You can configure EFT Server to remember a user account's previous passwords and not allow a user to submit a new password that is the same as any of the last 4 to 99 prior passwords for that account.
On PCI DSS-enabled Sites, password history is enabled by default. If a user attempts to change a password to one of the specified number of passwords previously used for that account, EFT Server denies the password change request. The option is available at the Site, User Setting, and per user.
EFT Server validates any password change attempt for reuse (no special casing), whether via COM or EFT Administrator, resulting in a prompt (EFT Administrator) or an error code (COM).
|
|
The password history is reset when transitioning from a non-PCI state to a PCI state. For example, if you disable this option, click Apply, then re-enable the option, then click Apply again, the count is started over (the password history is discarded when the option is disabled.) |
To enable enforcement of password history
In EFT Administrator, connect to EFT Server and click the Server tab.
In the left pane, click the user or User Setting Level you want to configure.
In the right pane, click the Security tab.
Select the Prohibit reuse of previous check box, then type the number of passwords to remember.
|
|
The number of iterations does not include the current password. For example, if you set password history to 4, and a password change attempt is made, EFT Server first determines whether the new password matches the current password, then evaluates whether the new password matches any of the previous 4 passwords. |
Click Apply to save the changes on EFT Server.
The following password-reuse violations cause warning messages to appear:
If a Site is running in PCI mode and you disable enforcing password history, a warning message appears.
If enforcing password history is enabled and a password change request is made by the end-user (either by a user-initiated password reset or a forced reset), and the new password is the same as any of the specified number of previous passwords, EFT Server rejects the password change attempt. If a password change attempt over HTTP/S fails due to reuse, a warning message appears.
If a user logged in via FTP attempts to change the login password without being prompted (i.e., not a forced reset), and the password fails due to reuse, EFT Server rejects the password change, but the user may continue the FTP session. If the change attempt was due to a forced reset (i.e., require password change on initial login), the user will not be allowed to continue their session until a valid password is provided.
If a password change attempt over SFTP fails due to reuse, EFT Server rejects the change and prompts the user to resubmit a valid password. The user is allowed to continue their session until a valid password is provided.
If a password change attempt in the Administrator Login dialog box fails due to reuse, EFT Server rejects the change attempt, and a warning message appears.
