EFT Server's HS-PCI module allows you to enforce the use of complex passwords. If you do not activate the HS-PCI module, this feature is disabled after the 30-day trial expires.
PCI DSS requirement 8.5.10 states that you should require a minimum password length of at least seven characters. PCI DSS requirement 8.5.11 states that you should use passwords containing both numeric and alphabetic characters.
When you create or update a user account, you can require the user to create strong (complex) passwords. Complex passwords are enabled by default when you create a HS-PCI-enabled Site. A complex password must meet the following criteria:
Minimum length (from 6 to 99 characters).
Not contain N or more characters from the user's account name.
Not contain N or more repeating characters.
Not consist solely of a word in a dictionary file (forward or, optionally, backwards).
Contain at least one character from each of the character categories you select from the list below. The number of characters in the password can never be fewer than the number of chosen categories, but can be greater.
English uppercase characters (A - Z)
English lowercase characters (a - z)
Base 10 digits (0 - 9)
Non-alphanumeric (for example: !, $, #, or %) or Unicode characters
For example, suppose you specify a minimum length of 6 characters and, in the Character categories area, select Uppercase, Lowercase, and Numeric. The password must then contain at least one uppercase character, one lowercase character, and one digit. In this case A5s3*v35 is an acceptable password, but a5s3*v35 is not, because you required at least one uppercase letter.
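The following checker is an added illustration of the rules described above, written for this page and not taken from EFT Server itself. It follows the prose description (one character from each selected category) rather than the "at least N categories" wording of the settings table, and it assumes that "N or more characters from the user name" means N consecutive characters of the account name appearing in the password; the dictionary set and user names are constructed sample data.

```python
import re

# Character categories named on the page.
CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "numeric": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),  # non-alphanumeric or Unicode
}

# Constructed stand-in for the Site's dictionary file.
DICTIONARY = {"password", "welcome", "summer"}


def check_password(password, username, min_length=8,
                   categories=("uppercase", "lowercase", "numeric"),
                   max_username_chars=3, max_repeats=3,
                   dictionary=DICTIONARY, reject_reversed=False):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    missing = [c for c in categories if not CATEGORIES[c].search(password)]
    if missing:
        problems.append("missing categories: " + ", ".join(missing))
    # Assumption: "N or more characters from the user name" is read as any run
    # of N consecutive characters of the account name, compared case-insensitively.
    pw, un = password.lower(), username.lower()
    if any(un[i:i + max_username_chars] in pw
           for i in range(len(un) - max_username_chars + 1)):
        problems.append("contains part of the user name")
    # N or more identical characters in a row.
    if re.search(r"(.)\1{%d,}" % (max_repeats - 1), password):
        problems.append("repeating characters")
    if pw in dictionary:
        problems.append("dictionary word")
    if reject_reversed and pw[::-1] in dictionary:
        problems.append("reversed dictionary word")
    return problems
```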
When using EFT Server with the Secure Ad Hoc Transfer (SAT) module, temporary SAT user creation fails if the password settings require a minimum of more than 20 characters. If your Site's complex password settings require more than 20 characters, configure the Ad-Hoc User Setting Level to override the Site's password settings so that complex passwords for Ad-Hoc users contain fewer than 20 characters.
To enforce complex passwords on user accounts
In EFT Administrator, connect to EFT Server and click the Server tab.
In the left pane, click the user or User Setting Level you want to configure, then click the Security tab.
Select the Enforce strong (complex) passwords check box.
Click Advanced. The Password complexity settings dialog box appears.
If the check box and Advanced button are grayed out, they are inheriting the setting from the Site on the Site Options tab.
Specify the password complexity per the guidelines in the table below:

| Field | Default | Min/Max Values |
| --- | --- | --- |
| Minimum password length | 8 | 6 - 99 |
| The password must contain characters from at least N of the following categories | 3 categories | 2 categories, up to the maximum password length |
| Must not contain N or more characters from the user name | 3 | 2 characters, up to maximum password length |
| Must not contain N or more repeating characters | 3 | 2 characters, up to maximum password length |
| Must not consist solely of a word in the following Dictionary file (click the ellipsis icon to select a file) | on | n/a |
| Must not be a dictionary word backwards | off | n/a |
The dictionary file cannot exceed 10 MB. If the file exceeds that size, the Event log indicates that not all of the file could be loaded. If the dictionary file is not available, EFT Server operations continue and an error is written to the Event log.
Click OK to save the settings or Cancel to keep existing settings.
Click Apply to save the changes to EFT Server.
COM-created accounts are not subject to complexity requirements unless the CreateComplexPassword method is used. Refer to http://help.globalscape.com/help/eft5_com/ for details.