Modular Merchant: Shopping Cart Software

New Password Requirements Coming July 2008
Modular Merchant Forum Index -> Announcements!

CMarier


Modular Merchant: Administration

Joined: 06 Mar 2006
Posts: 38
Location: Oregon


Posted: Jun 11, 2008 04:08pm    Post subject: New Password Requirements Coming July 2008

Anyone who's ever been bored enough to read the Modular Merchant forum's "Code of Conduct" is familiar with Modular Merchant's "golden rule" of interpersonal interaction: Don't be a jerk.

Unfortunately, jerks continue to lurk about: parking their car in two spaces at the mall, sitting behind you in the drive-thru with their brights on, and trying day after day to crack your email password so they can hijack your website to deliver billions of fraudulent emails that nobody wants or needs.

This article relates to the last item on that list: securing your store and website against hackers who desire to hijack and do evil with them.

In July 2008, Modular Merchant will be instituting some new requirements for password security. This will affect the passwords of both store admin accounts, and any email accounts hosted on Modular Merchant servers. These new requirements will coincide with the release of a standard software update. This forum article will be updated to include the release date of these requirements, as soon as the date is available.



"So, what will these new password requirements entail? Am I going to rotate my password every fifteen minutes using the ultra-top-secretive Selrach-double-binary-encryption-password-algorithm?"
I'm glad that I pretended that you asked. The new password requirements will be designed to meet the best median between security and manageability. (Admittedly, with the priority being on security.)

Here are the rules for password design:
  • Passwords must contain at least one of each of the following: a capital letter, a lower case letter, a number and a non-alphanumeric character (such as punctuation).
  • The password may not be the same as the Admin account's login or the first part of the email address. (The part of the email address that comes before the "@" symbol.)
  • All Admin accounts must have a unique password, and all email accounts must have a unique password.



"Is password security really that big a deal?"
Ohhh, yeah. Here's an example of what can happen: Last May, a client hosted on one of our shared servers had their email password hacked. The password was a compound word, such as "CatBreath". It's probably a password the client had used for years. Unfortunately, the client's domain came to the attention of some spammers, and the email account's password was soon cracked. Within hours, the client's email account had been usurped and was sending out spam and phishing emails at the rate of thousands per minute. The server's mail system was so clogged with outgoing spam (and returned spam that was bounced back) that the entire server's performance began to suffer. Every shopping cart and website hosted on that server started slowing down.

Fortunately, we do have an Action Plan for such a scenario, and as soon as we became aware of what was going on, the email account was closed and the unsent spam was deleted. But that was just the start of the cleanup process...

The entire server was flagged by third-party watchdog groups, and within a matter of hours every domain hosted on the server started showing up on spam blacklists. Other, completely innocent, clients on that server started having their emails rejected by various ISPs including HotMail, Comcast, and AT&T. To fix that problem required us to start the tedious process of contacting each spam-watch company and ISP one-by-one to explain the situation and negotiate that the server be removed from their blacklists.

In the end, this one hijacked email account, sending spam for just a few hours, caused a mess that cost Modular Merchant an estimated 37 hours of time to clean up.



"What will happen if I flout the rules and insist on keeping my insecure passwords?"
Depending on the severity of the security concern, Modular Merchant will take one or more of the following steps:
  • Notices may be sent via email, or posted within the store's administration area, reminding the user(s) to change the specified insecure password(s).
  • Modular Merchant technicians may change the password(s) and then notify the user(s) of the password change. The user(s) may then log in and change the password(s) to a new, secure password of their choice.
  • Access to the specified email or store admin account(s) may be temporarily revoked by Modular Merchant technicians until the password(s) are updated.
  • Modular Merchant may terminate the hosting and/or shopping cart account.



I hope it is obvious that these password requirements are designed to protect both you and your neighbors on your server. I also hope that by posting this announcement about a month in advance, we're providing our clients enough time to prepare for this change. Either way, we encourage your feedback on this topic. Don't be a Nervous Nellie, tell us what you think; use your words!
_________________
CMarier
Modular Merchant - Shopping Cart Software
Specializing in digital delivery, subscription products, and add-on also available.
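The three password rules in the announcement above, written out as a standalone checker. This is an added example, not Modular Merchant's own code or the actual implementation that shipped with the July 2008 update; the account names, addresses and passwords in it are constructed sample data, and the case-insensitive comparison against the login name and email local part is an assumption that is stricter than the post's wording.

```python
import re
from typing import Dict, List

# Added example, not Modular Merchant's code: a standalone checker for the
# three rules in the announcement. Account names and passwords below are
# constructed sample data.

# Rule 1: at least one character from each of these four classes.
REQUIRED_CLASSES = [
    ("capital letter", re.compile(r"[A-Z]")),
    ("lower case letter", re.compile(r"[a-z]")),
    ("number", re.compile(r"[0-9]")),
    ("non-alphanumeric character", re.compile(r"[^A-Za-z0-9]")),
]


def local_part(email: str) -> str:
    """The part of an email address before the '@' ('' if email is empty)."""
    return email.split("@", 1)[0]


def password_problems(password: str, login: str = "", email: str = "") -> List[str]:
    """Return the rules the password breaks; an empty list means it passes.

    `login` is the admin account's login name and `email` the mailbox address
    the password protects; pass whichever applies.
    """
    problems = []
    for name, pattern in REQUIRED_CLASSES:
        if not pattern.search(password):
            problems.append(f"missing a {name}")
    # Rule 2: not the login name or the email local part. The comparison is
    # case-insensitive here (an assumption, stricter than the post's wording)
    # so that "Sales" for the mailbox sales@... is still rejected.
    forbidden = {s.casefold() for s in (login, local_part(email)) if s}
    if password.casefold() in forbidden:
        problems.append("same as the login name or the email local part")
    return problems


def duplicate_passwords(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Rule 3: map every password used by two or more accounts to those accounts.

    `accounts` maps account name -> password. This only works on plaintext
    passwords, i.e. at the moment they are being set; once stored they should
    be hashed, and the check becomes "verify the new password against each
    existing account's hash" instead of comparing strings.
    """
    users_by_password: Dict[str, List[str]] = {}
    for account, password in accounts.items():
        users_by_password.setdefault(password, []).append(account)
    return {pw: names for pw, names in users_by_password.items() if len(names) > 1}


if __name__ == "__main__":
    # "CatBreath" is the compound-word password from the post's example.
    print(password_problems("CatBreath"))
    print(password_problems("Sales", email="sales@example.com"))
    print(password_problems("Dr1ve-thru!", login="admin", email="sales@example.com"))
    print(duplicate_passwords({"admin": "Dr1ve-thru!", "backup": "Dr1ve-thru!",
                               "orders": "C4t.Breath"}))
```

Run it and the post's "CatBreath" fails on two counts (no number, no punctuation), which is exactly the kind of password the announcement says was cracked; the uniqueness check is the one rule that cannot be enforced on a single account in isolation, so it has to run where the other accounts' credentials (or their hashes) are available.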

lcapelis




Joined: 10 Sep 2005
Posts: 3


Posted: Jun 13, 2008 09:45am    Post subject: A great improvement, and great advance warning

This is the way critical changes of this difficulty ought to be implemented.
Thanks