Default Password Management

Cornerstone is moving the management of the portal wide default password from a backend setting to the Password Preferences page that is visible in all portals and accessible by administrators with the existing Password Preferences - Manage permission.

With this enhancement, a new Default Password Management tab will be visible on the existing Password Preferences page. Here, administrators can set a portal-wide default password, change the default password, and manage default password rules such as lifespan and expiration date. Furthermore, default passwords must comply with the password complexity rules defined on the General tab in Password Preferences. The Default Password Management feature is compatible with all interfaces involving user creation. The default password set in Default Password Management is applicable for any new user that is created. Administrators can use the Default Password Email Reminder Template in Email Administration to setup email reminders to be notified prior to default password expiration.

This enhancement places default password management in the hands of customers for greater control and oversight of this critical security asset. If using Data Load Wizard (DLW), See Data Load Wizard - User Loads: Default Password Setting Enhancement.

How Does this Enhancement Benefit My Organization?

This enhancement provides improved password security, which makes it easier to comply with an organization’s security protocols and standards.

Use Cases

Mary, who is a System Administrator, would like to be able to secure her portal by rotating default passwords used every 120 days. Today, she has to call Cornerstone Support and open a case to update the password and go through a lot of steps to accomplish this. With this feature, Cornerstone is surfacing the portal-wide default password management feature in the hands of the customer administrator, allowing for greater accessibility and improved security of the customer portal.

Resources

Implementation

Customers that do not currently have a default password stored in the existing default password backend setting should submit a case to Global Customer Support if they would like to begin using the new default password functionality.

For customers that currently have a default password stored in the existing default password backend setting, this functionality is on by default in stage environments. There will be a phased rollout for production and pilot environments.

Rollout Schedule by Swimlane

Swimlane Date Default Lifespan Setting
All stage swimlanes April 20 (Start of UAT) 90 Days
All pilot swimlanes May 13 (May '22 Release) 90 Days

CDG SL1

CDG SL4

FRA SL1

FRA SL4

LAX SL1

LHR SL1

May 13 (May '22 Release) 90 Days

AU swimlanes

JP swimlanes

LAX SL2

LAX SL5

LHR SL2

May 27 Patch 180 Days

All swimlanes. This includes:

  • All remaining swimlanes (LAX SL3, LAX SL4, LHR SL3
  • All swimlanes previously migrated (portal that have already been migrated will be skipped)
June 10 Patch 180 Days

Rollout Implications

For the initial rollout, a default lifespan is set for the default password. Please review the Rollout Schedule by Swimlane section to view the default lifespan for your swimlane.

The default password and lifespan settings are relevant to qualified default password users and may impact the login experience. Users may receive error messages during their login process for the following related scenarios:

  • The default password has expired before the user attempts to log in using the password. This scenario may occur if the user is matched with a default password that is older than the number of days defined in the lifespan of the default password preference.
  • The user account setup with the default password has been disabled due to 90 days of inactivity. This scenario may occur if the user has not logged in for more than 90 days after setting the default password.

The above scenarios are only relevant to default passwords; there are no changes to existing functionality for custom passwords and lifespans applied to custom passwords are not impacted.

Based on the customer feedback, the default lifespan setting applied to portals as part of the May 27th and June 10th patch rollouts is changed to 180 days. The intention is to limit the number of potentially impacted users and related administration workload. Due to security reasons, it is highly recommended to adjust the default password lifespan setting as soon as possible and apply the lowest possible number of days.

Permissions

The following existing permission applies to this functionality:

PERMISSION NAME PERMISSION DESCRIPTION CATEGORY
Password Preferences - Manage Grants ability to manage Password Preferences, which includes specifying the settings for users to change their own password, or for the system to generate an anonymous password, set the specific password requirements and allowing users to reset password by answering security questions. This permission can be constrained by OU and User's OU. This is an administrator permission. Core Administration