A recent report revealed that e-commerce provider Shopify uses particularly weak password policies on the customer-facing part of its website. According to the report, Shopify requires its customers to use a password that is at least five characters long and does not start or end with a space.
According to the report, Specops researchers analyzed a list of one billion passwords known to have been compromised and found that 99.7% of those passwords met Shopify’s requirements. While this does not mean that Shopify customer passwords have been hacked, the fact that so many known compromised passwords satisfy Shopify’s minimum password requirements underscores the dangers associated with the use of weak passwords.
The danger of weak passwords in your Active Directory
A recent study by Hive Systems echoes the dangers of using weak passwords. The study examines how long it would take to brute force passwords of different lengths and with different levels of complexity. According to Hive Systems’ infographic, a five-character password can be cracked instantly, no matter how complex. Given the ease with which shorter passwords can be cracked by brute force, organizations should ideally require complex passwords of at least 12 characters.
Even if you were to put aside the security implications associated with using a five-character password, there is a potentially bigger issue: regulatory compliance.
It’s tempting to think that regulatory compliance is the kind of thing only big companies need to worry about. As such, many small independent sellers who open Shopify accounts may be blissfully unaware of the regulatory requirements associated with it. However, the payment card industry requires any business that accepts credit card payments to meet official PCI security standards.
Avoiding PCI Requirements with a Third-Party Payment System
One of the benefits of using Shopify or a similar e-commerce platform is that retailers don’t have to operate their own payment card gateways. Instead, Shopify handles transaction processing on behalf of its clients. Outsourcing the payment process in this way shields e-commerce business owners from many of the PCI requirements.
For example, PCI standards require merchants to protect stored cardholder data. However, when an e-commerce business outsources its payment processing, it will usually not have possession of the customer’s credit card data. As such, the business owner can effectively avoid having to protect cardholder data if they never have that data in the first place.
However, one PCI requirement that might be more problematic is the requirement to identify and authenticate access to system components (Requirement 8). Although PCI security standards do not specify a required password length, the PCI DSS Quick Reference Guide states on page 19 that “Each user should have a strong password for authentication.” Given this statement, it would be difficult for an e-commerce retailer to justify using a five-character password.
Start building IT security internally
This, of course, raises the question of what e-commerce businesses can do to improve their overall password security. Perhaps the most critical recommendation is to recognize that the minimum password requirements of an e-commerce portal may be inadequate. From a security and compliance perspective, it’s generally a good idea to use a longer and more complex password than the minimum required.
Another thing e-commerce retailers should do is seriously consider what can be done to improve password security on their own networks. This is especially true if customer data is stored or processed on your network. According to a 2019 study, 60% of small businesses close within 6 months of being hacked. As such, it’s extremely important to do what you can to prevent a security incident and a big part of that involves making sure your passwords are secure.
The Windows operating system contains account policy settings that can control password length and complexity requirements. While these controls are undeniably important, Specops Password Policy can help organizations create even stronger password policies than is possible using only the native tools built into Windows.
One of the most compelling features offered by Specops Password Policy is its ability to compare the passwords used within an organization against a database of billions of passwords known to have been compromised. If a user is found to be using a compromised password, that password can be changed before it becomes a problem.
Specops Password Policy also allows organizations to create a list of prohibited words or phrases that must not appear in passwords. For example, an administrator can create a policy that prevents users from including the company name in their password.
Additionally, organizations can use Specops Password Policy to block techniques that users commonly use to circumvent password complexity requirements. This can include using consecutive repeated characters (such as 99999) or replacing letters with similar symbols (such as $ instead of s).
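To make the two points above concrete (how a minimal rule like the one described in the report lets almost every compromised password through, and how a banned-word list with repeat-character and symbol-substitution checks tightens that), here is an added example that is not part of the original article or of Specops’ product. The password sample, the banned-word list and the substitution table are constructed for illustration.

```python
import re
from typing import Callable, Iterable

# Constructed sample standing in for a breached-password list (not real breach data).
COMPROMISED_SAMPLE = [
    "123456", "password", "qwerty", "abc123", "iloveyou", "99999",
    "p@$$w0rd", "letmein", "admin", "Welcome1!", " space", "Tr0ub4dor&3",
    "dragon", "acmecorp2023", "P@$$w0rd2023!", "qwertyuiop111",
    "correcthorsebatterystaple",
]

# Hypothetical banned list: a company name plus a few common base words.
BANNED_WORDS = ("acmecorp", "password", "welcome")

# Common symbol-for-letter substitutions, undone before the banned-word check.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def minimal_policy(pw: str) -> bool:
    """Rule as described in the report: at least five characters,
    not starting or ending with a space."""
    return len(pw) >= 5 and not pw.startswith(" ") and not pw.endswith(" ")


def violations(pw: str, min_len: int = 12) -> list[str]:
    """Return every reason a stronger policy would reject pw (empty == accepted)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if re.search(r"(.)\1\1", pw):            # e.g. 99999 or qwertyuiop111
        reasons.append("three or more consecutive repeated characters")
    normalized = pw.lower().translate(LEET)  # P@$$w0rd -> password
    for word in BANNED_WORDS:
        if word in normalized:
            reasons.append(f"contains banned word '{word}'")
    return reasons


def stronger_policy(pw: str) -> bool:
    return not violations(pw)


def accepted_fraction(policy: Callable[[str], bool],
                      passwords: Iterable[str] = COMPROMISED_SAMPLE) -> float:
    """Share of the compromised sample that a policy would still accept."""
    passwords = list(passwords)
    return sum(1 for pw in passwords if policy(pw)) / len(passwords)


if __name__ == "__main__":
    for name, policy in (("minimal", minimal_policy), ("stronger", stronger_policy)):
        print(f"{name:9s} accepts {accepted_fraction(policy):.1%} of the sample")
```

On this constructed sample the minimal rule accepts 16 of 17 compromised passwords (only the one with a leading space is rejected), while the stronger rule accepts just one.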
Ultimately, Specops Password Policy can help your organization create a much more secure password policy, making it harder for cybercriminals to gain access to your user accounts. You can test Specops Password Policy in your Active Directory for free, at any time.