Configuring Password Expiration on the Site

The High Security module (HSM) provides the option to expire passwords. If you do not activate the HSM, this feature is disabled after the 30-day trial expires.

On Sites defined using the "strict security settings," users are forced to change their passwords on first use. Each day, EFT Server also checks whether passwords are <n> days from expiration and flags those passwords for reminders, if reminders are enabled. All reminder e-mail messages are sent immediately after the accounts are flagged.

EFT Server executes cleanup procedures every day at 00:00:00 UTC and at Server Startup. This daily server cleanup removes/disables inactive administrators and user accounts and sends password reset and expiration notifications for every Site.

You can enable the password reset page while disallowing general access to HTTP or HTTPS. When a new user logs in to EFT Server via the HTTP or HTTPS index page, EFT Server redirects the user to the reset page. After the user creates a new password, they are returned to the index page.

Password initial reset, expiration, and account management features only apply to GlobalSCAPE and ODBC authentication Sites. These options are not available for AD/LDAP Sites. Password security features all apply on the Server, not to individual accounts.

There is no way to ask FTP users to change their password prior to logging in. EFT Server allows them to authenticate, but then prevents any further interaction with their session until they change their password.

When a password is reset, EFT Server verifies the new password against complexity criteria and password history, if those features are enabled. Users are not allowed to proceed with their session until a password is created and accepted by the system. If the password is not accepted by the system:

For PCI DSS Sites:

If a Site is running in High Security mode, the warnings appear in the following situations:

To configure the Site to expire passwords after a specific number of days

  1. In the administration interface, connect to EFT Server and click the Server tab.

  2. In the left pane, click the Site that you want to configure.

  3. In the right pane, click the Security tab.

  4. The Password expiration options are only available if the Allow users to reset their passwords check box is selected. If necessary, select the check box.

  5. Next to Password expiration options, click Configure. The Password Expiration dialog box appears.

  6. Select the Expire passwords in <n> days check box and specify the number of days.

    For Sites defined using the "strict security settings," the number of days is set to 90 by default. If you attempt to change it to fewer than 90 days, or if you clear the check box, a warning message appears.

  7. If you want users to be warned that their password is about to expire, select the Remind <n> days prior to expiration check box.

  8. Do either or both of the following:

  9. Click OK to close the dialog box.

  10. Click Apply to save the changes on EFT Server.

  11. Edit the Password Reset Messages, as desired.