Password

This topic describes options for setting and managing passwords.

To access these settings: select SETTINGS, go to the Security Policies section, Password row, and click a link.

The Password requirements set here are displayed in the web interface where a user or administrator is asked to enter a password. For example, if the user is required to enter a password when sending a package, the password requirements are listed:

Length & Complexity

This section controls the minimum password complexity and length requirements for the MOVEit Transfer system.

Minimum Length: Password of this length and longer are the only passwords allowed. (Passwords can never be blank.) The minimum acceptable value is 4, and the default value is 6.

Complexity Strength: Controls what package of complexity rules are applied to passwords. The default complexity is Minimal.

• None - A "test" level (not available on the settings tab) which puts NO restrictions on the password other than it cannot be blank. ALL other levels respect the minimum length and history requirements. For example:
  • Legal Passwords: a, linda, hello, linda67, lin67, hello67, lda67, LdA67
  • Illegal Passwords: (blank)
• Almost None - The password cannot MATCH the username. Case-insensitive comparisons are conducted when considering password rules even though the passwords themselves are case-sensitive. Minimum length and history requirements are respected. For example:
  • Legal Passwords: hello, linda67, lin67, hello67, lda67, LdA67
  • Illegal Passwords: a, linda
• Weak - The password cannot CONTAIN the username. It cannot be a short version of the username. Minimum length and history requirements are respected. For example:
  • Legal Passwords: hello, lin67, hello67, lda67, LdA67
  • Illegal Passwords: a, linda, linda67
• Minimal - The password cannot RESEMBLE the username, or vice versa. The first three characters of both the username and the password are used to check for abbreviations. Every password must contain at least one letter and one number. Minimum length and history requirements are respected. For example:
  • Legal Passwords: hello67, lda67, LdA67
  • Illegal Passwords: a, linda, hello, linda67, lin67
• Sturdy - The password cannot RESEMBLE the username, or vice versa. Every password must contain at least one letter and one number. Passwords containing "dictionary words" (as defined in the passdict.txt file) are not allowed. Minimum length and history requirements are respected. For example:
  • Legal Passwords: lda67, LdA67
  • Illegal Passwords: a, linda, hello, linda67, lin67, hello67
• Tough - The password cannot RESEMBLE the username, or vice versa. Every password must contain at least one letter and one number, and there must be a mix of upper and lower case letters. Passwords containing "dictionary words" (as defined in the passdict.txt file) are not allowed. Minimum length and history requirements are respected. For example:
  • Legal Passwords: LdA67
  • Illegal Passwords: a, linda, hello, linda67, lin67, hello67, lda67
• Very Tough - The password cannot RESEMBLE the username, or vice versa. Every password must contain at least one letter, one number, and one special character, and there must be a mix of upper and lower case letters. Passwords containing "dictionary words" (as defined in the passdict.txt file) are not allowed. Minimum length and history requirements are respected. For example:
  • Legal Passwords: LdA6$7
  • Illegal Passwords: a, linda, hello, linda67, lin67, hello67, lda67, LdA67

The passdict.txt file contains the full password dictionary. It is located in the d:\moveitdmz or similar folder. (It is not in "Program Files") This file is NOT encrypted and may be modified by any text editor.

Aging & History

This section controls the length of time a password is valid, and how many old passwords to remember.

Password History: Allows Admins the ability to prevent users from reusing passwords. Default value is 0, and the maximum allowed value is 99. Password histories are built as people change their passwords. In other words password histories will not magically appear as soon as an Admin changes his history setting from 0 to 5.

Password Aging: Turns password aging on and off. If enabled, passwords will EXPIRE after the configured number of days. After a password has expired, the user will be locked out until an administrator can re-enable their account. A notification of the password expiration will also be sent to interested administrators and GroupAdmins. Default value is OFF.

Lock out user if password older than: Passwords older than this number of days EXPIRE and will cause their users to be locked out until an administrator can re-enable their account. Default value is 120 days, the minimum allowed value is 1, and the maximum allowed value is 9999.

Warn and force password change in advance: When enabled, MOVEit Transfer will EMAIL password expiration notices to the user in advance of their password becoming expired. An email notification will also be sent to interested administrators and GroupAdmins indicating that the user has been informed of the pending expiration of their password. Also, when a user's password is within the configured number of days, the user will automatically be forced to change their password the next time they signon.

How many days in advance: Controls how many days in advance of the password becoming expired a warning will be sent. Also controls how many days in advance of the password becoming expired MOVEit Transfer will begin forcing the user to change their password the next time they sign on. Default value is 10 days, the minimum allowed value is 0, and the value must be less than or equal to the value for the Lock out if older than setting.

When changes to the password aging options are made, the system will check to see if any current users will have their passwords marked as Expired due to the new settings. If any such users are found, a second page will appear asking the administrator if they wish to reset those users' password change stamps to the current time. Doing so will not change the passwords of the users. Instead, it will merely change the internal timestamp associated with each user's password, preventing the passwords from being considered old. If this prompt is declined, affected users will have their passwords marked as Expired during the next nightly scheduled task run.

Permissions

This section determines what abilities users have regarding passwords.

Allow Users to Change Own Password: When set to Yes, users will be able to change their own passwords. When set to No, users will be prevented from changing their own passwords. Default value is Yes.

Allow Admins to Email New Passwords to Users: When set to Yes, administrators will be provided with an option to email new passwords to users when adding a new user or changing an existing user's password. These notifications go out over insecure plain-text email. When set to No, the option will not be provided. Default value is No.

Allow Users to Request Automatic Password Change: When set to Yes, users will be allowed to request a password change from the signon screen. This allows users to reset their own passwords without having to talk to the site's technical support staff. Default value is No. If set to Yes, individual users may still be denied password change requests by enabling the Prohibit user from requesting automatic password changes setting on the user's profile. See the Password section of the User Profile documentation for more details.

Upon clicking the Request password change link on the signon page, the user will be prompted to enter their username. Once they have done so, an email address will be sent to that account's registered email address, if there is one, either with a link to continue the password change request, or a notice that the request was denied. If the link is provided, the user will have a limited amount of time to click the link, which will log them in to the MOVEit Transfer server and force them to change their password.

The length of time a password change request link is active is determined by the Password request codes should expire after setting. Each password change request is issued a unique ID code which identifies it to the server. That ID code is provided in the link sent to the user's email address. If that ID code is not used within the time specified by this setting, it will expire and will no longer be able to be used to reset the user's password.