From: Kevin Gillis - [EMAIL PROTECTED]
Sent: Monday, December 12, 2005 4:09 AM
To: [email protected]
Subject: RE: [WS_FTP Forum] User password security
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 09, 2005 1:12 PM
To: [email protected]
Subject: RE: [WS_FTP Forum] User password securityKevin,You asked: "How would you want expired passwords to be reset?"A brilliant solution would be a configurable "grace time period". If the user logs in during this time, he is advised that he still has (another configurable) n remaining logins, or he is asked to immediately change the password if n=0. If he has exceeded the n logins without having changed the password, or if he did not change the password immediately if n=0, or if the grace time period in general has been exceeded, then this user is locked out until an administrator resets him.Regards,Erich-----Original Message-----
From: Schuessler Doug - [EMAIL PROTECTED]
Sent: Friday, December 09, 2005 2:40 PM
To: [email protected]; [EMAIL PROTECTED]
Cc: Tripp Allen
Subject: RE: [WS_FTP Forum] User password securityI was planning that the user would be unable to logon once the password had expired, like any other logon. I had no considered an ability to allow logon but not any transfers.The new password features sound appealing. Would this be available for all user account DB options? Could the expire feature be set to expire after 'X' days, i.e. - if changed on Jan. 1, 2005, would it then be set to next expire March 31,2005 (90 days later)? Would there be an ability to warn, at logon, of impending password expire? Would there be an ability to force password change (or is this the reason for allowing logon after the password has expired?)?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gillis
Sent: Thursday, December 08, 2005 5:48 PM
To: [email protected]; [EMAIL PROTECTED]
Cc: Tripp Allen
Subject: RE: [WS_FTP Forum] User password securityHi Doug,Excellent feature request. Turns out, we have a similar feature coming in the next release of WS_FTP Server for which the Beta is starting in January.It's not final, but we are looking to let you set the following requirements:1. # of former passwords to track2. Number of special characters (* & #, etc.)3. Number of numeric characters required4. Min number of characters required5. You can also set the expiration date for the password and also have it expire on a specific date (which you set).How would you want expired passwords to be reset? For example, would it be okay to let a user log into their account and just not allow any transfers (upload/download) until they change their password (provided you have that feature turned on)?Bye for now,kg-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Schuessler, Doug
Sent: Thursday, December 08, 2005 5:19 PM
To: [EMAIL PROTECTED]
Cc: WS_FTP Pro forum LISTSERV
Subject: [WS_FTP Forum] User password securityWe have been using FTP server with NT user database and only allowing users to change password by calling me to change them. The NT database was used to enforce our password content/complexity requirements (minimum 6 characters, containing at least one each of uppercase, lowercase and a number or special character), since this is not available when using Ws-FTP server to maintain the accounts. With our latest security audit, we are now required to expire the passwords every ninety days. This new requirement would mean manual password changes by me are no longer a workable process. With the loss of control of passwords, we also would then need a way to replicate the passwords to another system for disaster recovery purposes. I am looking for suggestions on how to support this new requirement.
<<[EMAIL PROTECTED]>>
