Allowing or Forcing Password Reset

EFT Server provides the option to force password reset if the High Security module (HSM) is installed and activated. If enabled, users are forced to change their passwords on first use. You can enable the password reset page while disallowing general access to HTTP or HTTPS. When a new user logs in to EFT Server via the HTTP or HTTPS index page, EFT Server redirects the user to the reset page. After the user creates a new password, they are returned to the index page.


Initial password reset, expiration, and account management features apply only to GlobalSCAPE and ODBC authentication Sites. These options are not available if other authentication types (AD, LDAP, etc.) are used. Password security features all apply on the Server, not to individual accounts.

There is no way to ask FTP users to change their password prior to logging in. EFT Server must allow them to log in (authenticate), but then prevents any further interaction with their session until they change their password.

Refer to Using the HSM with the Secure Ad Hoc Transfer Module if you are using a PCI DSS Site.

When a user logs in to the HTTPS index page and the Force reset check box is selected, the user is automatically redirected to the reset page if:

To enforce password reset

  1. In the administration interface, connect to EFT Server and click the Server tab.

  2. In the left pane, click the user or Settings Template you want to configure.

  3. In the right pane, click the Security tab.

  4. Select the Allow users to reset their passwords check box.

  5. Select the Force users to reset their passwords check box.

  6. Configure password expiration and invalid login options, if desired.

  7. Click Apply to save the changes on EFT Server.

When a password is reset, EFT Server verifies the new password against complexity criteria and password history, if those features are enabled. Users are not allowed to proceed with their session until a password is created and accepted by the system. If the password is not accepted by the system:
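The gate described in the two paragraphs above (the user authenticates, is redirected to the reset page for anything else, and is only released once the new password passes the complexity and history checks) can be modelled as follows. This is an added illustration, not EFT Server code; the minimum length, the history depth of four, the rule set, and the path names are assumptions chosen for the example.

```python
"""Illustration (not EFT Server code) of a forced-password-reset gate:
a user with a pending reset can authenticate but is redirected to the
reset page for every other request until a new password passes the
complexity and history checks. Policy values below are assumptions."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Assumed policy values; EFT Server's own defaults are not stated on this page.
MIN_LENGTH = 8
HISTORY_DEPTH = 4          # number of previous password hashes retained
RESET_PATH = "/reset"


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2 hash; a fresh salt is generated when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    must_reset: bool = True             # forced reset on first use
    history: list[tuple[bytes, bytes]] = field(default_factory=list)


def new_user(name: str, initial_password: str) -> User:
    """Create an account whose first login must be followed by a reset."""
    salt, digest = hash_password(initial_password)
    return User(name, salt, digest)


def check_complexity(password: str) -> list[str]:
    """Return the complexity rules the candidate fails (empty means accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    return failures


def in_history(user: User, password: str) -> bool:
    """True if the candidate matches the current or any retained previous password."""
    for salt, digest in [(user.salt, user.digest)] + user.history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def authenticate(user: User, password: str) -> bool:
    """Login succeeds even when a reset is pending; the gate is applied per request."""
    _, candidate = hash_password(password, user.salt)
    return hmac.compare_digest(candidate, user.digest)


def route(user: User, path: str) -> str:
    """An authenticated user with a pending reset may only reach the reset page."""
    if user.must_reset and path != RESET_PATH:
        return f"redirect:{RESET_PATH}"
    return f"serve:{path}"


def reset_password(user: User, new_password: str) -> tuple[bool, list[str]]:
    """Apply the new password only if it passes complexity and history checks."""
    problems = check_complexity(new_password)
    if in_history(user, new_password):
        problems.append("matches a recently used password")
    if problems:
        return False, problems
    # Retire the old hash into the history window, then store the new one.
    user.history = ([(user.salt, user.digest)] + user.history)[:HISTORY_DEPTH]
    user.salt, user.digest = hash_password(new_password)
    user.must_reset = False
    return True, []


if __name__ == "__main__":
    alice = new_user("alice", "Temp-Pass1")          # constructed sample account
    assert authenticate(alice, "Temp-Pass1")
    print(route(alice, "/"))                         # redirect:/reset
    print(reset_password(alice, "Temp-Pass1"))       # rejected: in history
    print(reset_password(alice, "Brand-New-Pass9"))  # accepted
    print(route(alice, "/"))                         # serve:/
```

Two points from the page are visible in the structure: the check runs in `route`, on every request, rather than at login, so an FTP-style client that authenticated successfully still cannot do anything else; and the reset path rejects the candidate before any state changes, so a failed attempt leaves the old credential and the pending-reset flag intact.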

For Sites defined using the "strict security settings" option:

If a Site is running in PCI DSS Compliance mode, warnings appear in the following situations: