Prohibiting Password Reuse

You can configure EFT Server to remember a user account's previous passwords and to reject a new password that matches any of the last 4 to 99 passwords used for that account. You can set this at the Site, Settings Template, and user account levels.

On PCI DSS Sites, password history is enabled by default. If a user attempts to change a password to one of the specified number of passwords previously used for that account, EFT Server denies the password change request. The option is available at the Site and Settings Template levels and per user.

EFT Server validates every password change attempt for reuse, with no special cases, whether the change is made through COM or through the Administrator; a violation results in a prompt (in the Administrator) or an error code (COM).


The password history is reset when transitioning from a non-PCI state to a PCI state. For example, if you disable this option, click Apply, then re-enable the option and click Apply again, the count starts over, because the password history is discarded when the option is disabled.

To enable enforcement of password history

  1. In the administration interface, connect to EFT Server and click the Server tab.

  2. In the left pane, click the user or Settings Template you want to configure.

  3. In the right pane, click the Security tab.

  4. Select the Prohibit reuse of previous check box, then type the number of passwords to remember.


    The number of iterations does not include the current password. For example, if you set password history to 4, and a password change attempt is made, EFT Server first determines whether the new password matches the current password, then evaluates whether the new password matches any of the previous 4 passwords.

  5. Click Apply to save the changes on EFT Server.
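The rules above (reject a match against the current password first, then against the previous N passwords; the history holds 4 to 99 entries and is discarded when the option is disabled) can be modelled in a few lines. The following Python class is an added illustration written for this page, not EFT Server's own code; the class, method and variable names, the PBKDF2 work factor, and the decision to skip all checks while the option is disabled are assumptions made for the example. Passwords are kept only as salted hashes, so the history itself does not leak old credentials.

```python
import hashlib
import hmac
import os
from collections import deque

# PBKDF2 work factor; chosen for this example, not an EFT Server setting.
ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _matches(password: str, entry: tuple) -> bool:
    """Constant-time comparison of a candidate password against a stored (salt, digest) entry."""
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)


class PasswordHistoryPolicy:
    """Hypothetical model of the 'prohibit reuse of previous N passwords' rule."""

    def __init__(self, history_size: int, current_password: str):
        # The page states the configurable range is 4 to 99 prior passwords.
        if not 4 <= history_size <= 99:
            raise ValueError("history size must be between 4 and 99")
        self.history_size = history_size
        self.enabled = True
        self.current = self._entry(current_password)
        # Bounded history of previous passwords; the current password is stored separately
        # and is not counted against history_size.
        self.previous = deque(maxlen=history_size)

    @staticmethod
    def _entry(password: str) -> tuple:
        salt = os.urandom(16)
        return (salt, _hash(password, salt))

    def change_password(self, new_password: str) -> str:
        """Return 'ok' on success or a rejection reason, mirroring the check order on the page."""
        if self.enabled:
            # Step 1: compare against the current password.
            if _matches(new_password, self.current):
                return "rejected: matches current password"
            # Step 2: compare against the previous N passwords.
            if any(_matches(new_password, entry) for entry in self.previous):
                return f"rejected: matches one of the previous {self.history_size} passwords"
            # Accepted: the outgoing password becomes the newest history entry;
            # deque(maxlen=N) silently drops the oldest one.
            self.previous.appendleft(self.current)
        self.current = self._entry(new_password)
        return "ok"

    def set_enabled(self, enabled: bool) -> None:
        """Disabling the option discards the history, so re-enabling starts the count over."""
        if not enabled:
            self.previous.clear()
        self.enabled = enabled


if __name__ == "__main__":
    policy = PasswordHistoryPolicy(4, "pw0")
    for i in range(1, 5):
        print(policy.change_password(f"pw{i}"))   # ok, four times
    print(policy.change_password("pw4"))          # rejected: matches current password
    print(policy.change_password("pw0"))          # rejected: matches one of the previous 4 passwords
```

Note that with a history of 4 the account effectively remembers five values (the current password plus four previous ones), which is the point the note above makes about the count not including the current password.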

Password Reuse Warnings

The following password-reuse violations cause warning messages to appear: