GlobalSCAPE Knowledge Base

When using Tunnelier SFTP client, EFT allows user to change password to initial password even though EFT settings prohibit doing so

Karla Marsh
EFT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server, version 6.x

SYMPTOM

When using the Tunnelier SFTP client, EFT allows the user to change the password to the initial password even though EFT settings prohibit doing so (that is, the Allow users to reset their passwords, Force user to change their first-time password immediately upon first use, and Prohibit reuse of previous check boxes are all selected).

RESOLUTION

Use CuteFTP®.

MORE INFORMATION

This is not a defect in EFT; it occurs because of the way that Tunnelier handles password changes. Specifically, after EFT requests a password change, Tunnelier (v4.60) responds by first sending EFT a new blank password, regardless of the password entered by the user. Tunnelier then sends the initial password provided by the user. From the user’s perspective, it appears as if EFT has allowed the user to bypass the "Prevent use of previous" setting. In actuality, the password was first changed to the blank password and then changed back to the initial password, so the "Prevent use of previous" setting does not apply to the second change.

Our testing with other SFTP clients such as CuteFTP 9 and WinSCP 5.15 was unable to reproduce the issue, which seems to indicate that this behavior is unique to Tunnelier.

For details of EFT's password complexity settings, refer to the help documentation.
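The two-step sequence described above can be replayed against a small model of a password-reuse check. This is an added example, not EFT or Tunnelier code: the `PasswordPolicy` class, its `history_depth` and `min_length` parameters, and the sample password are assumptions made for illustration, and the weak configuration assumes the reuse check compares only against the current password.

```python
import hashlib
import hmac
import os
from collections import deque


class PasswordPolicy:
    """Hypothetical model of a 'prohibit reuse of previous passwords' check."""

    def __init__(self, initial, history_depth=1, min_length=0):
        self.min_length = min_length
        self._salt = os.urandom(16)
        # Newest entry last; the deque silently drops entries beyond history_depth.
        self._history = deque([self._digest(initial)], maxlen=history_depth)

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)

    def change(self, new_password):
        """Return True if the change is accepted, False if the policy rejects it."""
        if len(new_password) < self.min_length:
            return False  # a blank password fails here when min_length > 0
        candidate = self._digest(new_password)
        if any(hmac.compare_digest(candidate, old) for old in self._history):
            return False  # matches a remembered password
        self._history.append(candidate)
        return True


def replay_two_step_change(policy, initial):
    """Replay the sequence from the article: blank first, then the initial password."""
    return [policy.change(""), policy.change(initial)]


INITIAL = "Initial#Pass1"  # constructed sample value

if __name__ == "__main__":
    # Remembers only the current password and accepts blank passwords.
    weak = PasswordPolicy(INITIAL, history_depth=1, min_length=0)
    print("direct reuse accepted:", PasswordPolicy(INITIAL).change(INITIAL))
    print("two-step sequence    :", replay_two_step_change(weak, INITIAL))

    # Remembers several passwords and rejects blank ones.
    hardened = PasswordPolicy(INITIAL, history_depth=5, min_length=8)
    print("hardened policy      :", replay_two_step_change(hardened, INITIAL))
```

In this model, either a minimum length that rejects the blank password or a history deeper than one entry is enough to stop the initial password from being accepted again.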

Details
Last Modified: Last Year
Last Modified By: kmarsh
Type: INFO