At Files.com we take security very seriously. That's why we have provided a set of password configuration options that allow administrators to enforce even the most stringent password security requirements.
An administrator in your Files.com account can set password configuration options grouped together under the Settings > Users > User Settings tab.
The Site API will allow you to show or update your site's password settings.
You can also use the command-line interface (CLI) application to show or update your site settings.
By default, the Password recovery via email setting is enabled, and registered users are allowed to reset their passwords without involving an administrator. When a user chooses to reset their password, they are provided a Forgot your password? link on the Login Page.
After clicking that link, the user will be redirected to the Forgot your password? page where they will be prompted for either their Username or Email address.
After the user enters their information and clicks the Recover Password button, an email will be sent containing a link for resetting their password. Clicking the link in the email takes the user to the Set your new password page.
Take note of three important caveats for using the Password recovery via email feature:
- If a user's email account has been compromised without their knowledge, the attacker could also reset the Files.com user account and gain access to that user's files and folders. You can enable Two-Factor Authentication (2FA) to prevent this.
- When creating user accounts on Files.com, it is possible to create new user accounts without email addresses. Any user account without a valid email address cannot use this feature.
- If an email address is associated with more than one user account, users must know their username in order to use the Password recovery via email feature.
Check Your Spam Folder
Password recovery emails are sent from firstname.lastname@example.org unless you have configured Custom SMTP settings.
If you are concerned about the security implications of this capability, you can disable password recovery and require your users to contact an administrator if they lose their password.
Administrators can define up to six different password requirements to meet or exceed your organization's security requirements for secure passwords:
- The number of new password cycles, that is, how many new passwords a user must generate and use before they are allowed to choose a previously used password. To allow immediate re-use (not recommended by Files.com), set this value to 0.
- The minimum length of a password
- Does the password need any letters, or can it be all numeric and/or special characters?
- Will a password be valid without containing at least one number (0-9) in it?
- Are passwords required to contain at least one non-alphanumeric character, like symbols or punctuation?
- Should passwords require both upper and lowercase letters?
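How the six requirements above combine into one check, as an added example that is not Files.com code. The field names are hypothetical, and storing the password history as salted PBKDF2 hashes is an assumption of this sketch.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    # Hypothetical field names mirroring the six requirements listed above.
    prior_passwords: int = 3        # 0 allows immediate re-use
    min_length: int = 8
    require_letter: bool = True
    require_number: bool = True
    require_special: bool = False
    require_mixed_case: bool = True

def hash_password(password, salt=None):
    """Return (salt, digest) so history entries never hold plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def violations(policy, password, history=()):
    """Return the names of the requirements the candidate password fails."""
    failed = []
    if len(password) < policy.min_length:
        failed.append("min_length")
    if policy.require_letter and not any(c.isalpha() for c in password):
        failed.append("require_letter")
    if policy.require_number and not any(c in string.digits for c in password):
        failed.append("require_number")
    if policy.require_special and all(c.isalnum() for c in password):
        failed.append("require_special")
    if policy.require_mixed_case and not (
        any(c.islower() for c in password) and any(c.isupper() for c in password)
    ):
        failed.append("require_mixed_case")
    # history is ordered oldest to newest; only the last N entries block re-use.
    # The explicit 0 case matters because history[-0:] would be the whole list.
    recent = history[-policy.prior_passwords:] if policy.prior_passwords else ()
    for salt, digest in recent:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            failed.append("prior_passwords")
            break
    return failed
```
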
Files.com offers the ability to validate passwords against a list of common passwords as well as passwords that have been compromised on other sites and published to the dark web. Once enabled, any password that matches this filter cannot be used.
A common security requirement for many organizations is setting the maximum age for passwords. If your organization requires passwords to be changed at fixed intervals, then this option will allow your Files.com users to maintain compliance.
If you require verification that a user has changed their password within a set interval, Site Administrators can navigate to Settings > Users and review the "Authentication Method" column.
Within this column, if a user has not updated their password, an "expired" pill icon will be shown next to the user's authentication method. We also send an email notification to the corresponding users 7 days before their password expires.
Password expiration has been historically used to guard against brute force attacks on user accounts. Since Files.com automatically offers brute force protection (see Settings > Users > User Settings) you may want to reconsider enabling this feature after reading this article from the Federal Trade Commission, Time to rethink mandatory password changes: "Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely."
When a new site is created, password settings are enabled to meet the security requirements of most Files.com customers:
|Setting name||Default value|
Password recovery via email
Requires upper and lowercase letter
Prevent use of breachable passwords