
Magento Password Refresher


The holidays are over, sales are winding down, and everyone is looking forward to the new year. With all of that going on, password security may be the very last thing on your mind. However, with the DDoS attack earlier this year, the increasing proliferation of the Internet of Things, and talk of New Year’s resolutions, I thought it was actually a great time to talk about best practices for Magento password safety.

Here are our top 10 tips for password security:

  • Don’t use your Magento password for anything else. Do not use your Magento password with any other web services (such as email) or any other sites (such as Twitter, Facebook, Flickr, etc.). In the event that a third-party website is hacked, your password becomes vulnerable.
  • Bigger is better. Use at least 10 characters.
  • Passwords must contain at least two alphabetical characters.
  • Mix upper and lower case, punctuation, and numbers. A good rule of thumb is to have at least 2 alphabetical characters, 2 numerical characters and 2 special characters (such as & ^ % * $).
  • Passwords should not contain any words in the dictionary or any commonly used IT login names (e.g., admin, administrator).
  • Make sure passwords do not include any personal information (such as names or birth dates).
  • Do not store passwords anywhere on your computer or in the cloud.
  • Always change passwords immediately after outside developers, writers and designers have completed their work.
  • Change all passwords periodically (at least quarterly).
  • There are password generators and password manager tools available if you need help creating and keeping track of your strong passwords.
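As an added example (not code from this post or from Magento), here is a small Python checker that applies the measurable rules from the tips above: the length, character-class, mixed-case, login-name, dictionary-word and personal-information checks. The login-name and dictionary lists are constructed placeholders, and the personal_info parameter is an assumption about how the caller supplies names and birth dates.

```python
import string

# Constructed placeholder lists for this example only. A real deployment would
# use a full dictionary and the account holder's actual profile data.
COMMON_LOGIN_NAMES = ("admin", "administrator")
DICTIONARY_WORDS = ("password", "welcome", "summer", "store", "checkout")


def password_policy_violations(password, personal_info=()):
    """Return a list of the tips that the given password violates.

    personal_info: assumed caller-supplied strings (names, birth dates, ...)
    that must not appear in the password, matched case-insensitively.
    """
    violations = []
    lower = password.lower()
    if len(password) < 10:
        violations.append("shorter than 10 characters")
    if sum(c.isalpha() for c in password) < 2:
        violations.append("fewer than 2 alphabetical characters")
    if sum(c.isdigit() for c in password) < 2:
        violations.append("fewer than 2 numerical characters")
    # string.punctuation covers the special characters the post lists (& ^ % * $).
    if sum(c in string.punctuation for c in password) < 2:
        violations.append("fewer than 2 special characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("does not mix upper and lower case")
    for name in COMMON_LOGIN_NAMES:
        if name in lower:
            violations.append(f"contains common login name '{name}'")
    for word in DICTIONARY_WORDS:
        if word in lower:
            violations.append(f"contains dictionary word '{word}'")
    for item in personal_info:
        if item and item.lower() in lower:
            violations.append(f"contains personal information '{item}'")
    return violations


def is_acceptable(password, personal_info=()):
    """True when the password passes every check above."""
    return not password_policy_violations(password, personal_info)
```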


In addition to these tips, there are a few other best practices for password security. First, limit access to required users only. Magento lets you customize how much access each user has by selecting Permissions, then Roles. This area can also be modified in the back end to add more types of role restrictions. Next, whenever possible, use two-factor authentication. This can include entering your password plus an email address, phone number, user name, or some other type of identifier. A strong form of two-factor authentication sends a code via text or email that must be entered in addition to the password.

These password tips won’t do much good if the rest of your system is not secure. Make sure that your actual computer login password is strong as well, that all your antivirus software is up to date, and that there are no issues on your server. Also, make sure that your checkout options are secure. Check out these payment extensions for enhanced checkout and payment security on your store. Finally, do everything you can to maximize PCI compliance. You can complete a self-administered questionnaire on the official PCI site to determine your current state of compliance.

For more security tips, check out this Magento Tech Resource and our code audit service.
