Scoutbook Increases Personal Data Security


Published: Aug 25, 2016

Occasional blog of Bob Scott, BSA’s Director of Scoutbook
 
The Boy Scouts of America and Scoutbook care about the security of the personal information entrusted to our care, and good business practice and certain regulations require us to make efforts to ensure that this data is protected from unauthorized access.
 
While there has never been a data breach of the Scoutbook database, as part of Scoutbook's ongoing effort to provide a secure and trusted environment for leaders, youth and families to share their Scouting experience, Scoutbook will soon begin implementing stricter login requirements affecting all users' passwords. When implemented, all passwords will be required to meet the following criteria:
 
  • Minimum of eight alpha-numeric characters
  • Must contain characters from three of the four following ‘complexity’ categories:
  1. English uppercase characters (A through Z)
  2. English lowercase characters (a through z)
  3. Numbers 0 through 9
  4. Non-alphanumeric characters (~!@#$%&*_-+=`|(){}[]:;"<>,.?/")
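The rules above, implemented as an added example of what the policy actually accepts and rejects. This is not Scoutbook's code; it assumes the "eight characters" rule is a plain length check and copies the symbol set from the fourth category. It is worth noticing that a predictable password such as Password1 satisfies every rule, while a long all-lowercase passphrase does not, because a space belongs to none of the four categories.

```python
"""Check a candidate password against the Scoutbook policy stated above.

Added example, not Scoutbook's own code. Assumptions: the "eight" rule is a
plain length check, and the symbol set is exactly the one listed in the post.
"""
import string

# Symbol set copied from the post's fourth category.
SPECIALS = set('~!@#$%&*_-+=`|(){}[]:;"<>,.?/')
MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3


def categories_present(password: str) -> set:
    """Return which of the four complexity categories the password touches."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif ch in SPECIALS:
            found.add("special")
        # Anything else (space, non-English letters) counts toward no category.
    return found


def policy_violations(password: str) -> list:
    """List the rules a password breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    cats = categories_present(password)
    if len(cats) < REQUIRED_CATEGORIES:
        problems.append(f"only {len(cats)} of 4 categories (need {REQUIRED_CATEGORIES})")
    return problems


def meets_policy(password: str) -> bool:
    return not policy_violations(password)


if __name__ == "__main__":
    # Constructed candidates: the guessable ones pass, the long passphrase fails.
    for pw in ["Password1", "Scouts2016!", "correct horse battery staple", "Ab1!"]:
        print(f"{pw!r}: {'OK' if meets_policy(pw) else policy_violations(pw)}")
```

The check is exact to the letter of the policy; the comments below make the case that the letter of the policy is the problem.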
 
Our current development estimate is that the new password requirements will take effect during the week of August 29th. Existing users will be prompted to meet them when they log in to Scoutbook, and new users when they establish their account.
 
Thank you for your continued confidence in Scoutbook and for your understanding during this change to protect your personal information.
 
Comments (33)
  • Ed D'Avignon (Northern Star Council, Assistant Scoutmaster), 9 years ago
    I'm glad to see BSA and Scoutbook are taking data security seriously. Thank you for making this change.
  • Eric Thomas (Crossroads Of America Council, Assistant Scoutmaster), 9 years ago
    I would recommend adding a friendly two-factor authentication option as well... I'm personally very fond of Duo Security: https://duo.com/ There are several other options out there as well (Google, etc). Thanks for being security-minded with our information!
  • Mr. James Odom (Gulf Coast Council, Committee Chairman), 9 years ago
    http://itroadmap.scouting.org/
  • Tim Trantham (W D Boyce, Committee Chairman), 9 years ago
    An excellent first step in making our data more secure. But, it's important to remind people HOW to create strong passwords. You can find one such discussion here, but there are others as well. Just search on How to Create Strong Passwords. http://www.pcmag.com/article2/0,2817,2368484,00.asp
    Keep up the great work SB Team!
  • Declan O. (Grand Canyon Council), 9 years ago
    First
  • Kevin Daniels (Chief Seattle Council), 9 years ago
    Thank you for making this change and making data security a priority. I would also like to echo the feedback that Eric Thomas provided and ask for some additional security for authentication including two factor authentication using Google Authenticator or Duo as well as a feature that would automatically log out a user after 1 or 2 hours of inactivity. This feature would ensure that individuals who forget to log out of their account on a shared computer do not inadvertently allow someone else to have access to Scout information.
  • Ed D'Avignon (Northern Star Council, Assistant Scoutmaster), 9 years ago
    Kevin, Scoutbook already automatically logs users out after 30 minutes.
  • Frank Turner (Coastal Georgia Council), 9 years ago
    Yay. I'm looking forward to y'all working on the hundreds of problems people are actually complaining about. Like REPORTING or lack thereof.
  • Stephen Hornak (Washington Crossing Council, Committee Chairman), 9 years ago (updated)
    Frank - it has been noted on the IT roadmap that reporting is being reworked in 2017. One thing I can say is that there are other providers out there that offer the reporting and other features that you are after, but they have had the time to build up to that. We all realize that there is a long way to go to make this an outstanding product. Admittedly, nobody was asking for security changes, but that was a BSA decision. The database sync will actually remove major issues for a number of users with regard to roster import/true-up and advancement tracking. There are many posts concerning those items which is the real heart of scoutbook. So, that being said, the need for reporting is well known, has been heard and will be addressed.
  • Alex Valencic (Prairielands, Pack Trainer), 9 years ago
    In addition to being a scout leader, I am a fourth grade teacher in a public school. I tell all of my students, their parents, and my colleagues that my number one responsibility is to make sure my students are safe. Nothing else is more important. I think this applies to the BSA and ScoutBook also. As the BSA is moving toward using this as the official application/software/tool for all things Scouting, safety comes first. Then they will start working on all of the hundreds of thousands of feature requests that have been suggested. And hey, if someone happens to have the skills and knowledge and willingness to volunteer, I'm sure they would it if that person offered to help with the process!
  • Jennifer Cather (Greater Alabama Council, Committee Member), 9 years ago
    I appreciate app security, however, Scoutbook is no longer truly mobile friendly. I can't switch back and forth between Scoutbook and other apps easily anymore. In trying to use it during Sign Up Night, it was horrible. Every time I would change to another app, Square to take payments, calendar to check on something, messages, etc. I had to log back into Scoutbook every time I came back and start over getting back to where I was. It would be nice to be able to stay logged in for a period of time. Even without a registration night, my Scoutbook use always included switching back and forth between apps.
  • Ed D'Avignon (Northern Star Council, Assistant Scoutmaster), 9 years ago
    Jennifer, it sounds like you have set Scoutbook up as a Web App on an iOS device. The reason you have to log in each time you return to Scoutbook is due to the way Apple implemented Web Apps, not the way Scoutbook implemented the 30 minute timeout. Unfortunately, Apple clears the information Scoutbook needs to know your last login time each time you leave any web app. Our recommendation is to use Scoutbook directly in Safari instead of as a web app in order to be able to switch back and forth between different apps and Scoutbook.
  • Bill Nelson (Grand Canyon Council), 9 years ago (updated)
    HOW THE LATEST SCOUTBOOK UPDATE CONNECTS COUNCILS & UNITS
    http://scoutingwire.org/latest-scoutbook-update-connects-councils-units/
  • Christopher Franklin (Longhorn Council), 9 years ago
    I'd like to point out that this move may be a little off, the industry has more and more realized that composition rules like requiring special characters tend to not improve security, people just stick a 1 or ! or whatever at the end and call it done. And pure knowledge-based authentication is always vulnerable. NIST's current recommendations are talked about here: https://www.iansresearch.com/insights/blog/blog-insights/2016/08/24/ians-faculty-break-down-nist-s-proposed-new-password-guidelines

    But, those recommendations basically boil down to:
      • Make sure passwords aren't common passwords or dictionary words (there are plenty of lists out there to check from previous breaches).
      • Encourage long passwords (8 characters minimum), and allow special characters but don't require them.
      • Implement two-factor authentication.
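The approach the comment above describes (a length floor plus a blocklist of known-bad passwords, and no composition rules), as an added example. This is not Scoutbook's code, and the blocklist is a constructed stand-in for a real compromised-password list such as a Have I Been Pwned dump. The normalize step is the part that matters: it strips the trailing digit or punctuation people append to satisfy composition rules and reverses common leet substitutions, so P@ssw0rd1! is caught as "password".

```python
"""Length-plus-blocklist password check in the NIST SP 800-63B style the comment
describes. Added example, not Scoutbook code; BLOCKLIST is a constructed sample
standing in for a real compromised-password list."""
import re

MIN_LENGTH = 8
MAX_LENGTH = 64      # SP 800-63B: accept at least 64 characters, so passphrases fit

# Constructed sample; a real list is the millions of entries seen in prior breaches.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "baseball",
    "scoutbook", "eaglescout", "boyscouts",
}

# Undo substitutions people use to dodge a dictionary check (heuristic, not exhaustive).
LEET = str.maketrans("@$013", "asoie")


def normalize(password: str) -> str:
    """Reduce 'P@ssw0rd1!' to 'password' before the blocklist lookup.

    Lower-case, drop the trailing digits/punctuation that composition rules
    encourage people to append, then reverse the common leet substitutions.
    """
    core = re.sub(r"[\d\W_]+$", "", password.lower())
    return core.translate(LEET)


def check_password(password: str, blocklist=BLOCKLIST) -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    core = normalize(password)
    if password.lower() in blocklist:
        reasons.append("matches a blocklisted password")
    elif core in blocklist:
        reasons.append(f"reduces to blocklisted password {core!r}")
    elif len(set(password)) == 1:
        reasons.append("single repeated character")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the composition-rule favourites fail, the passphrase passes.
    for pw in ["P@ssw0rd1!", "L3tMe1n!", "correct horse battery staple", "123456"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

Note that a real blocklist check is done against a hash of the candidate (or the k-anonymity range API that Have I Been Pwned exposes), never by shipping the plaintext list to the client.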
  • Peter Ferriola (Chief Seattle Council; Leader of 11-year old Scouts, LDS Troop), 9 years ago
    I understand the desire to provide increased security, and agree in principle. However, as @Chris Franklin pointed out above, this does little to nothing for security. It also just makes passwords harder for legitimate users to remember. For a quick primer on the difficulty of cracking passwords, please review the following guide. It should take literally less than five minutes:

    https://xkcd.com/936/
  • Chris Beasley (Heart of America Council, Assistant Scoutmaster), 9 years ago
    I have to agree on the 2FA (2 factor authentication) where a code is sent to your cell phone before allowing logins such as Google and Facebook (and many other sites/apps) already offer.
    Thank you for the great work you all put into Scoutbook though, good stuff!
  • Stephen Hornak (Washington Crossing Council, Committee Chairman), 9 years ago
    While the two factor authentication seems like a direction to go in, let us pause and consider the audience. You have everyone from scouts to scouters, parents to extended family. From the really tech oriented to the how do I work this box. I think the change is sufficient based on the wide spectrum of who is in scoutbook and why.
  • Tom McFadden (Central Florida Council, Assistant Scoutmaster), 9 years ago (updated)
    2FA is great for things that need to be secure like banking info, credit card accts etc....

    Here we are talking scouting advancement records. Yes I know names and addresses can be used in Identity theft, but risk vs reward tells me that the tech savvy needed to hack into any website with decent security to get a bunch of names and addresses etc... the reward is way too small to make the risk worthwhile, especially with a user base as small as Scoutbook's.

    Now Target customer lists, that is a hack that was worth something. But scoutbook where more than half the users are way under 18 is not worth the hassle to anyone who is looking to make money.

    As one of my Chiefs in the Navy used to say, Locks only keep honest people honest.
  • Doug Moore (Central Florida Council), 9 years ago
    Tom, once again, you've taken the words from my mouth. (Keystrokes from my fingertips?) Perhaps you should be in charge! I already hate that I have to log in every time I open the page.
  • Aaron Weissman (Montana Council, Chartered Organization Rep.), 9 years ago
    Tom: Scoutbook holds info like youth names, birthdates, school name and physical address -- as well as a calendar with times and locations where these youth can be found in the future. This information is held by scout leaders in what I call a "sacred trust".

    These new password requirements are nice, but 2FA is really the future of security. I recommend its implementation.
  • Peter Ferriola (Chief Seattle Council; Leader of 11-year old Scouts, LDS Troop), 9 years ago (updated)
    I can definitely agree with 2FA.

    I understand Aaron's concern about the information being a potential for concern, but at the same time, I don't see Scoutbook as the likely path for people to get such information. It's not hard to get schedules for unit meetings from local district executives by posing as a prospective parent who is looking for somewhere to send their son/grandson/daughter/granddaughter. Additionally, many events are easily discovered via calendars made public on Facebook, websites, Google Calendars, Yahoo! groups, and so forth by both units and districts. Many aren't locked down because most units and districts don't expect every member or parent to sign up for an account, and I don't see that changing.

    Additionally, things like rear-window stickers like "My child is an honor student at..." or those decals with families represented as minions or Star Wars characters or such are a far more likely route of information and require literally no effort to observe and little effort to track. I'm not saying don't have them, but I am saying that a determined identity thief or predator will find a way to get information in very public ways many people don't think of.

    I'm for security, and I hope we all take the appropriate measures to keep our information secure. I just don't want anyone to get so caught up on one route of information transmission that we miss the broader scope of information security.
  • Frank Turner (Coastal Georgia Council), 9 years ago
    Apparently complicating the use of Scoutbook is easier than fixing its problems. Thankfully, they found the time to give us those dandy red slider switches we were all pining for.
  • Jeffrey Bouffard (Green Mountain, Assistant Scoutmaster), 9 years ago
    Sigh ... no, those don't necessarily make passwords harder to crack.

    They do, however, give people an illusion that it's safe because they're inconvenienced.
  • Scott Fisher (Washington Crossing Council, Committee Chairman), 9 years ago
    Jeffrey, the majority of "publicized" password hacks are actually hacking the CREATOR of the Password. So, requiring a password NOT TO BE set by the creator as "mypassword" but rather some combination of the 4 categories makes it more difficult to determine and, therefore, gives the valid impression of more security.
  • Doug Smith (Great Lakes FSC, Michigan Crossroads Council), 9 years ago
    This is minimal security. Honestly, if you are just moving to this, then you are really coming out of the dark ages. Do you suspend an account (and for how long) due to XX number of unsuccessful logons? I'm concerned what personal information you have on me and my son given what I've read here.
  • Eric Reeder (Chief Seattle Council), 9 years ago
    Is two factor authentication available?
  • Ed D'Avignon (Northern Star Council, Assistant Scoutmaster), 9 years ago
    Eric, no.
  • Adrienne Rubin (Washington Crossing Council, Assistant Cubmaster), 9 years ago
    So, we are doing this, but enabling all users to see all emails by making them cc, not bcc? You are adding security controls in one way and loosening them in another. And by making the emails public (once they are cc, not bcc, they are out there forever), you are sending out the scout emails to adults they don't even know. It makes no sense to me to increase password security at the same time as you do this.
  • Michael Viton (Simon Kenton Council), 9 years ago (updated)
    I didn't read all the comments but an 8 character password can be hacked in minutes.

    I recommend everyone use a password manager and use a minimum 20+ character password that is different than any other password.

    I also suggest that scoutbook and the scouts allow multi-factor Authentication through a third party app not SMS.

    I deal with protecting against hackers daily and see such requirements bypassed easily and quickly.

    After browsing some of the comments there is a risk to reward. All businesses deal with that. The real situation is how the PII data is protected and not necessarily the password. But remember most people use the same password across accounts so getting this password if security is minimal (don't know all the protections) then it could be used to test other potential logins. Also remember any data on youth can be compiled across breaches (which happen daily) and used for ID theft. When your child turns 18 they could be in for a surprise. I recommend blocking all credit inquiries allowed to your child. You can lock your or your child's credit.
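The authenticator-app MFA that this and several earlier comments ask for is RFC 6238 TOTP: the server and the app share a secret, and each computes an HMAC over the current 30-second time step, so nothing travels over SMS. The following is an added example, not Scoutbook's code. The secret is the RFC 6238 test-vector key rather than a real enrollment secret; verify_totp adds a one-step window for clock drift and refuses counters at or before the last accepted one, so a code captured by phishing cannot be replayed inside that window.

```python
"""RFC 6238 TOTP as computed by authenticator apps. Added example, not
Scoutbook code; SECRET is the RFC 6238 Appendix B test-vector key."""
import base64
import hashlib
import hmac
import struct
import time

# A real deployment generates a random per-user secret at enrollment and hands
# it to the app as base32 (usually inside a QR code). This is the RFC test key.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """Code for the time step containing at_time (what the app displays)."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, code: str, at_time: float, last_counter: int = -1,
                step: int = STEP_SECONDS, window: int = 1):
    """Return the matching counter, or None if the code is wrong or already used.

    window=1 accepts the previous and next step to tolerate clock drift.
    Counters at or before last_counter are refused: the caller persists the
    returned counter so a captured code cannot be replayed within the window.
    Comparison is constant-time so timing does not leak partial matches.
    """
    current = int(at_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def enrollment_secret(secret: bytes) -> str:
    """Base32 form of the secret, which is what an authenticator app is given."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    print("enroll this in the app:", enrollment_secret(SECRET))
    print("code right now:", totp(SECRET, time.time()))
```

Only HMAC-SHA1 with six digits and a 30-second step is shown because that is what Google Authenticator and similar apps default to; the algorithm, digit count and step are all negotiable at enrollment.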
  • Robert Claxton (Quapaw Area Council), 9 years ago
    As an Identity Access Admin working for the state, a good passphrase and two-factor are key parts of protecting your data.
  • Todd Jones (Central Florida Council, Assistant Scoutmaster), 9 years ago
    Ed, I am not sure how Jennifer (about a month ago) had her account up in Scoutbook, via web or app, but I run my Scoutbook via Safari on my iPad and have run into the same problem. I can type a short message to send to my Den and by the time I get done with a short three-five sentence wrap, I have to log back in again AND retype the message. After the first time, I learned to copy and paste after the re-login. So how does typing a message within Scoutbook constitute inactivity? Still lovin Scoutbook even with this slowdown.
  • Ryan Kareha (Pennsylvania Dutch Council, Den Leader), 9 years ago
    1: You need a 30 minute Lockout Policy for 5 unsuccessful login attempts.

    2: If you want to test site security, and have not done so, look into a pentester to check security. I'd be more than happy to run a few of the common security tests for free if you define the scope in writing and contact me :) Like everyone here, I want to make sure my info and my kid's are safe from breaches.
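The lockout rule in point 1 above, as an added example that is not Scoutbook's code: an in-memory per-account throttle that locks the account for 30 minutes once 5 failures accumulate, skips the credential check entirely while locked so the lock itself leaks nothing about the password, and clears the failure count on success. The comment states the threshold and the lockout length; the 30-minute window within which failures are counted is my assumption, and a real deployment would keep this state in a shared store rather than a process-local dict.

```python
"""Per-account login throttle with lockout. Added example, not Scoutbook code.

Assumptions: 5 failures within a 30-minute window lock the account for 30
minutes. The threshold and lockout come from the comment; the window is mine.
"""
from collections import defaultdict
from typing import Callable


class LoginThrottle:
    def __init__(self, max_failures: int = 5, lockout_seconds: int = 30 * 60,
                 window_seconds: int = 30 * 60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.window_seconds = window_seconds
        self._failures = defaultdict(list)   # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                     # lock expired: start with a clean slate
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account: str, verify: Callable[[], bool], now: float) -> str:
        """Run one login attempt; returns 'ok', 'failed' or 'locked'.

        verify() is the real credential check. It is not called while the
        account is locked, so the response during a lockout is identical for a
        right and a wrong password.
        """
        if self.is_locked(account, now):
            return "locked"
        if verify():
            self._failures.pop(account, None)
            return "ok"
        recent = [t for t in self._failures[account] if now - t < self.window_seconds]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed walk-through: four bad guesses, the fifth locks, even the
    # right password is refused until the lock expires.
    throttle = LoginThrottle()
    for second in range(5):
        print(second, throttle.attempt("leader@example.org", lambda: False, 1000 + second))
    print("right password while locked:",
          throttle.attempt("leader@example.org", lambda: True, 1010))
    print("right password after 30 min:",
          throttle.attempt("leader@example.org", lambda: True, 1004 + 30 * 60))
```

A practitioner's caveat: lockout keyed on the account name alone lets anyone who knows a username lock that user out, so it is normally paired with per-source-address throttling and a sign-in notification rather than used by itself.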
  • Thomas Wilson (Glaciers Edge Council), 9 years ago
    I have a question on the 30 minute timeout. Would it be possible to up that to 1-2 hours (60-120 minutes)? The 30 minute timeout is a nuisance, especially for those of us who tend to get distracted while working in Scoutbook and/or as noted above in this thread, typing a long email. I've had a couple of itineraries "lost" due to the 30 minute timeout, and in fact lost my first try at a "comment" in this thread because I took a phone call in the middle of typing it. When I clicked "Post Comment", it just disappeared, so I assume the page was up more than 30 minutes. I've worked in IT since 1996 and to the best of my knowledge, the 30 minute timeout comes from a user study from 1994, that had nothing to do with security. But it has come to be an IT/Web "standard". Our internal corporate research shows breach activity between 31 and 120 minutes (for financial sites) tends to be less than 0.1% (one tenth of one percent) higher than 0-30 minutes and in most cases drops after 30 minutes. The site already runs HTTPS/SSL so the connection is already a step higher than unencrypted connections. And in reality, scout websites have very low breach activity, probably because the personal data of 10 year olds tends to not be very profitable for hit-and-run hackers.

    Just my 2 cents worth from someone who would really like to see Scoutbook become the robust site it has the potential to be (and the BSA deserves!). But this feature has caused me quite a bit of aggravation already and I can't imagine I'm alone.
