook.  One of the unexpected outcomes was that a password expiry policy caused a large number of passwords to expire at the same time.  Simultaneously servers began enforcing a policy associated with remembering previous
 passwords.  For some users that had cached passwords being remembered and applied by their computing device, all of this meant that their password expired while their computers kept trying to apply the expired passwords.  This caused the account to lock for
 30 minutes.<o:p></o:p></p>
<p class="MsoNormal">We are diligently working to resolve this issue for users on a case by case basis.  Clearing saved passwords from browsers generally clears the problem, but some users may need additional help.  Please contact MVECA through your regular
 support channels if you need assistance recovering a user account.<o:p></o:p></p>
<p class="MsoNormal">It is incredibly important to note that MVECA’s approach to cyber security has been undergoing significant changes.  We will continue to implement security measures to ensure safe computing environments and are adopting broad security policies
 that will continue to have impacts on the way you interact with all types of data repositories and network resources.  For those that will continue to wish for a more carefree time - when passwords didn’t expire, didn’t require special characters, didn’t have
 a minimum length, and could be saved in your browser cache indefinitely – all I can say is that I’m sorry.  It simply cannot be that way anymore.<o:p></o:p></p>
<p class="MsoNormal">MVECA is currently in the process of adopting the NIST (National Institute of Standards and Technology) Framework as defined in their 800-53 publication (<a href="https://nvd.nist.gov/800-53/Rev4">https://nvd.nist.gov/800-53/Rev4</a>).  We will
 do everything we can to keep you informed about these changes and to advise districts of the associated impacts.  Below is a list of authentication control functions associated with our NIST framework adoption that we will be implementing in the coming weeks. 
 In the near future, we believe that districts will also be compelled to implement these same sorts of changes along with many others.  (For more information on why all public agencies will be compelled to implement cyber security standards, go here:
<a href="http://codes.ohio.gov/orc/1354">http://codes.ohio.gov/orc/1354</a>).  MVECA is currently organizing security events geared toward helping schools locally adopt NIST standards that will negate a great deal of liability and risk.  Stay tuned for more
 information on those events.<o:p></o:p></p>
<p class="MsoNormal">Please feel free to contact me directly for more information.<o:p></o:p></p>
<p class="MsoNormal">Thank you,<o:p></o:p></p>
<p class="MsoNormal">Thor<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thor Sage<o:p></o:p></p>
<p class="MsoNormal">Executive Director<o:p></o:p></p>
<p class="MsoNormal">Miami Valley Educational Computer Association<o:p></o:p></p>
<p class="MsoNormal">937-767-1468  x3101<o:p></o:p></p>
<p class="MsoNormal"><a href="http://www.mveca.org/"><span style="color:windowtext;text-decoration:none"><img border="0" width="174" height="64" style="width:1.8125in;height:.6666in" id="Picture_x0020_1" src="cid:image001.jpg@01D590CE.3C115810" alt="http://www.mveca.org/images/logo.gif"></span></a>      
<a href="https://www.linkedin.com/company-beta/3947840/"><span style="color:windowtext;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="_x0000_i1027" src="cid:image002.jpg@01D590CE.3C115810" alt="i"></span></a><a href="https://twitter.com/mvecarcog"><span style="color:windowtext;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="Picture_x0020_2" src="cid:image003.jpg@01D590CE.3C115810" alt="t"></span></a><a href="https://www.facebook.com/MVECA-707401659416692/"><span style="color:windowtext;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="Picture_x0020_3" src="cid:image004.jpg@01D590CE.3C115810" alt="f"></span></a><o:p></o:p></p>
<p class="MsoNormal"><i>Not-for-profit Technology Services for Education and Local Governments<o:p></o:p></i></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in;line-height:16.5pt">
<span lang="EN">Control functions for single-factor password-based authentication:<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in;text-indent:-.25in;line-height:16.5pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span lang="EN" style="font-family:"Arial",sans-serif"><span style="mso-list:Ignore">●<span style="font:7.0pt "Times New Roman"">    
</span></span></span><![endif]><span lang="EN">Allow at least 12 characters in length to support the use of passphrases, copy and paste. Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus
 aiding memorization.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in;text-indent:-.25in;line-height:16.5pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span lang="EN" style="font-family:"Arial",sans-serif"><span style="mso-list:Ignore">●<span style="font:7.0pt "Times New Roman"">    
</span></span></span><![endif]><span lang="EN">Require memorized secrets be changed periodically (180 days) unless there is a user request or evidence of compromise.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in;text-indent:-.25in;line-height:16.5pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span lang="EN" style="font-family:"Arial",sans-serif"><span style="mso-list:Ignore">●<span style="font:7.0pt "Times New Roman"">    
</span></span></span><![endif]><span lang="EN">Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in;text-indent:-.25in;line-height:16.5pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span lang="EN" style="font-size:11.5pt;font-family:"Arial",sans-serif"><span style="mso-list:Ignore">●<span style="font:7.0pt "Times New Roman"">    
</span></span></span><![endif]><span lang="EN" style="font-size:11.5pt">Forbid commonly used passwords: The standards require every new password be checked against a “blacklist” that can include repetitive words, sequential strings, variations on the website
 name and passwords taken in prior security breaches. (haveibeenpwned.com/passwords has expanded their offering to include a pwned password section for users
</span><a href="https://haveibeenpwned.com/passwords"><span lang="EN" style="font-size:11.5pt;color:windowtext">to check if a password has been exposed</span></a><span lang="EN" style="font-size:11.5pt"> in a data breach)</span><span lang="EN" style="font-size:11.5pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in;text-indent:-.25in;line-height:16.5pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span lang="EN" style="font-size:11.5pt;font-family:"Arial",sans-serif"><span style="mso-list:Ignore">●<span style="font:7.0pt "Times New Roman"">    
</span></span></span><![endif]><span lang="EN" style="font-size:11.5pt">Don’t use knowledge-based authentication or password hints: Allowing a user to answer a personal question such as “What high school did you attend” to reset passwords is now forbidden,
 as the answers to these questions and hints can be easily found via social media or social engineering.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in;text-indent:-.25in;line-height:16.5pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span lang="EN" style="font-size:11.5pt;font-family:"Arial",sans-serif"><span style="mso-list:Ignore">●<span style="font:7.0pt "Times New Roman"">    
</span></span></span><![endif]><span lang="EN" style="font-size:11.5pt">Limit the number of password attempts to 5: There is a large difference between the number of guesses even the most typo-prone user needs and the number of guesses an attacker needs.<o:p></o:p></span></p>
<p class="MsoNormalCxSpMiddle" style="margin-left:.5in;mso-add-space:auto;text-indent:-.25in;line-height:106%;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-family:"Arial",sans-serif;color:black"><span style="mso-list:Ignore">●<span style="font:7.0pt "Times New Roman"">    
</span></span></span><![endif]>Stores and transmits only encrypted representations of passwords.
<span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormalCxSpMiddle" style="margin-left:.5in;mso-add-space:auto;text-indent:-.25in;line-height:106%;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-family:"Arial",sans-serif"><span style="mso-list:Ignore">●<span style="font:7.0pt "Times New Roman"">    
</span></span></span><![endif]>Prohibits password reuse for 5 generations. <o:p></o:p></p>
<p class="MsoNormalCxSpMiddle" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:8.0pt;margin-left:.5in;mso-add-space:auto;text-indent:-.25in;line-height:106%;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-family:"Arial",sans-serif"><span style="mso-list:Ignore">●<span style="font:7.0pt "Times New Roman"">    
</span></span></span><![endif]>Allows the use of a temporary password for system logons with an immediate change to a permanent password.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>