Magento Password Management
Managing passwords is an important component to managing your Magento store. What many people don't realize is that breadth of control that can be exercised regarding admin access passwords within your Magento store. In this post I will explore some of those settings.
Magento 1 and Magento 2
The latest versions of both Magento 1.x and Magento 2.x allow you to manage a variety of settings related to admin passwords.
To manage your Admin password settings in Magento 1.x, go to System > Configuration > Admin and expand the Security section:
From this area you area able to specify whether the login is Case Sensitive, a setting that can help enhance login security. If you set this to "Yes", your password of "ApPle34exiT!", will not work when entered as "apple34exit!".
You can also specify that a Secrete Key be added to URLs, this prevents cross-site request forgery and doesn't impede performance. By default this is set to "Yes", and it is recommended that it remain set to "Yes".
There are also two settings that enabling and disabling frames. You can Allow Magento Backend or Frontend to run in frame. This option is present to help prevent "clickjacking", a malicious practice of concealing hyperlinks beneath legitimate clickable content, causing users to perform actions of which they are unaware.
There is also the ability to Enable and Disable the Admin routing capability mode for extensions. By default this is Enabled.
Finally, it must be noted that there exists differences between password settings available in Magento 1.x Community Edition and Magento 1.x Enterprise Edition. See below the additional password settings options available in EE that are not present in CE.
To manage your Admin password settings in Magento s.x, go to Stores > Configuration > Admin and expand the Security section:
Similar to the Magento 1.x version, the Magento 2.x version offers the same options with the addition of several new ones. Several features that were only included with Magento Enterprise on the 1.x version are now included with Community version in 2.x.
The first addition in the 2.x version is a new Admin Account Sharing option. If set to "Yes", you can log in from multiple computers into same account. The default setting of "No" improves security.
The Password Reset Protection Type allows you to specify how you want to manage password reset requests. There are four available options: 1) By IP and Email - passwords can be reset online after a response is received from a reset notification sent to the email address associated with the Admin account. 2) By IP - passwords can be reset online without additional confirmation. 3) By Email - passwords can be reset only by responding to an email notification that is sent to the email address associated with the Admin account. 4) None - passwords can be reset only by the store administrator.
Other options include the ability to specify Recovery Link Expiration Periods (in hours), the Maximum Number of Password Reset Requests, the Minimum Time Between Password Reset Requests, the Maximum Login Failures to Lockout Account, the Lockout Time, and the Password Lifetime (in days).
Passwords and Payment Card Industry (PCI) Compliance
When configuring your system password management settings, it is important to consider PCI requirements when specifying values. Password compliance requirements are stated in Requirement 8 of PCI DSS standards.
- Passwords should have a minimum length of seven characters AND contain both numeric and alphabetic characters
- Passwords should be changed every 90 days
- Passwords, when changed, can not be the same as one of the four previous passwords
- First-time Passwords for new users, and reset passwords for existing users, are set to a unique value for each user and changed after first use
- User accounts should be temporarily locked-out after not more than six invalid access attempts
- Once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account
- System/session idle time out features have been set to 15 minutes or less
Magento offers you a lot of flexibility in controlling access to your Magento admin, there are differences between available options in Magento 1.x CE and EE versions, but these difference have been eliminated in 2.x versions. There are also steps that should be taken to ensure your site remains safe and less susceptible to compromise, these include implementing PCI compliance guidelines.
Be sure you are making use of Magento's available password management features and that you have a good password policy in place to protect your Magento store.