Security Update and Merit Badge Counselors
Published: Sep 2, 2016
Occasional blog of Bob Scott, BSA’s Director of Scoutbook
Security Update
On August 25th I posted on the upcoming changes Scoutbook is making to better protect the personal information that Scouts and Scouters have shared with Scoutbook by increasing the required complexity of passwords. This work has already been implemented for new users setting up accounts for the first time, for temporary passwords, and for current users requesting a password change.
On September 15th Scoutbook will enforce the functionality for all users. At that time, when a user logs into Scoutbook they will be required to change their password to meet the new complexity requirements.
As development went forward there were some small changes to the complexity standards, to maintain compatibility throughout the BSA and Scoutbook infrastructure. The standards as released are as follows, with the changes in bold:
-Minimum of eight and a maximum of thirty characters
-Must contain characters from three of the four following ‘complexity’ categories:
* English uppercase characters (A through Z)
* English lowercase characters (a through z)
* Numbers 0 through 9
* Non-alphanumeric characters from the set _ ~ ! @ # $ + - = { } ^
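The rules above, written out as a checker. This is an added example, not Scoutbook's own code, and it makes one assumption the post does not state: a character outside the four listed categories (a space, a percent sign, a non-ASCII letter) is rejected rather than silently ignored. The function returns every violation it finds so a user sees all problems at once instead of fixing them one login at a time.

```python
import string

# The Scoutbook requirements as published in the September 2016 post.
MIN_LEN, MAX_LEN = 8, 30
REQUIRED_CATEGORIES = 3
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
# The post lists exactly these non-alphanumeric characters.
SPECIALS = set("_~!@#$+-={}^")
# Assumption (not stated by the post): anything outside the four categories
# above (space, %, &, non-ASCII, ...) is rejected outright.
ALLOWED = UPPER | LOWER | DIGITS | SPECIALS


def check_scoutbook_password(pw: str) -> list[str]:
    """Return the policy violations for pw; an empty list means it is acceptable."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")

    disallowed = sorted({c for c in pw if c not in ALLOWED})
    if disallowed:
        problems.append("contains characters outside the published set: "
                        + " ".join(repr(c) for c in disallowed))

    chars = set(pw)
    categories_met = sum(bool(chars & cat) for cat in (UPPER, LOWER, DIGITS, SPECIALS))
    if categories_met < REQUIRED_CATEGORIES:
        problems.append(f"uses {categories_met} of 4 character categories; "
                        f"{REQUIRED_CATEGORIES} are required")
    return problems


def password_is_acceptable(pw: str) -> bool:
    return not check_scoutbook_password(pw)


if __name__ == "__main__":
    # Constructed sample inputs, one per rule.
    for sample in ("Troop123", "scoutbook", "Sb1!", "Eagle_2016",
                   "Troop 123", "A1" + "a" * 30):
        verdict = check_scoutbook_password(sample) or ["ok"]
        print(f"{sample!r:36} -> {'; '.join(verdict)}")
```

Note that "Troop123" passes: three categories is the bar, so a capitalized word plus a number satisfies the policy. The composition rule raises the floor only a little; it is the minimum length and the server-side hashing that carry most of the weight.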
Merit Badge Counselor Update
Also in previous blogs I have written about the work going on with some councils (approximately 120 now) to enable the upload of council-approved merit badge counselors to Scoutbook. According to the Guide to Advancement, counselors are BSA positions approved by councils.
Consistent with this policy, Scoutbook is currently changing how unit roster imports work. When this work is completed, roster uploads from third-party advancement tools or via the Scoutbook CSV format will no longer add counselors to a unit's roster.
Coming Attractions
Development priorities in the software area constantly shift as new opportunities are identified, bugs are found, and users request more capability. So, in the spirit of Semper Gumby (always flexible), Scoutbook's short-term development priorities are as follows:
- Fixing bugs in new unit creation having to do with unit numbers
- Adding functionality to the previously released Lion program
- Revamping Training Validation to adapt to the new online training being offered so that training status is correct for leaders in Scoutbook
- Adding the Cub Scout Shooting Sports Award
TTFN. As always, your comments and concerns about this post or any other subject are welcome.
@Stephen and @Ed, since you are on the Scoutbook advisory committee, do you ever ask when Scoutbook will start implementing new features or have you given up also?
@Alex, the BSA has owned Scoutbook for 1 1/2 years. How long do we allow them to build infrastructure before we are allowed to complain about the lack of new features?
Whoops. Didn't read through the entire chain above. Still in the works I see. No worries and thanks for making this happen. I am sure sometime by end of 2016 it will be a wonderful update.
Scoutbook uses this method to store passwords, thus there is no way to know if your password meets the requirements. This is also why when you click on Forgot Password, you are sent a new password, not your existing password.
My council has a video of how it will look to a troop leader here:
https://www.youtube.com/watch?v=7280_DAhHFA
And how it will look to a MBC here:
https://www.youtube.com/watch?v=JD45S4RmKf0
https://drive.google.com/file/d/0B7eow1old_bYTnB2N29ydFlXV0E/view?usp=sharing
Approved by the xxxxx Council
Also the checkmarks next to the merit badges listed under the MBC name will be blue
And lastly there will be a youth protection icon and training expiration date shown below the name
Also, I'm not entirely sure why you're limiting to just 32 characters, though I'm also not a huge fan of when people demand support for 256-character and beyond passwords...
The latest guidance from the National Institute of Standards and Technology (NIST 800-63B, see official copy here: https://pages.nist.gov/800-63-3/sp800-63b.html) includes guidance for "Memorized Secrets" (passwords) in Section 5.1.1:
* 8 characters in length
* Should permit at least 64 characters
* Should accept all printing ASCII characters as well as Unicode
* Blacklist of compromised passwords is permissible (server-side rejection of known-compromised passwords)
* *** No other complexity requirements should be imposed *** (emphasis mine)
Much of this security is predicated on use of blacklists and a strong hashing function. What hashing function are you using? It should be a modern function (such as PBKDF2, bcrypt, scrypt, or Argon2), not something older like SHA or MD5. Those latter functions are not designed for password use and are too easily brute forced in the event of a server compromise. So even if you can't stomach the new suggestions (and I admit I've grown used to complexity requirements), at least allow all printable ASCII in the passwords. Again, if you've been told that certain characters are "dangerous" for security reasons, then you've been told wrong....
As I said, computer security (mobile and web application testing) is what I do for a living, so this kind of hits home. :) If you're curious, I'm happy to discuss the kinds of things we (and other similar firms) test for, in general terms... (I'm not a salesperson and would never ever want to be, but I do think that it's important to get a professional security evaluation on a regular basis, no matter who you get it from).
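The two halves of the comment above, carried into code as an added example that is not part of the post and not Scoutbook's code: a NIST 800-63B style check (length bounds plus a compromised-password blocklist, no composition rules, any printable ASCII or Unicode accepted) next to password storage with PBKDF2-HMAC-SHA256 from the Python standard library, with an unsalted SHA-256 digest shown for contrast. The blocklist excerpt is constructed, and the iteration count and record format are assumptions, not anything known about Scoutbook.

```python
import hashlib
import hmac
import os
import unicodedata

# NIST SP 800-63B section 5.1.1 bounds: at least 8 characters, permit at least 64.
MIN_LEN, MAX_LEN = 8, 64
# PBKDF2-HMAC-SHA256 work factor. 600,000 is the figure from the 2023 OWASP
# Password Storage Cheat Sheet; an assumption here, not a Scoutbook setting.
PBKDF2_ITERATIONS = 600_000
# Constructed excerpt of a compromised-password blocklist. A real one is built
# from breach corpora and holds millions of entries.
BLOCKLIST = {"password", "password1", "12345678", "qwertyuiop", "scoutbook"}


def normalize(pw: str) -> str:
    # 800-63B has verifiers apply NFKC or NFKD before hashing, so the same text
    # typed on different keyboards (composed vs. combining accents) hashes alike.
    return unicodedata.normalize("NFKC", pw)


def check_nist_password(pw: str) -> list[str]:
    """Length bounds plus a blocklist, and nothing else: no composition rules."""
    pw = normalize(pw)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if pw.lower() in BLOCKLIST:
        problems.append("appears on the compromised-password blocklist")
    # Every printable ASCII and Unicode character, spaces included, is accepted.
    return problems


def hash_password(pw: str, salt: bytes = b"") -> str:
    """Slow, salted hash for storage, as pbkdf2_sha256$iterations$salt$digest."""
    salt = salt or os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"),
                             salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(digest_hex))


def unsalted_sha256(pw: str) -> str:
    """What NOT to store: fast, unsalted, identical for every user with this password."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for sample in ("Password1", "correct horse battery staple", "pässwörd für Pfadfinder"):
        print(f"{sample!r:36} -> {check_nist_password(sample) or ['ok']}")
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored),
          verify_password("Correct horse battery staple", stored))
    # Two users choosing the same password: identical unsalted digests, but
    # distinct PBKDF2 records, so a cracked one does not reveal the other.
    print(unsalted_sha256("Password1") == unsalted_sha256("Password1"),
          hash_password("Password1") == hash_password("Password1"))
```

"Password1" satisfies a three-of-four composition rule and is rejected here anyway, because the blocklist, not the character mix, is what tracks how attackers actually guess. The iteration count lives inside the stored record so it can be raised later without invalidating existing hashes; a record written at a lower count still verifies, and can be rehashed at the new count on the next successful login.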
I too know something about security. If you go look at IBM's entry to the AES competition from the late 1990s, you will find my name as one of the developers. While I'm just a member of the SUAC and a volunteer, I do try to look out for the security of SB. I have never seen the code, but I am confident, with the type of information stored in SB, the current security is sufficient.
What other password requirements are going to be put on us? Changing every 45 days... is that in the plans as well? I am not for making too many changes, as most of the parents within my units are not as technologically savvy as I am. I am also spending way too much time tutoring them in this product, which does not seem to have a good solid training program.
We recommend using report builder to make a report for the scouts instead of the Individual Advancement report. The BSA's updated report for the adventure program does not provide the information needed for leaders or scouts. Report Builder will provide the current status for all adventures and rank requirements. With the Chrome extension you can dump the data into a spreadsheet and format it any way you like. Search the chrome app store for Scoutbook.
--Our Boy Scout troop has migrated to Scoutbook. There are many great features from an Advancement Chair's perspective but reporting could be more robust when compared to the previous software. For example, the following reports were used frequently by our troop: Eagle Scout Application, Board of Review (we do 60+ per year), and OA Eligibility -- all OA reporting by unit. I have searched Scoutbook --where is reporting other than the individual progress report? In many cases the Scout or adult leader can now do his/her own reporting (yeah from the Advancement Chair's perspective)--e.g. Eagle Scout Application but the report still needs to exist for the Scout.
--I like the "report" at the bottom of some screens (e.g. progress on a specific rank by all scouts at that rank) but I cannot find a way to report on that information. The ability to "configure" the report so I can select by scout, patrol, alphabetical, content, etc. would be great. Is reporting configuration on the product roadmap?
--The role of Advancement Chair which many troop committees have is not recognized in Scoutbook so the choice is Admin (not Key 3 and not Secretary). Is that the approach we should be taking?
If there are other Advancement Chairs using Scoutbook who would like to collaborate, I would like to create a group. Please respond to this post.
YIS--Ella
There is a position called committee advancement coordinator, but you should probably also be an admin.
For discussion for other advancement chairs, I'd suggest looking at the forums, especially Boy Scouting and Using Scoutbook. Those have the advantage that you can subscribe to a post to receive emails when responses are posted.
Can anyone explain why the MBC maintenance tools that already existed in Scoutbook (the ones that were taken away from the unit admins) were not made available to the Council admin? It would have also been nice to make the training reports available to the Council admin so they could see which MBCs were coming up on YPT renewal. Since these features already exist in Scoutbook it would have been pretty easy to make them available.