Passwords

There are several options to configure the authentication methods for users in order to match the company policies, please refer to Authentication Methods for these options. One of the authentication method is the use of Passwords. At Files.com we take security very seriously. That's why we have provided a set of password configuration options that allow administrators to enforce even the most stringent password security requirements.

A Site Administrator in your Files.com account can enhance compliance and security by configuring various password settings, including enforcing complexity requirements, setting length and expiration policies, preventing password reuse, enabling multi-factor authentication, establishing account lockout rules, and securing password reset procedures. These measures ensure strong, unique passwords and protect against unauthorized access.

By default, this setting is enabled, and registered users are allowed to reset their passwords without the need to involve an administrator. When a user chooses to reset their password, they are provided a Forgot your password? link on the Login Page.

After clicking that link, the user will be redirected to the Forgot your password? page where they will be prompted for either their Username or Email address.

After the user enters their information and clicks the Recover Password button, an email will be sent containing a link for resetting their password. Clicking the link in the email takes the user to the Set your new password page.

Take note some important caveats for using the Password recovery via email feature.

If a user's email account has been compromised without their knowledge, the attacker could also reset the Files.com user account and gain access to that user's files and folders. You can enable Two-Factor Authentication (2FA) to prevent this.

When creating user accounts on Files.com, it is possible to create new user accounts without email addresses. Any user account without a valid email address cannot use this feature.

If an email address is associated with more than one user account, users must know their username in order to use the Password recovery via email feature.

If you are concerned about the security implications of this capability, you can disable the Password recovery via email feature and require your users to contact an administrator if they lose their password.

Password recovery emails are sent from no-reply@files.com, unless you have configured Custom SMTP settings. If you are unable to locate the email, remember to Check Your Spam Folder.

Administrators can define up to 6 different password requirements to meet or exceed your organization's security requirements for secure passwords:

After modifying the password restrictions, existing users will need to comply with the new rules when resetting their current passwords, while new users must follow these rules when creating their passwords.

Changing your password restrictions will not result in your existing users being forced to change their current passwords.

Files.com offers the ability to validate passwords against a list of common passwords as well as passwords that have been compromised on other sites and published to the dark web. Once enabled, any password that meets this filter cannot be used.

Files.com maintains a database of commonly used passwords. These are passwords that are frequently chosen by users and are therefore more susceptible to being guessed or cracked by attackers. Passwords that match entries in this list are considered breachable.

Files.com monitors the dark web for leaked password databases from breaches of other websites. When a new breach occurs and passwords are leaked, they are often sold or distributed on the dark web. Files.com tests user passwords against these leaked databases to see if there are any matches. If a password matches one from a known breach, it would be flagged as breachable.

A common security requirement for many organizations is setting the maximum age for passwords. Use this option if your organization requires passwords to be changed at fixed intervals to maintain compliance.

After modifying the password expiration interval, the new interval applies to existing and new users based on the updated interval. For example, if an existing user last reset their password 120 days ago and the new expiration interval is set to 90 days, their password will automatically expire, and the user will be forced to reset their password the next time they attempt to log in.

Password expiration has been historically used to guard against brute force attacks on user accounts. Since Files.com automatically offers brute force protection and Unlocking Users, you may want to reconsider enabling this feature after reading this article from the Federal Trade Commission, Time to rethink mandatory password changes: "Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely."

If you require verification that a user has changed their password within a set interval, Site Administrators can navigate to the Users page and review the Authentication Method column.

Within this column, if a user has not updated their password, an expired pill icon will be shown next to the user's authentication method. We also send an email notification to the corresponding users 7 days prior to their password expires.

When a new site is created, password settings are enabled to meet the security requirements of most Files.com customers: