How You Configure Staff-Member Passwords
You can strengthen passwords by defining requirements such as minimum password length, maximum number of character repetitions and occurrences, and the minimum number of upper and lowercase characters, numbers, and special characters allowed.
You configure passwords for your staff from the configuration list on the navigation pane ( ). The options available to you in setting up password requirements can enhance security on your site as well as help protect your customers’ information. This table describes the security benefits of defining specific requirements for passwords.
| Password Configuration | Security Benefit |
|---|---|
| Number of Invalid Logins | Locking accounts after a designated number of consecutive login failures makes it more difficult, but not impossible, for attackers to use brute-force password cracking. If an attacker is able to obtain an encrypted password, they can guess the algorithm used to encrypt it and simply run different strings looking for a match. While time-consuming, current computing technology makes it possible to guess up to - million passwords per second (and this number increases by 10 percent per year). In B2C Service, the default is five invalid login attempts before the account is locked. |
| Expiration Interval | The password expiration interval helps mitigate risk for accounts that have been compromised or accounts that have not been used for long periods of time. By setting a conservative value for the number of days a password stays in effect, you can help lower the risk of attack. (Default = 90.) Note: PCI compliance requires the expiration interval to be 90 days or less. |
| Password Length | While it is helpful to use case changes and special characters to enlarge the character set, enforcing longer passwords is an easy way to improve password strength. (Default = 8.) For example, if 76 characters are used randomly, it takes no more than 12 hours to crack a 6-character password. Cracking time increases to 6 years for an 8-character password, and it would take 230 million years to crack a 12-character password. Of course, password cracking typically takes advantage of the tendency to use common words in passwords, so dictionary attacks can break passwords more quickly. For maximum security, even longer passwords (no less than 10 characters) are necessary. For example, a 12-character password composed of 3 words from a 100,000-word dictionary could take more than 7 years to crack. Add a small amount of randomness to the password, and the cracking time rapidly increases to 230 million years. |
| Numbers and Special Characters | Requiring numbers and special characters can add to the random factor of a password. They also make it easier for a user to come up with a password that is easy to remember, but still unique. For example, |
| Uppercase and Lowercase Characters | Requiring a mix of uppercase and lowercase characters can add to the random factor of a password. They also make it easier for a user to come up with a password that is easy to remember, but still unique. For example, |
| Number of Previous Passwords | Password history prevents the repetition of passwords when a staff member changes a password that is set to expire. Enforcing password expiration without setting the number of previous passwords allowed makes password expiration less effective. (Default = 10.) |
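The following is an added example, not B2C Service code, of how the requirements in this topic (minimum length, maximum repetitions and occurrences, minimum upper/lowercase, numbers and special characters, and the previous-password history) can be enforced in one policy check. The length and history defaults are the ones quoted in the table; the repetition, occurrence and character-class minimums, the `SPECIAL` set and the scrypt-based history hashing are constructed assumptions for the example.

```python
import hashlib
import os
from dataclasses import dataclass
from itertools import groupby

SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/|\\~`'\"")  # assumed special-character set

@dataclass(frozen=True)
class PasswordPolicy:
    # min_length and history_size follow the table defaults; the rest are constructed values.
    min_length: int = 8
    max_repetitions: int = 2   # longest run of one character: "aa" passes, "aaa" fails
    max_occurrences: int = 3   # total uses of any single character anywhere in the password
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    history_size: int = 10     # "Number of Previous Passwords"

def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted scrypt digest, standing in for whatever the real credential store keeps."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

def violations(policy: PasswordPolicy, candidate: str, history=()) -> list[str]:
    """Return every rule the candidate breaks; an empty list means it is accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    longest_run = max((len(list(g)) for _, g in groupby(candidate)), default=0)
    if longest_run > policy.max_repetitions:
        problems.append(f"a character repeats {longest_run} times in a row")
    most_used = max((candidate.count(c) for c in set(candidate)), default=0)
    if most_used > policy.max_occurrences:
        problems.append(f"a character occurs {most_used} times")
    for name, test, need in (("uppercase", str.isupper, policy.min_upper),
                             ("lowercase", str.islower, policy.min_lower),
                             ("digit", str.isdigit, policy.min_digits),
                             ("special", SPECIAL.__contains__, policy.min_special)):
        have = sum(map(test, candidate))
        if have < need:
            problems.append(f"needs at least {need} {name} character(s), has {have}")
    # Only the most recent history_size entries count; a history_size of 0 disables the check.
    for salt, digest in history[max(len(history) - policy.history_size, 0):]:
        if hashlib.scrypt(candidate.encode(), salt=salt, n=2**14, r=8, p=1) == digest:
            problems.append("reused one of the previous passwords")
            break
    return problems
```

Returning the full list of failed rules, rather than the first one, lets the interface tell the staff member everything to fix in a single attempt.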