
Password Security Guidelines

Having a good password is an important key to protecting payment information and other sensitive data. Passwords are the front-line tool for keeping intruders out, and good password practices in all situations are essential for security. The following guidelines are intended to help you create and use good passwords.

A good password has the following characteristics:

Uniqueness

One of the best ways to keep a password safe is to use unique passwords for each system. This means that the login password on your local PC is different from the login password on your server, and the login password you use for ShopSite is different from either of the others. Remembering multiple passwords may be a headache, but it's considerably easier than dealing with the consequences of a malicious hacker gaining access to your customer payment information.

There are numerous methods that can be used to help with passwords. One of the easiest to use is a mnemonic, or a memorable word or phrase. For example, if you enjoy classical music, you could base a password on the name of a favorite composer or piece of music. Remember not to use something easy to guess; if you are selling classical music, the same technique might not be as prudent. Another great mnemonic technique is to form a group of letters into a word you can remember. You may remember the word "Qwerty" from learning to type; coming up with a way to pronounce the letters in your password can be equally useful.

Hard to Guess

A good password is difficult for someone to guess. That means not using easy-to-obtain information such as your name, birthday, phone number, or the year you graduated from high school, or similar information about family members, pets, or your business. If you are basing your password on something memorable, pick obscure references that are not easily associated with you.

The second element of making passwords hard to guess is to avoid using words or phrases that would be found in a dictionary. This applies as much to words in other common languages as to your own language. Substituting numerals for similar letters will make your password harder to guess, but won't prevent a competent hacker from guessing a password based on a common dictionary word.

Completely random strings are the most difficult to guess, but they can also be the hardest to remember unless you can come up with a mnemonic for them. Blending parts of words together to form a new word can be one way to make a memorable password; Bach's Toccata and Fugue in D Minor could become "t0cnfgdm1n", which is considerably less likely to be guessed.

Long and Mixed

The more characters in your password, the lower the probability that it will be guessed. Security experts recommend a minimum of seven characters for a strong password. Making a password too long may make it difficult to remember, and there are limits to password length in many systems, so you may want to avoid passwords longer than 10 characters.

A good password must also combine alphabetic characters with numerals. Your password should have at least one numeral in it, preferably not at the beginning or end. Substituting a numeral for a similar character is a popular practice, and as a result, malicious hackers are likely to try similar substitutions. If your password is difficult to guess in other respects, alpha-numeric substitutions may be fine, but you should not assume that changing the letter "L" to the numeral "1" will make it harder to guess an otherwise easy password.

Frequent Changes

The final aspect of a safe password is that it changes on a regular basis. The minimum recommended period between changing your password is 90 days, or three months. ShopSite will regularly remind you to change your password. When you do, you should avoid re-using a password you have used before, or a password very similar to one you have used; changing a "1" to a "2" is unlikely to be enough of a change to keep your new password from being guessed.
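As an added illustration (not ShopSite's own code), the following Python validator applies the rules from the sections above mechanically: minimum length, a numeral that is not merely at the beginning or end, a dictionary check that first reverses common numeral-for-letter substitutions, rejection of a password within one character of the previous one, and a 90-day rotation check. The word list and substitution table are constructed placeholders, not a real dictionary.

```python
from datetime import date

# Constructed stand-in for a real dictionary wordlist (a deployment would load a full one).
COMMON_WORDS = {"password", "toccata", "fugue", "qwerty", "music", "letmein"}

# Numeral-for-letter substitutions the guideline says attackers try as a matter of course.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

MIN_LENGTH = 7      # "a minimum of seven characters"
MAX_AGE_DAYS = 90   # change at least every 90 days

def edit_distance(a, b):
    """Levenshtein distance; catches near-duplicates such as a "1" changed to a "2"."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_password(candidate, previous=None):
    """Return the list of guideline violations for candidate; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    digit_positions = [i for i, ch in enumerate(candidate) if ch.isdigit()]
    if not digit_positions or not any(ch.isalpha() for ch in candidate):
        problems.append("must combine letters and numerals")
    elif all(i in (0, len(candidate) - 1) for i in digit_positions):
        problems.append("numeral only at the beginning or end")
    # Undo common substitutions before the dictionary check: "pa55w0rd" is still "password".
    if candidate.lower().translate(LEET_MAP) in COMMON_WORDS:
        problems.append("based on a dictionary word")
    if previous is not None and edit_distance(candidate, previous) <= 1:
        problems.append("identical or too similar to the previous password")
    return problems

def rotation_due(last_changed, today):
    """True once the password has been in use for MAX_AGE_DAYS or longer."""
    return (today - last_changed).days >= MAX_AGE_DAYS

if __name__ == "__main__":
    print(check_password("pa55w0rd"))                           # ['based on a dictionary word']
    print(check_password("t0cnfgdm2n", previous="t0cnfgdm1n"))  # flagged as too similar
    print(rotation_due(date(2010, 3, 1), date(2010, 6, 1)))     # True
```

The page's own example "t0cnfgdm1n" passes every check, while the same string with its "1" changed to a "2" is rejected when the old password is supplied.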

Minimum Requirements

The following are the minimum requirements for a secure password, as defined in the PCI specification:

With regard to access management, administrators should also be aware of these additional requirements, as defined in the PCI specification:

See the Visa CISP Information Page for detailed information on PCI requirements.


ShopSite Help and Resource Center
Last updated: March 01, 2010