![\"Customer](\"https:\/\/ccbill.com\/kb\/wp-content\/uploads\/2020\/12\/best-password-policies-for-ecommerce-websites.png\")
<\/figure>\n\n\n\nWhy do Ecommerce Websites Need a Password Policy?<\/h2>\n\n\n\n
Humans cannot memorize long and complex character strings. Common and short passwords are easy to guess by using brute force attacks<\/a> and dictionary-based algorithms.<\/p>\n\n\n\n Despite well-documented flaws, the authentication process on most websites<\/a> is heavily reliant on customer passwords due to several factors:<\/p>\n\n\n\n Ecommerce companies<\/a> need to establish policies that prevent unsafe passwords and motivate their customers to create strong credentials. Comprehensive password policy best practices include:<\/p>\n\n\n\n Applying these requirements increases password strength and has minimal impact on customer satisfaction.<\/p>\n\n\n\n Imposing complex passwords for services that do not contain personally identifiable information can be a source of frustration for customers.<\/p>\n\n\n\n Before introducing the suggested policies, determine the level of threat for your business model<\/a> and the type of service you provide. For example, customers are willing to put in additional effort to create strong passwords for essential services and websites that hold sensitive personal information.<\/p>\n\n\n\n Longer passwords are harder to guess. Require your customers to use a minimum of 8 characters<\/strong> when choosing their passwords.<\/p>\n\n\n\n Advise customers to create long passwords and even use whole passphrases if possible. Allow for the use of special characters and spaces.<\/p>\n\n\n\n Particularly long passwords (measured in MB) can affect the performance of underlying systems and strain the password hashing process. You should implement a reasonable restriction for password length. <\/p>\n\n\n\n A maximum length of 64 characters <\/strong>enables customers to create exceptionally strong passwords.<\/p>\n\n\n\n Counter brute-force attacks by locking out accounts after several unsuccessful login attempts. The limitation should permit legitimate users to make mistakes but not allow too many attempts that can result in an attacker guessing the password. The allowed number of failed attempts should not exceed 10 failed logins<\/strong>.<\/p>\n\n\n\n The number of failed attempts can be lower if you apply additional verification systems such as:<\/p>\n\n\n\n Ensure that your system disregards previous failed attempts once the customer\u2019s credentials and IP address are successfully verified.<\/p>\n\n\n\n Note:<\/strong> In case you need to block certain IPs in your Magento store, check out our tutorial How To Block an IP Address in Magento<\/a>.<\/p>\n\n\n\n Maintain blocklists of unacceptable passwords and regularly update their indexes.<\/p>\n\n\n\n Many cyberattacks try to guess passwords using algorithms based on dictionaries. It is vital to prevent customers from using words found in dictionaries as passwords.<\/p>\n\n\n\n Note:<\/strong> Implementing an 8-character password minimum means you only need to include dictionary words that meet that criteria.<\/p>\n\n\n\n Strictly prohibit the use of usernames and passwords that have been compromised in known security breaches and passwords derived from the website\u2019s services. There are numerous online databases like Have I Been Pwned<\/a> that can assist with maintaining up-to-date records.<\/p>\n\n\n\n Merely blocking certain words and passwords is not enough. Ensure that the customer always receives onscreen feedback about why their choice is not acceptable and instructions on how to create a secure password.<\/p>\n\n\n\n Forcing consumers to include upper-case letters, special characters, and numbers in their passwords has not produced the expected results. Complex passwords with different character types are more secure but harder to remember and use.<\/p>\n\n\n\n Customers are regularly exasperated when online services reject their password choices. As a result, users have resorted to predictable patterns. Instead of \u201ciloveyou\u201d, the user can enter \u201cIloveyou1!\u201d and create a formally acceptable password.