Shopify Caught Using Weak Password Policy Involved in Password Breaches

According to a recent report, the customer-facing section of Shopify's website has extremely lax password requirements. The report states that Shopify only requires its users to create passwords that are at least five characters long and do not start or end with a space.

Specops researchers examined one billion passwords known to have been compromised and found that 99.7% of them met Shopify's requirements. This is not meant to imply that Shopify customers' credentials have been compromised, but the fact that so many leaked passwords comply with Shopify's minimal password criteria does highlight the risk of weak password policies: a policy that almost every breached password satisfies does nothing to keep such passwords out.


The Danger of Weak Passwords in your Active Directory

Hive Systems' most recent analysis confirms the risks of using weak passwords. The study estimates how long it would take to brute-force passwords of different lengths and degrees of complexity. According to an infographic from Hive Systems, a five-character password can be broken instantly regardless of its complexity. Given how easily shorter passwords can be cracked by brute force, organizations should ideally require complex passwords that are at least 12 characters long.
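To make the two measurements above concrete, here is an added example (not code from the article, Specops or Hive Systems) that encodes Shopify's reported five-character rule next to a stricter 12-character policy, measures what share of a constructed sample of breach-style passwords each policy would accept, and estimates brute-force time from the keyspace. The sample passwords and the guess rate of 10^10 guesses per second are assumptions for illustration, not figures from the article.

```python
import math
import string

def meets_shopify_policy(pw: str) -> bool:
    """Shopify's reported rule: at least 5 characters, no leading/trailing space."""
    return len(pw) >= 5 and not pw.startswith(" ") and not pw.endswith(" ")

def meets_strict_policy(pw: str, min_len: int = 12) -> bool:
    """Stricter policy in the spirit of the article: 12+ characters and at least
    three of the four character classes (lower, upper, digit, punctuation)."""
    if len(pw) < min_len or pw != pw.strip():
        return False
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(classes) >= 3

def acceptance_rate(passwords, policy) -> float:
    """Fraction of a password sample that a policy accepts: the Specops
    measurement in miniature (a high rate means the policy filters little)."""
    return sum(1 for p in passwords if policy(p)) / len(passwords)

# Constructed sample in the style of commonly breached passwords; not real breach data.
LEAKED_SAMPLE = [
    "123456", "password", "qwerty", "iloveyou", "abc123", "letmein", "dragon",
    "monkey", "1234", "Summer2019!", "football", " pass", "Tr0ub4dor&3",
    "P@ssw0rd", "sunshine", "Correct-Horse-42",
]

def keyspace_bits(length: int, charset_size: int) -> float:
    """Entropy of an exhaustive search space for a random password."""
    return length * math.log2(charset_size)

def brute_force_seconds(length: int, charset_size: int = 95,
                        guesses_per_second: float = 1e10) -> float:
    """Worst-case time to enumerate every password of this length; the guess
    rate is an assumed attacker budget, not a figure from the article."""
    return charset_size ** length / guesses_per_second

if __name__ == "__main__":
    for name, policy in [("shopify", meets_shopify_policy), ("strict", meets_strict_policy)]:
        print(f"{name}: accepts {acceptance_rate(LEAKED_SAMPLE, policy):.1%} of sample")
    for n in (5, 8, 12):
        print(f"{n} chars: {keyspace_bits(n, 95):.0f} bits, "
              f"{brute_force_seconds(n) / 86400 / 365:.2e} years to exhaust")
```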

Even if you were to ignore the security risks of a five-character password, there is another issue that could be more serious: regulatory compliance. In a related piece, SLYTECH released a video on its YouTube channel discussing the importance of a password policy that protects customers from account takeover.

The video highlighted the NIST password guideline, which requires a minimum password length of eight characters, and argued that a policy should focus not only on length but also on complexity. The video also demonstrated how openly available tools can be used to create a custom password list that is, in most cases, 90% effective, which is all the more reason for companies to pay close attention to password policies that protect users and workers alike (SEE VIDEO).

It’s tempting to believe that only major corporations need to be concerned about regulatory compliance. As a result, many small, independent sellers that sign up for Shopify accounts can be blissfully unaware of the corresponding regulatory duties. However, the payment card industry mandates that the official PCI Security Standards be followed by every company that accepts credit card payments.


Avoiding The PCI Requirements With a 3rd Party Payment System

One benefit of adopting Shopify or a comparable ecommerce platform is that merchants are relieved of the responsibility of managing their own payment card gateways. Instead, Shopify takes care of transaction processing on the merchant's behalf. This outsourcing of the payment process shields e-commerce business owners from several PCI rules.

For instance, PCI requirements oblige businesses to safeguard stored cardholder data. However, when an e-commerce company outsources payment processing, it usually never has access to its customers' credit card information. As a result, if the business owner never obtains cardholder data in the first place, the duty to protect such data effectively falls away.

However, the requirement to identify and authenticate access to system components (Requirement 8) may be a more challenging PCI requirement. It would be difficult for an online shop to justify a five-character password: the PCI security standards, according to the report, do not define a minimum password length, but the PCI DSS Quick Reference Guide states on page 19 that “Every user should have a strong password for authentication.”


Start Beefing Up IT Security Internally

This, of course, raises the question of what ecommerce companies can do to improve their overall password security. Perhaps the most critical recommendation is to recognize that the minimum password requirements of an ecommerce portal may be inadequate. From a security and compliance standpoint, it is usually advisable to use a password that is longer and more complex than the minimum required.

Ecommerce retailers should also take a serious look at what can be done to improve password security on their own networks. This is especially true if any customer data is stored or processed on your network. According to a 2019 study, 60% of small companies close within 6 months of being hacked. It is therefore extremely important to do what you can to prevent a security incident, and a big part of that involves making sure that your passwords are secure.
