Enforcing Password Reset at the Site Level

EFT Server provides the option to force password reset. On HS-PCI-enabled Sites, users are forced to change their passwords on first use.

You can enable the password reset page while disallowing general access to HTTP or HTTPS. When a new user logs in to EFT Server via the HTTP or HTTPS index page, EFT Server redirects the user to the reset page. After the user creates a new password, they are returned to the index page.

Password initial reset, expiration, and account management features only apply to GlobalSCAPE and ODBC authentication Sites. These options are not available if other authentication types (AD, LDAP, etc.) are used. Password security features all apply at the Server level, not to individual accounts.

There is no way to ask FTP users to change their password prior to logging in. We must allow them to actually login (authenticate) but then prevent any further interaction with their session until they change their password.

When a user logs in to the HTTPS index page and the Force reset check box is selected, the user is automatically redirected to the account-management page if:

To configure the Site enforce password reset

  1. In EFT Administrator, connect to EFT Server and click the Server tab.

  2. In the left pane, click the Site that you want to configure.

  3. In the right pane, click the Site Options tab.

  4. Next to Allow users to reset their passwords, click Advanced. The Reset Password Settings dialog box appears.

  5. Select the Force users to reset their passwords on initial login check box, then click OK.

  6. Click Apply to save the changes on EFT Server. Users will be prompted to change their password when they log in to the Site.