Passwords that Force a Change
There are certain passwords that Aeries always considers invalid or temporary. If a user logs in with one of these passwords, they will be forced to change it.
- "welcome" and "changeme" are temporary passwords that an administrator may set for a user.
- The password may not be the same as the username.
- The password may not be "admin".
- Aeries has compiled a list of commonly used passwords using data published by outside sources. If the user attempts to use a password on this list, they will get a warning message: "Please select a more unique password."
When an Aeries database administrator logs into the AdminCS (Client) application, a macro is available named Check Users for Invalid Passwords. Running this macro will scan for Aeries users whose passwords are invalid based on the criteria described above. After the macro runs, the list of user names will display. Also, this scan will automatically run as part of the "Updating your SQL database..." or Force An Update process. In addition to the criteria above, this macro will also find users with a password that is too common within that database. In other words, if several of your users all have the same password, those users will be in the list even though that password is not in Aeries' regular list of common passwords.
NOTE: If the Check Users for Invalid Passwords macro is run on a database other than the Default database configured in the Aeries connections config file, the results may be misleading. Only the Default database is used for security, so it is possible that the users' current passwords are different. Therefore, the results are most useful when the process is run against the Default database.
Configure Password Requirements
Aeries User, Teacher, and Parent and Student Portal accounts can have password requirements configured. Setting up these password requirements will force that User Type to update their password on a regular basis. The Aeries Admin user type is not bound by these password restrictions.
To update the password requirements for non-Admin users, navigate to the Configure Password Requirements page. It can be found under Security on the navigation menu.
The Configure Password Requirements page will display.
Click the Edit button to update the options on the Configure Password Requirements page. The following options are available:
Group To Apply Settings To – Select the user type to apply the password requirements to. The Teachers group covers both Teacher and Substitute Teacher accounts, the Parents and Students group covers Parent and Student Portal accounts, and the All Others group covers all other non-Admin Aeries user accounts.
Enforce Password Rules for this Group – Use this option to turn on the password requirements for the group selected.
Force users to Change Passwords Every… – Enter how often the users need to change their password.
View Note -
Days Prior to Expiration to Notify Users - This option is used to give the users a warning message that their password will expire several days prior to the expiration.
Minimum Length - use this option to define the minimum character length of the password.
Require Special Character - requires that at least one non alpha-numeric character is used in the password. For example, * & % $ # @
Require Letters and Numbers - requires that at least one letter and one number are used in the password.
Require Upper and Lower Case - requires that both upper and lower case letters are used in the password.
New must be significantly different than old - requires that the new password be significantly different than the existing password
Click the Save button to save the changes to this page.
NOTE: When Enforce Password Rules for this Group is first turned on, any Aeries accounts that were created prior to selecting this option will be forced to update their password on their next log-in.
After the Configure Password Requirements page has been set up, when a user logs in whose password has expired, the Change Your Aeries Password form will display.
A listing of the password rules will display to the left of the Change Your Aeries Password form. A red message will also be highlighted at the top of the form indicating that the password needs to be changed. The user will not be able to access any other page until they change their password.
After the password has been changed, a message will display that the password change was successful.
If the option to notify the user that the password is about to expire is turned on, then for the defined number of days before the password expires, the user will see a red message warning them to change their password above every page along with a link to quickly navigate to the Change Password form.
Banned Passwords
The Banned Passwords part of the Configure Password Requirements page allows Admin only users the ability to
configure specific passwords that will be disallowed when a user changes their password. This will force a change if a user currently has one of the banned passwords. Custom banned passwords can be added. These banned passwords are stored in the Banned passwords (BPW) table.
All active (not Disabled) records in the Banned Passwords (BPW) table are treated the same as the existing hard coded banned passwords.
If the "Disabled?" option is checked next to a banned password, that password will no longer be banned.
NOTE: Aeries Hosted customers have a certain level of password requirements by default. Only Aeries Support can update the Configure Password Requirements page for hosted customers. If you wish to have stricter requirements than the default level, please submit a support ticket.