
Passwords

Passwords authenticate users who connect to Files.com using password-based login methods. These methods include standard username/password authentication and password authentication combined with SSH key authentication.

Password policies control the strength and expiration rules applied to plaintext passwords.

Password Policy

Each site defines a password policy that governs how plaintext passwords must be structured. The policy may define requirements such as minimum length, complexity rules, and expiration periods.

Password policies apply only to plaintext passwords: they are enforced whenever a user creates a new password or changes an existing one, and the new password must satisfy the site's policy. Imported password hashes are not checked against the policy (see Importing Passwords From Another System).

Generating Passwords

When you are using the web interface, each password field lets you generate a password automatically and copy it. Generated passwords satisfy all of your site's password settings, including length and complexity.

Password Recovery via Email

By default, this setting is enabled and registered users can reset their own passwords without involving an administrator. While it is enabled, the Login Page shows a Forgot your password? link.

After clicking that link, the user is redirected to the Forgot your password? page, where they are prompted for either their Username or Email address.

After the user enters their information and clicks the Recover Password button, an email is sent containing a link for resetting their password. Clicking the link in the email takes the user to the Set your new password page.

A few caveats apply to this feature.

Anyone who controls a user's email account, including an attacker who has compromised it without the user's knowledge, can use the reset link to take over that user's Files.com account and gain access to their files and folders. Enable Two-Factor Authentication (2FA) so that a reset link alone is not enough to log in.

User accounts can be created on Files.com without email addresses. Any user account without a valid email address cannot use this feature.

If an email address is associated with more than one user account, users must know their username to use the Password recovery via email feature.

If you are concerned about the security implications of this capability, disable the Password recovery via email feature and require your users to contact an administrator if they lose their password.

Password recovery emails are sent from no-reply@files.com, unless you have configured Custom SMTP settings. If you are unable to locate the email, remember to Check Your Spam Folder.

Password Restrictions

Administrators can configure six password requirements to match or exceed your organization's standard for secure passwords:

Requirement: Details
Reusing old passwords: The number of new passwords a user must cycle through before they can choose a previously used password. To allow immediate reuse (not recommended by Files.com), set this value to 0. Allowed values are between 0 and 30.
Minimum length: The minimum length of a password. Allowed values are between 1 and 512.
Letters: Whether the password must contain at least one letter.
Numbers: Whether the password must contain at least one number (0-9).
Symbols: Whether the password must contain at least one non-alphanumeric character, such as a symbol or punctuation.
Letter case: Whether the password must contain both uppercase and lowercase letters.

After modifying the password restrictions, existing users must comply with the new rules when resetting their current passwords, and new users must follow these rules when creating their passwords.

Changing your password restrictions does not force existing users to change their current passwords.

Prevent Use of Breachable Passwords

Files.com validates passwords against a list of common passwords and against passwords that have been compromised on other sites and published to the dark web.

Files.com maintains a database of commonly used passwords. These are passwords frequently chosen by users, and they are more susceptible to being guessed or cracked by attackers. Passwords that match entries in this list are considered breachable.

Files.com monitors the dark web for leaked password databases from breaches of other websites. When a new breach occurs and passwords are leaked, they are often sold or distributed on the dark web. Files.com tests user passwords against these leaked databases. If a password matches one from a known breach, it is flagged as breachable.

Once enabled, this setting prevents existing and new users from setting passwords that match the filter. Existing passwords matching the filter are flagged as breachable but existing users are not forced to change their current passwords.
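The checks described under Password Restrictions and Prevent Use of Breachable Passwords, written out as a single validator. This is an added example, not Files.com's own code: the rule names mirror the six restrictions above, but the field names, the password-history representation and the breach list (a constructed stand-in for the database Files.com maintains) are assumptions of this example.

```python
"""Validator for the six password restrictions plus a breachable-password check.

Added example, not Files.com code. Field names, the history encoding and the
breach list below are assumptions of this example.
"""
from __future__ import annotations
from dataclasses import dataclass
import hashlib


@dataclass
class PasswordPolicy:
    history_depth: int = 10        # "Do not allow the last n passwords to be reused" (0..30)
    min_length: int = 10           # allowed range on the page: 1..512
    require_letter: bool = True
    require_number: bool = True
    require_symbol: bool = True
    require_mixed_case: bool = True
    block_breachable: bool = True


# Constructed stand-in for a common/leaked-password list. Stored as SHA-1 digests
# so the plaintexts never live in the policy engine itself.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password123!", "Welcome2024!", "Summer2023$")
}


def is_breachable(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def password_history_entry(password: str) -> str:
    """How a previous password is recorded in the history list (assumed encoding).
    Unsalted SHA-256 keeps the example short; a production system would keep each
    previous salted hash and verify the candidate against each one."""
    return hashlib.sha256(password.encode()).hexdigest()


def violations(password: str, policy: PasswordPolicy, history: tuple[str, ...] = ()) -> list[str]:
    """Return every rule the candidate fails; an empty list means the password is accepted.
    `history` holds previous passwords, newest first, as password_history_entry() values."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_letter and not any(c.isalpha() for c in password):
        problems.append("no letter")
    if policy.require_number and not any(c.isdigit() for c in password):
        problems.append("no number")
    if policy.require_symbol and not any(not c.isalnum() for c in password):
        problems.append("no symbol")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if policy.require_mixed_case and not (has_upper and has_lower):
        problems.append("not mixed case")
    # history_depth 0 means immediate reuse is allowed, so nothing is blocked.
    recent = history[:policy.history_depth]
    if password_history_entry(password) in recent:
        problems.append(f"reused within last {policy.history_depth} passwords")
    if policy.block_breachable and is_breachable(password):
        problems.append("appears in breach/common-password list")
    return problems
```

Returning the full list of failed rules, rather than stopping at the first one, is what lets a password form show the user everything they need to fix at once; the breach check runs last because it is the only rule that needs a lookup rather than a scan of the string.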

Password Expiration

Many organizations require a maximum age for passwords. Use this option if your organization requires passwords to be changed at fixed intervals to maintain compliance. The password expiration setting does not apply to Shared/Bot users.

After modifying the password expiration interval, the new interval applies to existing and new users. For example, if an existing user last reset their password 120 days ago and the new expiration interval is set to 90 days, their password expires immediately, and the user is forced to reset their password the next time they attempt to log in.

Reconsidering Password Expiration

Password expiration has historically been used to guard against brute force attacks on user accounts. Files.com provides brute force protection and Unlocking Users automatically, so consider whether mandatory expiration is still necessary. The Federal Trade Commission article Time to rethink mandatory password changes summarizes the research: "Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely."

Password Expiration Reminders

The system sends password expiration reminders to the user at 28, 14, 7, and 1 day(s) before expiration.

Per-User Password Expiration Override

Site Administrators can override the site-wide password expiration setting for individual users. For each user, choose from these three options: Use Site Setting, a custom day count, and Never Expires.

Use Site Setting applies the site-wide expiration interval to that user and is the default setting. A custom day count sets a user-specific interval, independent of the site-wide policy. Never Expires prevents that user's password from expiring regardless of the site-wide setting.

Never Expires is designed for service accounts and automation users, whose credentials are typically stored in external systems or scripts where a forced password reset would break the integration.
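Because a new site-wide interval applies to existing users at once, it is worth previewing who would be locked into a reset before changing it. The following is an added example, not Files.com code: it resolves the per-user override (Use Site Setting, a custom day count, Never Expires), exempts Shared/Bot users, and reports the 28/14/7/1-day reminder milestones from the section above. The user records, how the override is represented, and the choice that a password is already expired on the day its interval elapses are assumptions of this example.

```python
"""Preview the effect of a password expiration interval on a set of users.

Added example, not Files.com code. UserRecord, the override encoding and the
sample users are assumptions of this example; the reminder schedule and the
three override options follow the text above.
"""
from __future__ import annotations
from dataclasses import dataclass

REMINDER_DAYS = (28, 14, 7, 1)   # reminder milestones from the page


@dataclass
class UserRecord:
    username: str
    days_since_reset: int
    is_bot: bool = False                   # Shared/Bot users are not subject to expiration
    override: int | str | None = None      # None = Use Site Setting, int = custom day count,
                                           # "never" = Never Expires (encoding assumed here)


def effective_interval(user: UserRecord, site_days: int | None) -> int | None:
    """Interval that applies to this user; None means the password never expires."""
    if user.is_bot:
        return None
    if user.override is None:
        return site_days            # site_days None == site-wide expiration disabled
    if user.override == "never":
        return None
    return user.override


def password_status(user: UserRecord, site_days: int | None) -> tuple[bool, int | None, int | None]:
    """Return (expired, days_left, reminder_due).
    days_left is None when no expiration applies; reminder_due is the milestone
    reached today, if any. days_left <= 0 is treated as expired (assumption)."""
    interval = effective_interval(user, site_days)
    if interval is None:
        return (False, None, None)
    days_left = interval - user.days_since_reset
    if days_left <= 0:
        return (True, days_left, None)
    return (False, days_left, days_left if days_left in REMINDER_DAYS else None)


def forced_resets(users: list[UserRecord], new_site_days: int | None) -> list[str]:
    """Users whose passwords expire immediately once the site interval is changed."""
    return [u.username for u in users if password_status(u, new_site_days)[0]]


# Constructed sample: what an administrator would feed in before lowering the interval to 90 days.
SAMPLE_USERS = [
    UserRecord("alice", 120),                       # site setting, 120 days old -> expires at once
    UserRecord("bob", 62),                          # site setting, reminder day today
    UserRecord("svc-export", 400, override="never"),  # automation account, never expires
    UserRecord("carol", 40, override=30),           # custom 30-day interval, already past it
    UserRecord("shared-bot", 999, is_bot=True),     # Shared/Bot user, exempt
]

if __name__ == "__main__":
    print("would be forced to reset at next login:", forced_resets(SAMPLE_USERS, 90))
```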

Importing Passwords From Another System

When migrating users from another platform, existing password hashes can be imported so that users can continue using their current passwords.

To import password hashes, set the authentication method to password_with_imported_hash and provide the hash value in the password field.

Files.com detects supported hash formats automatically based on the hash prefix.

Imported hashes bypass the password policy validation because the plaintext password is not available during migration.

First Login Behavior

When a user logs in for the first time after a hash import, Files.com verifies the provided password against the imported hash.

After successful authentication, the password is converted to Files.com's internal password storage format (PBKDF2). This conversion occurs automatically and does not require administrator intervention.

Password Changes After Import

When a user changes their password after the initial login, the new password must satisfy the site's password policy.
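The import, first-login and post-import steps above, as one worked example. This is added code, not Files.com's own implementation: the two imported record formats it recognises (a "$pbkdf2-sha256$" record and a legacy unsalted "{SHA1}" record), the internal record layout, the iteration count and the User fields are assumptions of this example; the page only says that supported formats are detected by their prefix, that the imported hash is verified on first login, and that the password is then converted to PBKDF2.

```python
"""Verify an imported hash on first login, then convert it to an internal PBKDF2 record.

Added example, not Files.com code. The record formats, the "imported" flag and
INTERNAL_ITERATIONS are assumptions of this example.
"""
from __future__ import annotations
from dataclasses import dataclass
import hashlib
import hmac
import os

INTERNAL_ITERATIONS = 210_000   # assumed value; use a current recommended figure in practice


@dataclass
class User:
    username: str
    imported: bool            # True while password_record is still the hash imported from the old system
    password_record: str      # the stored hash string, format identified by its prefix


def internal_hash(password: str, salt: bytes | None = None) -> str:
    """Internal record as assumed here: PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, INTERNAL_ITERATIONS)
    return f"$pbkdf2-sha256${INTERNAL_ITERATIONS}${salt.hex()}${dk.hex()}"


def legacy_sha1_record(password: str) -> str:
    """Constructed migration input: an unsalted SHA-1 record as an older system might export it."""
    return "{SHA1}" + hashlib.sha1(password.encode()).hexdigest()


def verify(password: str, record: str) -> bool:
    """Dispatch on the record prefix; an unknown prefix is rejected rather than guessed at."""
    if record.startswith("$pbkdf2-sha256$"):
        _, _, iters, salt_hex, dk_hex = record.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    if record.startswith("{SHA1}"):
        digest = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(digest, record[len("{SHA1}"):])
    raise ValueError(f"unsupported hash format: {record[:8]!r}")


def login(user: User, password: str) -> bool:
    """First-login behaviour: a correct password against an imported hash triggers
    conversion to the internal format. No policy check happens here; the site's
    password policy applies the next time the user changes their password."""
    if not verify(password, user.password_record):
        return False
    if user.imported:
        user.password_record = internal_hash(password)
        user.imported = False
    return True
```

The conversion happens only after a successful verification because that is the one moment the plaintext is available; a failed attempt leaves the imported record untouched, so a wrong guess cannot downgrade or replace it.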

Authentication Methods That Use Passwords

The following authentication methods rely on password credentials:

Method: Description
password: Standard password authentication.
password_and_ssh_key: Authentication requires both a password and an SSH key.
password_with_imported_hash: The password value provided during user creation is an imported hash rather than plaintext.

Default Settings for Passwords

When a new site is created, the following password settings are applied. They meet the security requirements of most Files.com customers:

Setting Name: Default Value
Password recovery via email: Enabled
Password restrictions:
  Do not allow the last n passwords to be reused: 10
  Minimum length: 10
  Requires letter: Yes
  Requires number: Yes
  Requires symbol: Yes
  Requires upper and lowercase letter: Yes
Prevent use of breachable passwords: Enabled
Password expiration: Disabled
Brute force protection: Use default Files.com protection