A recent report revealed that ecommerce provider, Shopify uses particularly weak password policies on the customer-facing portion of its Website. According to the report, Shopify’s requires its customers to use a password that is at least five characters in length and that does not begin or end with a space.
According to the report, Specops researchers analyzed a list of a billion passwords that were known to have been breached and found that 99.7% of those passwords adhere to Shopify’s requirements. While this is not meant to suggest that Shopify customers’ passwords have been breached, the fact that so many known breached passwords adhere to Shopify’s minimum password requirements does underscore the dangers associated with using weak passwords.
The danger of weak passwords in your Active Directory
A recent study by Hive Systems echoes the dangers of using weak passwords. The study examines the amount of time that would be required to brute force crack passwords of various lengths and with varying levels of complexity. According to Hive Systems’ infographic, a five-character password can be cracked instantaneously, regardless of complexity. Given the ease with which shorter passwords can be cracked using brute force, organizations should ideally require complex passwords that are at least 12 characters in length.
Even if you were to put aside the security implications associated with using a five-character password, there is a potentially bigger problem – regulatory compliance.
It’s tempting to think of regulatory compliance as the sort of thing that only large companies have to worry about. As such, many small, independent sellers who open Shopify accounts may be blissfully unaware of the regulatory requirements associated with doing so. However, the payment card industry requires any business that accepts credit card payments to adhere to the Official PCI Security Standards.
Avoiding the PCI requirements with a 3rd party payment system
One of the nice things about using Shopify or a similar ecommerce platform is that retailers do not have to operate their own payment card gateways. Instead, Shopify handles the processing of transactions on their customer’s behalf. This outsourcing of the payment process shields ecommerce business owners from many of the PCI requirements.
For example, PCI standards require merchants to protect stored card holder data. However, when an ecommerce business outsources its payment processing, it will not typically be in possession of customer’s credit card data. As such, the business owner can effectively avoid the requirement to protect cardholder data if they are never in possession of that data in the first place.
One PCI requirement that might be more problematic however, is the requirement to identify and authenticate access to system components (Requirement 8). Although the PCI security standards do not specify a required password length, the PCI DSS Quick Reference Guide states on page 19 that “Every user should have a strong password for authentication.” Given this statement, it would be difficult for an ecommerce retailer to justify using a five-character password.
Start beefing up IT security internally
This, of course, raises the question of what ecommerce companies can be doing to improve their overall password security. Perhaps the most critical recommendation would be to recognize that the minimum password requirements associated with an ecommerce portal might be inadequate. From a security and compliance standpoint, it is usually advisable to use a password that is longer and more complex than what is minimally required.
Another thing that ecommerce retailers should do is to take a serious look at what can be done to improve password security on their own networks. This is especially true if any customer data is stored or processed on your network. According to a 2019 study, 60% of small companies close within 6 months of being hacked. As such, it is extremely important to do what you can to prevent a security incident and a big part of that involves making sure that your passwords are secure.
The Windows operating system contains account policy settings that can control password length and complexity requirements. While such controls are undeniably important, Specops Password Policy can help organizations to build even stronger password policies than what is possible using only the native tools that are built into Windows.
One of the most compelling capabilities offered by Specops Password Policy is its ability to compare the passwords used within an organization against a database of billions of passwords that are known to have been compromised. That way, if a user is found to be using a compromised password, the password can be changed before it becomes a problem.
Specops Password Policy also allows organizations to create a list of banned words or phrases that should not be included in passwords. For example, an administrator might create a policy to prevent users from using your company name as a part of their password.
Additionally, organizations can use Specops Password Policy to block techniques that users commonly use to skirt password complexity requirements. This might include using consecutive repeating characters (such as 99999) or replacing letters with similarly looking symbols (such as $ instead of s).
The bottom line is that Specops Password Policy can help your organization to create a password policy that is vastly more secure, thereby making it more difficult for cybercriminals to gain access to your user accounts. You can test out Specops Password Policy in your Active Directory for free, anytime.