Why are PowerSchool passwords so complex?

linercapr
New Member

Why does PowerSchool need a password so complex that needs to be changed every few months? Is this a school-based decision? At present I am just missing the launch keys to be synchronously turned to give me access to grades. It is getting so bad that I saw 3 teachers have their password written on a Post-it note on their computer!

2 Replies
JeffG9
PowerSchool Champion

Here is what PowerSchool has to say, in the 23.2 Release Notes:

As part of PowerSchool's ongoing commitment to the security of the PowerSchool products, the following improvements have been made as part of this release. These changes and future changes announced below apply to users authenticating to PowerSchool SIS as an Identity Provider (IdP) and do not apply to users authenticating to LDAP, SAML, OIDC, or Unified User.

  • Users will be prompted to change their password if the password does not meet the complexity requirements defined in Password Rules Management.
  • Users will be prompted to change their password if the password is a well-known password.
  • The Account Lockout Rule defined in Password Rules Management can no longer be disabled. If this was previously disabled, a value of 0, the value will be updated to 20.
  • Password Rules Management and Student Password Management will only show settings for the user types where PowerSchool is the IdP.
  • Administrator-defined passwords in the PCAS table will be converted to a hash as part of the upgrade. User-entered passwords were always stored in the PCAS tables as a hashed value.

    Depending on the number of PCAS_Account records this process will increase the upgrade time of PowerSchool SIS. The process takes approximately 16 minutes per 4k accounts that have an Admin set password.

    Large districts with 100k or more Students that use an external IdP for Admin, Teachers, and/or Parents may see an upgrade time of 12+ hours while the encrypted values are changed to a hashed value.

Upcoming PowerSchool SIS Changes:

The following functions will be changed or removed in the PowerSchool SIS 23.5.0.0 (Back to School) release. The changes below do not impact Quick Import or AutoComm.

  • The Mass Assign ID/Password function will no longer set the Students.Student_Web_Password field.
  • The Students.Student_Web_Password field will be removed from available fields from the Student Field Value and DDA Mass Modify functions.
  • The Teachers.Password and Teachers.TeacherLoginPW will be removed from available fields from the Teacher Field Value and DDA Mass Modify functions.
  • The Students.Student_Web_Password field will no longer be exportable or available on reports.
  • Temporary Passwords, those that are Administrator set or imported, will be validated that they meet the Password Complexity rules and are not well-known passwords.
  • When PowerSchool is the Identity Provider (IdP), Students at or above grade 9 will be required to change their passwords if their password was set by an Administrator or imported. Districts will be able to change this setting to be a lower grade level if desired.

To help facilitate these changes, PowerSchool will also be making Student password workflow improvements, such as the ability for Teachers to reset Student passwords when PowerSchool SIS is the Identity Provider (IdP).

______________
Full Disclosure: I do not work for PowerSchool
psutulovich
Journeyman

I am not a fan at all of this password change. I am not finding any consistency in what is happening. In spot checking, I have some students who can log in with their original 5-character password. Then I have others that get a message to change their password. If I import passwords such as for lower grades, they can't change them. Not to mention, is the only way to get kiddos their passwords via imports or one by one? Not a happy camper right now with this. Am I missing something?