Security > Configure Password Requirements
Several options are available for non-hosted districts when configuring password requirements for Aeries users. Districts can set requirements that force certain user types to change their password on a regular basis and to set strong passwords. The Configure Password Requirements settings cannot be updated by Aeries hosted districts; a certain level of password requirements is enforced by default. To change the default requirements for a hosted district, submit a support ticket. Aeries software includes a daily automatic password hashing process. Hashing is a function that converts passwords to character strings that are difficult to reverse, ensuring that passwords are protected. IMPORTANT: Districts are strongly encouraged to follow NIST guidelines and incorporate best practices. See Best Practices for Aeries Passwords.
Prerequisites
- Admin permission is required to configure passwords and add or update banned passwords.
Steps
- Configure password requirements
- Ban certain passwords
- Un-ban a password
- Trigger password hashing
- Locate invalid passwords and force a password change
Configure password requirements
Non-hosted districts can configure password requirements by user type. Any selected requirements, such as special or numeric characters or case, will be listed for users anytime they change their password.
- Click Edit. The fields are enabled.
Group to Apply Settings To - The account types that the password requirements are applied to:
- Teachers - Requirements will apply to both teacher and substitute teacher accounts
- Parents and Students - Requirements will apply to parent and student portal accounts
- All Others - Requirements will apply to all other non-admin Aeries user accounts
Requirements should be set for each group.
Enforce Password Rules for this Group - If selected, the password requirements are enabled for the specified group.
- If un-selected, the password requirements are not enforced for the specified group.
Force Users to Change Passwords Every... - The number of days, weeks, or months that can elapse before the user is required to change their password.
Enter the number and select days, weeks, or months.
Hover over Note to view a notice. Any user with a blank Password Last Changed value will be required to change their password upon the next login if this setting is enabled.
NOTE: Current NIST password guidelines recommend eliminating periodic password changes. See Best Practices for Aeries Passwords.
Days Prior to Expiration to Notify Users - Provides a warning to users a certain number of days before their password expires, and a link to the Change Password page.
If blank, no warning message will appear.
Minimum Length - The minimum number of characters a password must contain.
If 0, the password can contain any number of characters.
NOTE: Current NIST password guidelines recommend choosing longer passwords (passphrases) over complex passwords. See Best Practices for Aeries Passwords.
Require Special Character - If selected, passwords must contain at least one non-alphanumeric character (e.g., * & % $ # @).
- If un-selected, passwords can contain only alphanumeric characters.
NOTE: Current NIST password guidelines recommend avoiding complex passwords and strict composition rules. See Best Practices for Aeries Passwords.
Require Letters and Numbers - If selected, passwords must contain at least one letter and one number.
- If un-selected, passwords can contain either all letters or all numbers.
NOTE: Current NIST password guidelines recommend avoiding complex passwords and strict composition rules. See Best Practices for Aeries Passwords.
Require Upper and Lower Case - If selected, passwords must contain at least 1 uppercase letter and at least 1 lowercase letter.
- If un-selected, passwords can contain either all uppercase or all lowercase letters.
NOTE: Current NIST password guidelines recommend avoiding complex passwords and strict composition rules. See Best Practices for Aeries Passwords.
New must be significantly different than old - If selected, the new password must be significantly different than the existing password.
- If un-selected, the new password can be the same or similar to the existing password.
NOTE: Current NIST password guidelines recommend checking all passwords against a list of commonly used, expected, or compromised passwords. See Best Practices for Aeries Passwords.
- Click Save.
If Enforce Password Rules for this Group is selected, the password requirements are enforced.
Any Aeries accounts created prior to selecting this option are forced to change their password upon their next login.
- Once saved, when a user password has expired or must be changed, the user is prompted to change their password upon logging in.
All password rules are listed.
The user cannot access any Aeries page until they successfully change their password.
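The rule evaluation described by the fields above, written out as an added example (not Aeries code): a candidate password is checked against one group's settings and against the district banned-password list, and the unmet rules are returned in the order the page lists them. Field names follow the page; the `significantly_different` heuristic, the failure messages and the case-insensitive banned match are assumptions.

```python
# Added example (not Aeries code): evaluates a candidate password against the
# configurable rules described above plus the district's banned-password list.
# Field names follow the page; the "significantly different" heuristic, the
# failure messages and the case-insensitive banned match are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class GroupRules:
    """One 'Group to Apply Settings To' configuration."""
    enforce: bool = True                 # Enforce Password Rules for this Group
    min_length: int = 0                  # Minimum Length (0 = any length)
    require_special: bool = False        # Require Special Character
    require_letters_and_numbers: bool = False
    require_upper_and_lower: bool = False
    new_must_differ: bool = False        # New must be significantly different than old


def significantly_different(new: str, old: str) -> bool:
    """ASSUMED heuristic (the page does not define the test): compare
    case-insensitively, reject if one contains the other or if half or
    more of the aligned positions are identical."""
    a, b = new.lower(), old.lower()
    if a in b or b in a:
        return False
    same = sum(x == y for x, y in zip(a, b))
    return same * 2 < max(len(a), len(b))


def unmet_requirements(new: str, old: Optional[str], rules: GroupRules,
                       banned: Set[str]) -> List[str]:
    """Return the rules the candidate fails, in the order the page lists them.
    An empty list means the password is accepted."""
    failures = []
    if new.lower() in {b.lower() for b in banned}:
        failures.append("Password is banned by the district")
    if not rules.enforce:                 # rules off for this group: only the ban applies
        return failures
    if rules.min_length and len(new) < rules.min_length:
        failures.append(f"Minimum Length {rules.min_length}")
    if rules.require_special and all(c.isalnum() for c in new):
        failures.append("Require Special Character")
    if rules.require_letters_and_numbers and not (
            any(c.isalpha() for c in new) and any(c.isdigit() for c in new)):
        failures.append("Require Letters and Numbers")
    if rules.require_upper_and_lower and not (
            any(c.isupper() for c in new) and any(c.islower() for c in new)):
        failures.append("Require Upper and Lower Case")
    if rules.new_must_differ and old and not significantly_different(new, old):
        failures.append("New must be significantly different than old")
    return failures
```

Note that a long passphrase without an uppercase letter still fails under "Require Upper and Lower Case", which is the tension with the NIST notes above.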
Ban certain passwords
Districts can prevent users from setting their password to certain words.
Certain Aeries passwords are always considered invalid or temporary:
If a user logs in with one of these passwords, the user is forced to change it upon their next login.
- Under Banned Passwords, any existing passwords are listed.
- Click Add in the Banned Passwords banner.
A row is added.
Password - Type the banned password.
Disabled - If selected, the ban will be enforced when saved.
- If un-selected, the ban is not enforced for the password.
- Click the Save icon.
Un-ban a password
- Under Banned Passwords, click the Edit icon for the password you wish to un-ban.
- Click the Delete icon.
You are prompted to confirm that you wish to delete the banned password. Click Yes.
Trigger password hashing
Aeries software includes a daily automatic password hashing process. Hashing is a function that converts passwords to character strings that are difficult to reverse, ensuring that passwords have greater protection. Admin users are reminded to run the Users with Invalid Passwords report regularly. A reminder message is displayed on the Aeries Home page for admin users. See below.
- Hashing is triggered each day by the first user that logs into the database, regardless of user account type.
A Long Running Process (LRP) runs which hashes all plain-text passwords in the database from the UGN or PWA accounts, including admin, users, teachers, parent, and student accounts. The process checks for any accounts that do not have password hashing applied. The LRP runs anonymously; no email notification is sent when the process is completed.
NOTE: Plain-text passwords are not created by Aeries but can be imported into SQL.
- During the process, the following occurs:
- All UGN and PWA records are analyzed to determine if plain-text passwords exist.
Plain-text passwords are identified by the HashType field (UGN.HT = -1 or PWA.HT = -1).
- All plain-text passwords are hashed during this process, and the HashType (HT) field is updated.
NOTE: Active Directory/LDAP accounts are skipped for UGN (e.g., User Type (UTY) field = 'adadmin', 'aduser', 'adteacher', 'adteachersub').
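A model of the hashing pass described above, as an added example that is not Aeries code: rows whose HT is -1 are hashed and marked, and UGN rows with the Active Directory/LDAP user types are skipped. The HT = -1 marker and the UTY values come from the page; the PW, UN and ID column names, the PBKDF2-HMAC-SHA256 algorithm, the stored format and the HT value written after hashing are assumptions for illustration.

```python
# Added example (not Aeries code): models the daily hashing pass over constructed
# UGN/PWA rows. HT = -1 and the AD/LDAP user types come from the page; PW/UN/ID
# column names, PBKDF2-HMAC-SHA256 and HASHED_HT are assumptions.
import hashlib
import os

PLAIN_TEXT_HT = -1                       # UGN.HT = -1 / PWA.HT = -1 means plain text
HASHED_HT = 1                            # ASSUMED marker for a hashed row
AD_USER_TYPES = {"adadmin", "aduser", "adteacher", "adteachersub"}


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as salt$hash in hex (assumed format)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt.hex() + "$" + dk.hex()


def needs_hashing(table: str, row: dict) -> bool:
    """Plain-text rows are in scope, except UGN rows for Active Directory/LDAP types."""
    if row.get("HT") != PLAIN_TEXT_HT:
        return False
    if table == "UGN" and str(row.get("UTY", "")).lower() in AD_USER_TYPES:
        return False
    return True


def hash_plain_text_rows(tables: dict) -> dict:
    """Hash every in-scope row in place; return per-table hashed/skipped counts."""
    summary = {}
    for table, rows in tables.items():
        hashed = skipped = 0
        for row in rows:
            if not needs_hashing(table, row):
                skipped += 1
                continue
            row["PW"] = hash_password(row["PW"], os.urandom(16))
            row["HT"] = HASHED_HT               # mark so the next daily pass skips it
            hashed += 1
        summary[table] = {"hashed": hashed, "skipped": skipped}
    return summary


def sample_tables() -> dict:
    """Constructed rows (not real data): plain-text, AD and already-hashed cases."""
    return {
        "UGN": [
            {"UN": "dadmin", "UTY": "admin", "PW": "Spring2024!", "HT": -1},
            {"UN": "tsmith", "UTY": "adteacher", "PW": "", "HT": -1},
            {"UN": "jdoe", "UTY": "teacher", "PW": "ab12$cd34", "HT": 1},
        ],
        "PWA": [
            {"ID": 1001, "PW": "Welcome1", "HT": -1},
            {"ID": 1002, "PW": "ef56$gh78", "HT": 1},
        ],
    }
```

Running the pass twice shows the idempotence the daily job relies on: the second run finds nothing left at HT = -1 except the skipped AD account.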
Locate invalid passwords and force a password change
Reports > Users with Invalid Passwords
The Users with Invalid Passwords Report allows admin users to view a list of usernames with an invalid password, including passwords banned by the district, passwords that do not follow current rules and settings, passwords used by multiple users, and any passwords that Aeries prevents by default. Admin users are reminded to run the Users with Invalid Passwords report regularly. A message is displayed on the Aeries Home page for admin users. NOTE: Only the default database is used for security. If the report is run on a different database, it is possible that the current passwords are different. The default database contains the most up-to-date password.
- It is recommended that Report Delivery be set to Email w/ Link, due to the complexity and time needed to run the report.
- By default the report includes teachers and other users.
Select Include Student and Parent Accounts to include those accounts as well.
- Click Run Report.
- The completion status can be monitored on View All Reports on the Report History tab.
- Once the report is run:
- If records appear on the report that need to be fixed, the admin reminder message is suppressed for 30 days.
- If no records appear on the report ("No Information to Print" message), the admin reminder message is suppressed for 90 days.
- If the report is not run again during this time period, the admin reminder message appears again.
Tables
Table | Description |
---|---|
Banned passwords (BPW) | Stores banned passwords |
User and Group Names (UGN) | Stores user and group name data |
Parent Web Accounts (PWA) | Stores parent account data |