Expiring Passwords

Expiring Passwords for the User

The HSM provides a method for resetting the password via FTP and SFTP. (If you do not activate the HSM, this feature is disabled after the 30-day trial expires.)

To expire a password after <n> days

In the administration interface, connect to EFT and click the Server tab.
On the Server tab, click the Site, Settings Template, or user that you want to configure, and then click the Security tab.
If Password expiration options is not available, select the Allow users to reset their passwords check box.
Next to Password expiration options, click Configure. The Password Expiration dialog box appears.
To expire the password after a certain number of days, select the Expire passwords in check box, and then specify the number of days.
Do either or both of the following:
- To send an e-mail when the password is about to expire, select the Send user an e-mail prior to expiration check box.
- To send an e-mail when the password has expired, select the Send user an e-mail upon expiration check box.
Click OK to close the dialog box.
Click Apply to save the changes on EFT.

If reminders are enabled, users are prompted when their account passwords are about to expire and after the account is expired.

The text of the password expired message, below, is stored by default in %systemroot%\ProgramData\Globalscape\EFT Enterprise\PasswordResetMsg.html.

%full_name%, The password for account: %username% has expired. Please change your password at your earliest convenience. Instructions for changing your password via FTP, SFTP, and HTTP/S are provided below for your convenience: 1. Please enter the following URL into your browser: %reset_page% 2. Supply your current password when prompted 3. Enter your new password and confirm 4. If approved, exit the browser and login as normal.

The text of the password expiration reminder message, below, is stored by default in %systemroot%\ProgramData\Globalscape\EFT Enterprise\PasswordResetReminderMsg.html.

% full_name%, The password for account: %username% will expire in %days_left% days. Please change your password at your earliest convenience. Instructions for changing your password via FTP, SFTP, and HTTP/S are provided below for your convenience: 1. Please enter the following URL into your browser: %reset_page% 2. Supply your current password when prompted 3. Enter your new password and confirm 4. If approved, exit the browser and login as normal.

On Sites defined using the "strict security settings," users are forced to change their passwords on first use. Each day it also checks whether passwords are <n> days from expiration, and those passwords are flagged for reminders, if reminders are enabled. All reminder e-mail messages are sent immediately after flagging the accounts to be reminded.

You can enable the password reset page while disallowing general access to HTTP or HTTPS. When a new user logs in to EFT via the HTTP or HTTPS index page, EFT redirects the user to the reset page. After the user creates a new password, they are returned to the index page.

If a user with an expired password logs in over FTP, the user is prompted that the password is expired and must be reset. Until the password is successfully changed, EFT will not process any commands other than changing the password or exiting. If a user with an expired password logs in over SFTP, the user is forced to reset the password before continuing with the login process.

When a password is reset, EFT verifies the new password against complexity criteria and password history, if those features are enabled. Users are not allowed to proceed with their session until a password is created and accepted by the system. If the password is not accepted by the system:

In HTTPS and SFTP, the authentication request will be denied.
In FTP, no further FTP commands will be accepted until a new password is provided that meets complexity and password history requirements, if those features are enabled.

EFT executes cleanup procedures every day at 00:00:00 UTC and at Server Startup. This daily server cleanup removes/disables inactive administrators and user accounts and sends password reset and expiration notifications for every Site. All reminder e-mail messages are sent immediately after flagging the accounts to be reminded.
There is no way to ask FTP users to change their password prior to logging in. EFT must allow them to login (authenticate), but then prevents any further interaction with their session until they change their password.
You can edit the HTML file for the password messages; however, be sure not to change the variables, which are enclosed in percent signs (%text%).
If Expire password in N days is enabled, \manageaccount and the reset page are enabled, the password has expired, and the user logs in with an expired password, EFT automatically redirects the authenticated user to the reset page. (In HTTPS, the user is redirected to the rest page on the HTTPS port.)
When resetting passwords, all password complexity requirements, reuse history, and cyclical password-use checks apply, if those settings are enabled in the administration interface.
If a Site is running in PCI DSS (high security) mode, warnings will appear when you enable or disable settings that may take you out of compliance.