Title: User password security
Kevin,
You asked: "How would you want expired passwords to be reset?"
A brilliant solution would be a configurable "grace time period". If the user logs in during this time, he is advised that he still has (another configurable) n remaining logins, or he is asked to immediately change the password if n=0. If he has exceeded the n logins without having changed the password, or if he did not change the password immediately if n=0, or if the grace time period in general has been exceeded, then this user is locked out until an administrator resets him.
Regards,
Erich
-----Original Message-----
From: Schuessler Doug - [EMAIL PROTECTED]
Sent: Friday, December 09, 2005 2:40 PM
To: [email protected]; [EMAIL PROTECTED]
Cc: Tripp Allen
Subject: RE: [WS_FTP Forum] User password security
I was planning that the user would be unable to logon once the password had expired, like any other logon. I had not considered an ability to allow logon but not any transfers.
The new password features sound appealing. Would this be available for all user account DB options? Could the expire feature be set to expire after 'X' days, i.e. - if changed on Jan. 1, 2005, would it then be set to next expire March 31, 2005 (90 days later)? Would there be an ability to warn, at logon, of impending password expire? Would there be an ability to force password change (or is this the reason for allowing logon after the password has expired?)?
Hi Doug,
Excellent feature request. Turns out, we have a similar feature coming in the next release of WS_FTP Server for which the Beta is starting in January.
It's not final, but we are looking to let you set the following requirements:
1. # of former passwords to track
2. Number of special characters (* & #, etc.)
3. Number of numeric characters required
4. Min number of characters required
5. You can also set the expiration date for the password and also have it expire on a specific date (which you set).
How would you want expired passwords to be reset? For example, would it be okay to let a user log into their account and just not allow any transfers (upload/download) until they change their password (provided you have that feature turned on)?
Bye for now,
kg
We have been using FTP server with NT user database and only allowing users to change password by calling me to change them. The NT database was used to enforce our password content/complexity requirements (minimum 6 characters, containing at least one each of uppercase, lowercase and a number or special character), since this is not available when using Ws-FTP server to maintain the accounts. With our latest security audit, we are now required to expire the passwords every ninety days. This new requirement would mean manual password changes by me are no longer a workable process. With the loss of control of passwords, we also would then need a way to replicate the passwords to another system for disaster recovery purposes. I am looking for suggestions on how to support this new requirement.
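Added example, not part of the original thread and not WS_FTP Server code: a Python sketch of the grace-period logic Erich describes at the top of the thread (n grace logins inside a grace window, then lockout until an administrator reset). The 90-day maximum age comes from the thread; the 14-day grace window, the default n=3, and all class and function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Policy:  # every value is configurable; the defaults are assumptions
    max_age: timedelta = timedelta(days=90)       # 90 days, as in the thread
    grace_period: timedelta = timedelta(days=14)  # assumed window after expiry
    grace_logins: int = 3                         # the "n" in Erich's message

@dataclass
class Account:
    password_set: datetime
    grace_used: int = 0
    locked: bool = False

def change_password(acct, now):
    """A successful change restarts the expiry clock and the grace allowance."""
    if acct.locked:
        raise PermissionError("locked: administrator reset required")
    acct.password_set, acct.grace_used = now, 0

def admin_reset(acct, now):
    """Only an administrator can bring a locked account back."""
    acct.locked = False
    change_password(acct, now)

def login(acct, policy, now, changes_password=False):
    """Outcome of a correctly authenticated login at `now`.
    Returns (state, grace logins still available)."""
    if acct.locked:
        return "locked", 0
    expired_at = acct.password_set + policy.max_age
    if now < expired_at:
        return "ok", policy.grace_logins
    if now >= expired_at + policy.grace_period:
        acct.locked = True            # the grace window itself has run out
        return "locked", 0
    if changes_password:              # user changed the password when prompted
        change_password(acct, now)
        return "changed", policy.grace_logins
    if acct.grace_used >= policy.grace_logins:
        acct.locked = True            # n exhausted (or n=0) and no change made
        return "locked", 0
    acct.grace_used += 1
    return "grace", policy.grace_logins - acct.grace_used

if __name__ == "__main__":
    acct, day = Account(datetime(2005, 1, 1)), timedelta(days=1)  # constructed sample
    for offset in (89, 91, 92, 93, 94):
        print(offset, login(acct, Policy(), acct.password_set + offset * day))
```

The lockout flag is checked before anything else, so a locked account stays locked even if the user later presents the correct password inside the grace window.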