<\/p>\n\n\n\n Attackers target frequently used character sequences and mangle<\/em> password variations making this requirement highly susceptible to attack. <\/p>\n\n\n\n Insisting on complex passwords has also led customers to write down or unsafely store passwords, severely reducing their value.<\/p>\n\n\n\n To improve password complexity, website owners need to encourage customers to use password managers.<\/strong> Some of the most prominent password managers include LastPass, KeePass, 1Password, and Dashlane.<\/p>\n\n\n Allow customers to paste passwords to streamline the use of password managers and passphrases.<\/p>\n\n\n\n The initial registration and password update pages should contain onscreen password-strength meters<\/strong>. Preemptive password checkers evaluate the content and changes in the password field and calculate the chosen password\u2019s strength.<\/p>\n\n\n\n The strength meter needs to meaningfully explain why certain passwords are not acceptable and provide guidance on how to create strong passwords.<\/p>\n\n\n This proactive approach also discourages customers from slightly tweaking passwords if their initial weak password is rejected. The goal is to motivate customers to willingly<\/em> create robust passwords<\/strong>. <\/p>\n\n\n\n Customers forget passwords all the time. Do not insist on hidden characters (dots or asterisks). Allow customers to see their password while typing. To streamline password creation on mobile devices, display each character for a short time to allow customers to verify their entry.<\/p>\n\n\n\n It has been standard practice to require password changes in predefined periods, for example, every 90 or 180 days. There is no conclusive evidence that this process significantly increases password security.<\/p>\n\n\n\n When prompted, users tend to change their passwords only marginally and use similar patterns. It also increases the pressure on users by forcing them to devise and memorize many passwords. A much better approach is to monitor compromised passwords and ask customers to change passwords only if there is a known issue with their current password.<\/strong><\/p>\n\n\n\n Insisting on intricate and complex passwords frustrates customers and is counterproductive. Users are going to find ways to avoid restrictions and compromise password strength in the process. <\/p>\n\n\n\n More advanced techniques and tools that take some of the pressure away from the end-user are a better choice. Blocklists, secure hashed storage, login rate limiting, customer education, and advanced authentication tools are available even to small business owners.<\/p>\n\n\n\n Keep in mind that attacks associated with passwords are not only affected by password complexity and length. Social engineering, phishing, and logging keystrokes are attack techniques that work regardless of the password\u2019s strength. <\/p>\n\n\n\n It is necessary to combine password protection with other sophisticated methods, such as two-factor authentication<\/a>, risk-based authentication, address-based checks<\/a>, and behavioral analytics.<\/p>\n\n\n\n Conclusion<\/p>\n\n\n\n Use the policies outlined in this article to improve password strength and increase overall security on your ecommerce website<\/a>.<\/p>\n\n\n\n Helping customers understand why they need strong passwords and how to create one is an essential component of a comprehensive password policy.<\/p>\n\n\n\n\n
\n
Best Ecommerce Password Policies<\/h2>\n\n\n\n
1. Minimum Password Length<\/h3>\n\n\n\n
2. Account Lockouts and Delays<\/h3>\n\n\n\n
\n
![\"Basic](\"https:\/\/ccbill.com\/kb\/wp-content\/uploads\/2020\/12\/captcha-password-authentication-policy.jpg\")
<\/figure>\n\n\n\n
\n\n\n\n
\n\n\n\n3. Block Dictionary Words, Usernames, and Compromised Passwords<\/h3>\n\n\n\n
\n\n\n\n
\n\n\n\n4. Password Complexity<\/h3>\n\n\n\n
![\"Images](\"https:\/\/ccbill.com\/kb\/wp-content\/uploads\/2020\/12\/password-managers-password-policy.jpg\")
<\/figure><\/div>\n\n\n5. Use an Onscreen Password-Strength Meter<\/h3>\n\n\n\n
![\"A](\"https:\/\/ccbill.com\/kb\/wp-content\/uploads\/2020\/12\/password-strenght-meter.jpg\")
<\/figure><\/div>\n\n\n6. Mandatory Password Changes<\/h3>\n\n\n\n
Additional Password Policy Considerations<\/h2>\n\n\n\n