Best Practice for Password Safety in eCommerce: Part 1

As an eCommerce merchant, you need to treat online security as paramount, for yourself and for your online business. Just last week, Threatpost shared a story about CopperStealer malware that specifically targets Facebook and Instagram business accounts with the intent of stealing passwords and cookies. Earlier last month, we received word of the largest recorded data breach of all time, in which “3.2 billion unique pairs of cleartext emails and passwords” were exposed. While passwords may seem insignificant in the vast landscape of online security, they are a very common stumbling block for eCommerce stores. This is where “password hygiene” comes into play, a term that simply means “the principles used to create an online password that cannot be easily guessed.”

A commonly overlooked aspect of password hygiene is the link between personal and business password hygiene for the eCommerce merchant. As a business owner, it is critical to understand that keeping your business and customers safe means implementing password best practice both for your business and for your personal dealings online. Taken together, your online actions may pose a threat to your personal online safety and to the security of your eCommerce solution.

Read on to discover proper password hygiene when it comes to yourself, your employees, and your online business.

Avoid storing passwords in your browser

Certain types of malware or malicious browser extensions may exploit a vulnerability in your browser and thereby access the data you have stored in it. Even if a stored password is not immediately exploitable, remember that you are visiting all manner of websites with the very browser in which your sensitive passwords are kept.

Instead, use a password manager

Make use of a password manager such as Dashlane or LastPass. A password manager requires you to remember just one master password to access your password manager account; the rest of your randomized, complex passwords are all stored within it. Once you install the password manager browser extension, it automatically logs you in to websites and autofills information on your behalf (thus saving you time). It doesn’t have to be complicated; in fact, it’s easier than remembering a few simple passwords for different websites. You reap the benefits of a secure, unique password for each site, which you can change on a regular basis if needed or whenever it is compromised. Remember to link an email account for a recovery key, should you lose your master password. The login details for this recovery email account should obviously not be stored in your password manager.

Ensure that you use the software’s timeout feature to lock access to your passwords automatically after an idle period of 20 minutes. Also, configure your device(s) to auto-lock after you step away (do not leave your device(s) unattended).

Generate your master password

Diceware is a free tool for generating high-entropy passwords. Remember that your master password must be random; it should not contain details relevant to you.
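As an added illustration (not part of the original article, and not the Diceware project’s own code), here is how the Diceware method turns dice rolls into a passphrase and how its entropy is calculated. To stay self-contained it uses a constructed 36-word list indexed by two dice; a real Diceware list has 7776 (6^5) words indexed by five dice. The rolls come from Python’s secrets module in place of physical dice.

```python
import math
import secrets

# Constructed 36-word sample list (6**2 entries, one per two-dice roll). A real
# Diceware list has 7776 (6**5) entries selected by five dice; this stand-in keeps
# the example self-contained and is NOT the official list.
SAMPLE_WORDLIST = [
    "acorn", "badge", "cabin", "delta", "ember", "fable",
    "gavel", "hatch", "igloo", "jolly", "kayak", "lemon",
    "mango", "noble", "otter", "pearl", "quilt", "raven",
    "saddle", "tulip", "umber", "vivid", "wagon", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "dune",
    "eagle", "flint", "grove", "heron", "ivory", "jade",
]


def roll_dice(n_dice: int) -> str:
    """Roll n six-sided dice using the OS CSPRNG; returns digits such as '35'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def dice_index(rolls: str) -> int:
    """Map a roll string of digits 1-6 to a 0-based list index (a base-6 number)."""
    index = 0
    for digit in rolls:
        if digit not in "123456":
            raise ValueError(f"not a dice face: {digit!r}")
        index = index * 6 + (int(digit) - 1)
    return index


def generate_passphrase(wordlist: list[str], n_words: int) -> str:
    """Pick n_words words by independent dice rolls and join them with spaces."""
    dice_per_word = round(math.log(len(wordlist), 6))
    if 6 ** dice_per_word != len(wordlist):
        raise ValueError("word list size must be a power of 6")
    words = [wordlist[dice_index(roll_dice(dice_per_word))] for _ in range(n_words)]
    return " ".join(words)


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words words each drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDLIST, 5)
    print(phrase)
    print(f"sample list, 5 words: {entropy_bits(len(SAMPLE_WORDLIST), 5):.1f} bits")
    print(f"real Diceware list, 6 words: {entropy_bits(7776, 6):.1f} bits")
```

The entropy comes only from the number of words and the list size, never from which words happen to be picked, which is why a passphrase chosen by rolling dice is strong even though every word in it is an ordinary dictionary word.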

Physical protection of your master password

Here are some helpful hints to keep the master password you use for your password manager safe:

  • Do not write passwords down in a way that they can be easily scanned, seen, photographed or copied

  • Do not send a password through email

  • Do not use the same channel to send a username and a password (for example, send the username by email and the password by chat or text message)

  • Do not include a password in an unencrypted stored document

  • Do not tell anyone your password

  • Do not reveal your password over the telephone

  • Do not hint at the format of your password

  • Do not reveal or hint at your password in any form online

  • Be careful about letting someone see you type your password

Disconnect yourself from knowing your passwords

This might sound counterintuitive at first: isn’t the everlasting objective in life to remember all of our various passwords? The reason NOT to “know” your passwords is that you then cannot mistakenly expose a password to a social engineer. This pertains to your master password and to any other password not linked to your password manager account.

For example, let’s say your password is your dog’s name and birthday: Lassie050619. If you have ever mentioned your dog’s name and birthday to someone, they now have a good chance of guessing your password (if that is their objective). By not knowing your own password, there is no chance of you ever accidentally revealing it to a third party.

Another reason to use a randomized, cryptic password is that you cannot know the level of security within the website you are visiting. They may be storing their users’ passwords properly hashed, or they may not. If the website you are visiting is compromised, your login credentials for that site may very well be exposed.

Do not re-use the same passwords

Let’s say you use a very complex and safe password: it is long and contains random words, spaces and special characters. However, if you use this password on several different websites, including for your bank login and for the admin login of your eCommerce site, all it takes is for one of those websites to be compromised for a hacker to gain entry to every site where those login details were used. If instead you use a unique password for each website, generated by your password manager, that one leaked password will not help the hacker one bit: simply generate a new password for the affected website, and you’re golden.

Never share login details

Keep login details private, and ensure your employees each have individual login details. This lessens the likelihood of a password leak, and if one does happen, you will know whose login details were compromised.

In the case of shared passwords, such as a guest Wi-Fi password, it is advisable to assign a custodian to the account. Shared passwords should be changed at least every other month, without reusing any of the last 3 passwords and without deriving the new password from the previous one. Do not write the guest Wi-Fi password on a whiteboard or on the wall, where a passerby on the street can see it or someone’s webcam can easily pick it up.

Password requirements for your customers

Have your customers create complex passwords by enforcing restrictions such as:

  • Minimum Length - 8 characters recommended

  • Usage of both uppercase and lowercase letters

  • Inclusion of one or more numerical digits

  • Inclusion of special characters, such as @, #, $

  • Prohibition of known dictionary words (for example, Test123 is easily guessed, whereas “floor nightshade tomato freebase” is not a password anyone can brute force)

  • Prohibition of words found in the user’s personal information

  • Prohibition of the use of a company name or an abbreviation

  • Prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers
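To make the list above concrete, here is an added example (not from the article, and not any platform’s built-in validator) of a password-policy checker that enforces each listed restriction and reports which ones a candidate password violates. The dictionary and company-name lists are small constructed stand-ins; the dictionary rule is interpreted as rejecting a password whose letters form a single known word (so Test123 fails while a multi-word passphrase does not), personal information is supplied by the caller from the customer’s profile, and the date, telephone and licence-plate formats are simple regular expressions of this example’s own design.

```python
import re
from typing import Iterable

MIN_LENGTH = 8

# Constructed stand-ins: a real deployment would load a full dictionary plus a
# breached-password list, and its own company names and abbreviations.
DICTIONARY_WORDS = {"test", "password", "welcome", "summer", "letmein", "qwerty", "admin"}
COMPANY_TERMS = ("acme", "acmeshop")  # hypothetical store name and abbreviation

# Formats of "common numbers": calendar dates, telephone numbers, plate-like strings.
COMMON_NUMBER_PATTERNS = [
    re.compile(r"(?<!\d)\d{2}[/.-]\d{2}[/.-]\d{2,4}(?!\d)"),  # 05/06/19, 05-06-2019
    re.compile(r"(?<!\d)(\d{6}|\d{8})(?!\d)"),                 # 050619, 05062019
    re.compile(r"(?<!\d)\d{3}[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),    # 555-123-4567
    re.compile(r"\b[A-Z]{2,3}[- ]?\d{3,4}\b"),                  # ABC-1234 plate style
]


def check_password(password: str, personal_info: Iterable[str] = ()) -> list[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not any(c.islower() for c in password):
        problems.append("lowercase")
    if not any(c.isupper() for c in password):
        problems.append("uppercase")
    if not any(c.isdigit() for c in password):
        problems.append("digit")
    if not any(not c.isalnum() for c in password):
        problems.append("special")

    # Dictionary rule: the letters alone form one known word (Test123 -> "test").
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only in DICTIONARY_WORDS:
        problems.append("dictionary")

    # Personal information (names, pet names, birth dates) taken from the profile.
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        problems.append("personal")

    if any(term in lowered for term in COMPANY_TERMS):
        problems.append("company")

    if any(p.search(password) for p in COMMON_NUMBER_PATTERNS):
        problems.append("common_number")

    return problems


def is_acceptable(password: str, personal_info: Iterable[str] = ()) -> bool:
    return not check_password(password, personal_info)


if __name__ == "__main__":
    for candidate in ("Test123", "Lassie050619", "AcmeShop2024!", "Tr!umph-88-velvet_Kite"):
        print(candidate, "->", check_password(candidate, personal_info=("Lassie",)))
```

Returning the full list of failed rules, rather than a bare yes/no, lets the signup form tell the customer exactly what to fix; the same function can be run against an admin’s chosen password before it is accepted for the store’s back end.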

Do not provide “password hints” to customers who have lost access to their passwords; this is an obvious security risk.

Keep in mind - security is a (worthwhile) inconvenience

It’s no secret that the kinds of measures we discuss in this article add extra steps to your online routine. It may take longer, but the benefits far outweigh the inconveniences; you’re keeping yourself, your customers, and your system as secure as possible.

Now that you’ve eliminated the obvious vulnerability in your system, see what other security measures you can integrate to ensure a good security posture for your eCommerce solution. Read about our services here.

Stay tuned for Part 2 of our Password Hygiene series!