9 Replies Latest reply on Apr 17, 2017 5:20 AM by Alberto Ruiz

    password change in first login

    av25474

      Hi all,

       

      In our institution we have two kinds of users, in relation to their authentication method. For those users that use the "Learn default" authentication, we would like to force them to change their passwords on the first login to Blackboard, for security reasons. Does anyone else have a similar issue?

       

      We are trying to add this functionality in the login page (webapps/login/login.jsp), catching the user_id and password before they are sent to the platform, and trying to check some points: validate the user/password using our code and, if they are correct, check user.getLastLoginDate(). But we are stuck on the first point.

      There is a user.getPassword() method that returns a string like this:

      {SSHA}HmacSHA512:SHA-512:3000:aZSbcYNpD9nbP/WbKLaY/ERyQq5PRarG+y7q7CoM/o7UNMCDHUbgEH+AOSTPwyjXONsZYqJRq3B6MBvknw+UMg==:06iYIyAzgXNmidlpZ/cYzjwyBDzuJT2ZZkprh78KPSAxTk0Il2cvEl0cF2SuELUnIQ9puXC2k/F0l71/GbApng==

       

      Is there a method to generate this string using the "password" field entered by the user? Our idea is to compare both strings and, if they match, go ahead with the next steps.

       

      Or maybe there is a totally different method to force a user to change his password?

       

       

      Regards,

      Alberto Campos

        • Re: password change in first login
          Alberto Ruiz

          I have not tested it, but with this hash something like this must work:

           

          String password = "Your Password";
          String saltingAlgorithm = "HmacSHA512";
          String hashingAlgorithm = "SHA-512";
          String textSalt = "aZSbcYNpD9nbP/WbKLaY/ERyQq5PRarG+y7q7CoM/o7UNMCDHUbgEH+AOSTPwyjXONsZYqJRq3B6MBvknw+UMg==";
          int iterations = 3000;

          // Not used by the hashing steps below
          KeyGenerator generator = KeyGenerator.getInstance(saltingAlgorithm);
          generator.init(new SecureRandom());

          MessageDigest messageDigest = MessageDigest.getInstance(hashingAlgorithm);

          // Decode the stored salt, then re-encode it and prepend it to the password
          byte[] salt = Base64Codec.decodeString(textSalt);
          String saltedPassword = Base64Codec.encode(salt) + password;

          // First digest, then the stored number of extra rounds
          byte[] hash = messageDigest.digest(saltedPassword.getBytes("UTF-8"));
          for (int i = 0; i < iterations; i++)
          {
            messageDigest.update(hash);
            hash = messageDigest.digest(hash);
          }

           

          The used classes are:

           

          import blackboard.util.Base64Codec;
          import java.security.MessageDigest;
          import java.security.SecureRandom;
          import javax.crypto.KeyGenerator;
          import javax.crypto.SecretKey;
          

           

          Hope this helps.

           

          EDITED

           

          Sorry, I forgot the final step: you have to compare the generated hash with the stored one:

          Base64Codec.decodeString("06iYIyAzgXNmidlpZ/cYzjwyBDzuJT2ZZkprh78KPSAxTk0Il2cvEl0cF2SuELUnIQ9puXC2k/F0l71/GbApng==")
          
          2 of 2 people found this helpful
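
          As an added example (not code from this thread or from Blackboard), the check described in the reply above can read the digest algorithm, iteration count and salt from the stored string instead of hard-coding them, and can make the final comparison in constant time. It assumes java.util.Base64 in place of blackboard.util.Base64Codec and the untested iteration scheme from the reply; the class name, method names and sample values are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class StoredHashCheck {
    // Iterated digest as sketched in the reply above (untested there, unconfirmed here).
    // The salt stays in its Base64 text form, as in the reply.
    static byte[] derive(String digestAlg, int iterations, String saltB64, String password)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(digestAlg);
        byte[] hash = md.digest((saltB64 + password).getBytes(StandardCharsets.UTF_8));
        for (int i = 0; i < iterations; i++) {
            md.update(hash);
            hash = md.digest(hash);
        }
        return hash;
    }

    // Parses "{SSHA}<mac alg>:<digest alg>:<iterations>:<salt b64>:<hash b64>".
    static boolean verify(String stored, String candidate) {
        if (stored == null || !stored.startsWith("{SSHA}")) return false;
        String[] f = stored.substring("{SSHA}".length()).split(":");
        if (f.length != 5) return false;
        try {
            int iterations = Integer.parseInt(f[2]);
            if (iterations < 1) return false;
            Base64.getDecoder().decode(f[3]);               // reject a malformed salt
            byte[] expected = Base64.getDecoder().decode(f[4]);
            byte[] actual = derive(f[1], iterations, f[3], candidate);
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        } catch (IllegalArgumentException | NoSuchAlgorithmException e) {
            return false; // bad number, bad Base64 or unknown digest: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from any real account.
        Base64.Encoder b64 = Base64.getEncoder();
        String salt = b64.encodeToString("constructed-salt".getBytes(StandardCharsets.UTF_8));
        String hash = b64.encodeToString(derive("SHA-512", 3000, salt, "Initial-Passw0rd"));
        String stored = "{SSHA}HmacSHA512:SHA-512:3000:" + salt + ":" + hash;
        System.out.println("correct password: " + verify(stored, "Initial-Passw0rd"));
        System.out.println("wrong password:   " + verify(stored, "wrong-guess"));
        System.out.println("malformed record: " + verify("{SSHA}broken", "x"));
    }
}
```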
          • Re: password change in first login
            jkelley_blackboard

            This is an excellent, creative approach and I will be sure to refer folks to it who are interested.

             

            At the risk of being perceived as a troll for Bb Consulting, we do offer a (paid) solution for managing passwords in Blackboard. It includes most of the features you would expect - enforced password length and complexity, first login change, password expiration and warnings. If you want more info, feel free to reach out to me (jeff.kelley@blackboard.com) or your Blackboard Account Executive - ask about the Blackboard Consulting Password Manager.

             

            Note also that the Learn Product Managers have these features under investigation as future enhancements to the product.

            3 of 3 people found this helpful
              • Re: password change in first login
                chris.bray

                Having this built into the core product would be great.  Stephanie Tan mentioned that it was on the roadmap during DevCon 2013 (or 2012), and I've been waiting patiently for it.

                 

                On my own systems, any campus users have their passwords managed in our directory, with expirations and all the bells and whistles.

                Blackboard internal users, which can be 'students' in professional development or training courses, have been migrated to a separate LDAP OU for "special users". Our password management system is being updated to allow for these users to have password expiration and reset (email / SMS).

                2 of 2 people found this helpful
              • Re: password change in first login
                nw0054391

                Hi all,

                 

                My institution is also looking for ways to make users reset their password upon first login. The solution above is to add this functionality in the login page (webapps/login/login.jsp), which requires an amendment to login.jsp. Is it possible to use a building block to alter the login flow? What should be the entry point of the building block?

                 

                I am asking this because we are using managed hosting and we don't have access to login.jsp.