Password

This topic describes the options you have for setting and managing passwords. To access these settings, select Settings, go to the Security Policies section, and select any of the options associated with Password.

The Password requirements set here will be displayed in the web interface wherever a user, or administrator, is asked to enter a password. For example, if the user is required to enter a password when sending a package, the password requirements will be listed.

Length & Complexity

This section controls the minimum password complexity and length requirements for the DMZ system.

Minimum Length: Passwords of this length and longer are the only passwords allowed. (Passwords can never be blank.) The minimum acceptable value is 4, and the default value is 6.

Complexity Strength: Controls which package of complexity rules is applied to passwords. The default complexity is Minimal.

The passdict.txt file, which contains the full password dictionary, is located in your d:\moveitdmz or similar folder. (It is not in "Program Files".) This file is NOT encrypted and may be modified with any text editor.

Aging & History

This section controls the length of time a password is valid, and how many old passwords to remember.

Password History: Allows Admins to prevent users from reusing passwords. Default value is 0, and the maximum allowed value is 99. Password histories are built as people change their passwords. In other words, password histories will not magically appear as soon as an Admin changes the history setting from 0 to 5.

Password Aging: Turns password aging on and off. If enabled, passwords will EXPIRE after the configured number of days. Once a password has expired, the user will be locked out until an administrator can reenable their account. A notification of the password expiration will also be sent to interested administrators and GroupAdmins. Default value is OFF.

Lock out user if password older than: Passwords older than this number of days EXPIRE and will cause their users to be locked out until an administrator can reenable their account. Default value is 120 days, the minimum allowed value is 1, and the maximum allowed value is 9999.

Warn and force password change in advance: When enabled, MOVEit DMZ will EMAIL password expiration notices to the user in advance of their password becoming expired. An email notification will also be sent to interested administrators and GroupAdmins indicating that the user has been informed of the pending expiration of their password. Also, when a user's password is within the configured number of days of expiring, the user will automatically be forced to change their password the next time they sign on.

How many days in advance: Controls how many days in advance of the password becoming expired a warning will be sent. Also controls how many days in advance of the password becoming expired MOVEit DMZ will begin forcing the user to change their password the next time they sign on. Default value is 10 days, the minimum allowed value is 0, and the value must be less than or equal to the value for the Lock out if older than setting.

When changes to the password aging options are made, the system will check to see if any current users will have their passwords marked as Expired due to the new settings. If any such users are found, a second page will appear asking the administrator if they wish to reset those users' password change stamps to the current time. Doing so will not change the passwords of the users. Instead, it will merely change the internal timestamp associated with each user's password, preventing the passwords from being considered old. If this prompt is declined, affected users will have their passwords marked as Expired during the next nightly scheduled task run.
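The aging rules and the settings-change check described above can be modelled as follows. This is an added example, not MOVEit DMZ code: the names AgingPolicy, password_state, newly_expired and reset_change_stamps are hypothetical, the user data is constructed, and it assumes that "older than" is a strict comparison and that the warn option is enabled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AgingPolicy:
    lockout_days: int = 120  # "Lock out user if password older than" (page default)
    warn_days: int = 10      # "How many days in advance" (page default)

    def __post_init__(self):
        # Ranges stated on the page: 1..9999, and 0..lockout_days.
        if not 1 <= self.lockout_days <= 9999:
            raise ValueError("lockout_days must be 1..9999")
        if not 0 <= self.warn_days <= self.lockout_days:
            raise ValueError("warn_days must be 0..lockout_days")

def password_state(changed_at, now, policy):
    """Classify one password change stamp as OK, FORCE_CHANGE or EXPIRED."""
    age = (now - changed_at).days
    if age > policy.lockout_days:        # assumption: "older than" is strict
        return "EXPIRED"
    if policy.lockout_days - age <= policy.warn_days:
        return "FORCE_CHANGE"            # warned, must change at next sign-on
    return "OK"

def newly_expired(stamps, now, old, new):
    """Users the settings change itself would push into EXPIRED."""
    return sorted(u for u, t in stamps.items()
                  if password_state(t, now, old) != "EXPIRED"
                  and password_state(t, now, new) == "EXPIRED")

def reset_change_stamps(stamps, users, now):
    """Accepting the prompt: move only the stamps, passwords are untouched."""
    return {u: (now if u in users else t) for u, t in stamps.items()}

# Constructed sample data: days since each user last changed their password.
NOW = datetime(2024, 6, 1)
STAMPS = {u: NOW - timedelta(days=d)
          for u, d in {"alice": 30, "bob": 95, "carol": 115, "dave": 130}.items()}

if __name__ == "__main__":
    old, new = AgingPolicy(), AgingPolicy(lockout_days=90)
    hit = newly_expired(STAMPS, NOW, old, new)
    print("expired by the change:", hit)
    fixed = reset_change_stamps(STAMPS, hit, NOW)
    print({u: password_state(t, NOW, new) for u, t in fixed.items()})
```

Resetting the stamps keeps those users signed in but also restarts the clock on passwords that are already old, so the list of affected users is worth reviewing before accepting the prompt.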

Permissions

This section determines what abilities users have regarding passwords.

Allow Users to Change Own Password: When set to Yes, users will be able to change their own passwords. When set to No, users will be prevented from changing their own passwords. Default value is Yes.

Allow Admins to Email New Passwords to Users: When set to Yes, administrators will be provided with an option to email new passwords to users when adding a new user or changing an existing user's password. These notifications go out over insecure plain-text email. When set to No, the option will not be provided. Default value is No.

Allow Users to Request Automatic Password Change: When set to Yes, users will be allowed to request a password change from the signon screen. This allows users to reset their own passwords without having to talk to the site's technical support staff. Default value is No. If set to Yes, individual users may still be denied password change requests by enabling the Prohibit user from requesting automatic password changes setting on the user's profile. See the Password section of the User Profile documentation for more details.

Upon clicking the Request password change link on the signon page, the user will be prompted to enter their username. Once they have done so, an email will be sent to that account's registered email address, if there is one, either with a link to continue the password change request, or a notice that the request was denied. If the link is provided, the user will have a limited amount of time to click the link, which will log them in to the MOVEit DMZ server and force them to change their password.

The length of time a password change request link is active is determined by the Password request codes should expire after setting. Each password change request is issued a unique ID code which identifies it to the server. That ID code is provided in the link sent to the user's email address. If that ID code is not used within the time specified by this setting, it will expire and can no longer be used to reset the user's password.
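The lifecycle of a password change request code, as an added sketch rather than MOVEit DMZ's own code. The class and method names are hypothetical, and three design choices are assumptions not stated on this page: the code is a 256-bit random value, only its SHA-256 digest is stored server-side, and a code can be redeemed once.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

class ResetRequests:
    """In-memory model of pending password change requests (hypothetical)."""

    def __init__(self, ttl):
        self.ttl = ttl        # the "Password request codes should expire after" value
        self._pending = {}    # sha256(code) -> (username, issued_at)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, username, now):
        """Create the unique ID code that goes into the emailed link."""
        code = secrets.token_urlsafe(32)  # CSPRNG output, not guessable
        self._pending[self._digest(code)] = (username, now)
        return code

    def redeem(self, code, now):
        """Return the user to sign in and force a change for, else None."""
        # pop() removes the entry even on failure, so a code never works twice.
        entry = self._pending.pop(self._digest(code), None)
        if entry is None:
            return None       # unknown, already used, or purged
        username, issued_at = entry
        if now - issued_at > self.ttl:
            return None       # link clicked after the configured lifetime
        return username

    def purge_expired(self, now):
        """Housekeeping: drop codes that were never used; returns the count."""
        stale = [d for d, (_, t) in self._pending.items() if now - t > self.ttl]
        for d in stale:
            del self._pending[d]
        return len(stale)

if __name__ == "__main__":
    t0 = datetime(2024, 6, 1, 9, 0)   # constructed timestamps
    reqs = ResetRequests(ttl=timedelta(minutes=30))
    code = reqs.issue("alice", t0)
    print(reqs.redeem(code, t0 + timedelta(minutes=10)))  # within lifetime
    print(reqs.redeem(code, t0 + timedelta(minutes=11)))  # second use
```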