A recent report found that e-commerce provider Shopify uses particularly lax password policies on the customer-facing portion of its website. According to the report, Shopify requires its customers to use a password that is at least five characters in length and does not begin or end with a space.
According to the report, Specops researchers analyzed a list of one billion passwords known to have been breached and found that 99.7% of those passwords adhere to Shopify’s requirements. While this is not meant to suggest that Shopify customers’ passwords have been compromised, the fact that so many known breached passwords adhere to Shopify’s minimum password requirements highlights the risks associated with using weak passwords.
The Risk of Weak Passwords in Active Directory
A recent study by Hive Systems echoes the dangers of using weak passwords. The study examines the amount of time it would take to brute force passwords of different lengths and levels of complexity. According to Hive Systems’ infographic, a five-character password can be cracked instantly, regardless of complexity. Given the ease with which shorter passwords can be cracked using brute force, organizations should ideally require complex passwords that are at least 12 characters long.
Even if you were to set aside the security implications associated with using a five-character password, there is a potentially bigger problem – regulatory compliance.
It’s tempting to think of regulatory compliance as the sort of thing that only large companies should worry about. As such, many small, independent sellers who open Shopify accounts may be very unaware of the regulatory requirements associated with this. However, the payment card industry requires any business that accepts credit card payments to adhere to the Official PCI Security Standards.
Avoiding PCI requirements with a third-party payment system
One of the nice things about using Shopify or a similar e-commerce platform is that retailers don’t have to use their own payment card gateways. Instead, Shopify handles transaction processing on behalf of their customer. This payment process outsourcing protects e-commerce business owners from many of the PCI requirements.
For example, PCI standards require merchants to protect stored cardholder data. However, when an e-commerce business outsources its payment processing, it usually won’t own the customer’s credit card details. As such, the business owner can effectively avoid the requirement to protect cardholder data if they never possess that data in the first place.
However, a PCI requirement that may be more problematic is the requirement to identify and authenticate access to system components (Requirement 8). Although PCI security standards do not specify a required password length, the PCI DSS Quick Reference Guide states on page 19 that “Each user must have a strong password for authentication.” Given this statement, it would be difficult for an e-commerce seller to justify using a five-character password.
Start strengthening IT security from within
This, of course, begs the question of what e-commerce companies can do to improve their overall password security. Perhaps the most critical recommendation would be to recognize that the minimum password requirements associated with an e-commerce portal may be insufficient. From a security and compliance perspective, it is usually advisable to use a password that is longer and more complex than the minimum required.
Another thing e-commerce sellers should do is take a serious look at what can be done to improve password security on their networks. This is especially true if any customer data is stored or processed on your network. According to a 2019 study, 60% of small companies shut down within 6 months of being hacked. As such, it’s extremely important to do what you can to prevent a security incident, and a big part of that includes making sure your passwords are secure.
The Windows operating system contains account policy settings that can control password length and complexity requirements. While such controls are undoubtedly important, Specops Password Policy can help organizations build even stronger password policies than is possible using only the native tools that are built into Windows.
One of the most compelling capabilities offered by Specops Password Policy is its ability to compare passwords used within an organization against a database of billions of passwords known to have been compromised. That way, if a user is found to be using a compromised password, the password can be changed before it becomes a problem.
The Specops Password Policy also allows organizations to create a list of prohibited words or phrases that should not be included in passwords. For example, an administrator can create a policy to prevent users from using your company name as part of their password.
Additionally, organizations can use Specops Password Policy to block techniques that users commonly use to avoid password complexity requirements. This may include using consecutive repeating characters (such as 99999) or replacing letters with similar-looking symbols (such as $ instead of s).
The bottom line is that Specops Password Policy can help your organization create a password policy that is much more secure, thereby making it more difficult for cybercriminals to gain access to your user accounts. You can test the Specops Password Policy in Active Directory for free, at any time.
