Title: User password security
Yes; that is what I mean by all account DB options.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gillis
Sent: Friday, December 09, 2005 6:32 PM
To: [email protected]
Subject: RE: [WS_FTP Forum] User password security

Hello Doug,
 
Thanks for the comments.
 
Yes, the option to allow login would be only to allow end users to self-change their PW, basically taking the burden off of the FTP Server Admin. Blocking all upload/download access would also encourage users to reset, but we'd need to communicate this (possibly in the login banner), as you pointed out. But again, this would only be an option and the default state would be to completely block all access.
 
There is an option that whenever the password is changed, and the option to expire in x days is on, the newly set pw will auto expire x days after each time you change it.
 
For "all user account DB options", do you mean ODBC, Active Directory, etc. or something else (your DB used for authentication)?  
 
Hope that this helps.
 
bye for now,
 
kg
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schuessler, Doug
Sent: Friday, December 09, 2005 8:40 AM
To: [email protected]; [EMAIL PROTECTED]
Cc: Tripp Allen
Subject: RE: [WS_FTP Forum] User password security 
Schuessler, Doug [EMAIL PROTECTED] 

    I was planning that the user would be unable to logon once the password had expired, like any other logon.  I had not considered an ability to allow logon but not any transfers.
 
    The new password features sound appealing.  Would this be available for all user account DB options?  Could the expire feature be set to expire after 'X' days, i.e. - if changed on Jan. 1, 2005, would it then be set to next expire March 31, 2005 (90 days later)?  Would there be an ability to warn, at logon, of impending password expire?  Would there be an ability to force password change (or is this the reason for allowing logon after the password has expired?)?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gillis
Sent: Thursday, December 08, 2005 5:48 PM
To: [email protected]; [EMAIL PROTECTED]
Cc: Tripp Allen
Subject: RE: [WS_FTP Forum] User password security

Hi Doug,
 
Excellent feature request.  Turns out, we have a similar feature coming in the next release of WS_FTP Server for which the Beta is starting in January. 
 
It's not final, but we are looking to let you set the following requirements:
 
1. # of former passwords to track
2. Number of special characters (* & #, etc.)
3. Number of numeric characters required
4. Min number of characters required
5. You can also set the expiration date for the password and also have it expire on a specific date (which you set).
 
How would you want expired passwords to be reset?  For example, would it be okay to let a user log into their account and just not allow any transfers (upload/download) until they change their password (provided you have that feature turned on)?
 
Bye for now,
 
kg
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Schuessler, Doug
Sent: Thursday, December 08, 2005 5:19 PM
To: [EMAIL PROTECTED]
Cc: WS_FTP Pro forum LISTSERV
Subject: [WS_FTP Forum] User password security

        We have been using FTP server with NT user database and only allowing users to change passwords by calling me to change them.  The NT database was used to enforce our password content/complexity requirements (minimum 6 characters, containing at least one each of uppercase, lowercase and a number or special character), since this is not available when using Ws-FTP server to maintain the accounts.  With our latest security audit, we are now required to expire the passwords every ninety days.  This new requirement would mean manual password changes by me are no longer a workable process.  With the loss of control of passwords, we also would then need a way to replicate the passwords to another system for disaster recovery purposes.  I am looking for suggestions on how to support this new requirement.

