Prevent common passwords? #211
Comments
|
Thumbs up! You still would like to have "allow weak passwords" setting either globally or for admin users, as Wordpress does that (You must "click and accept" usage of weak password). This goes well with GDPR guidlines, because there are no excuses for weak data protection. Some reading: https://security.stackexchange.com/questions/116780/how-to-create-dictionary-to-prevent-weak-passwords |
|
Fantastic! Yes, I hate default complexity rules that force you to make a password you can't remember. What's more secure from a brute force angle:
or
But more my initial thought is just a text file that can get populated with various password dumps, so if someone tries to use it says "Sorry, you're trying to use a really common password" https://www.geeknoob.com/1000-most-common-passwords.html That's only one list, there's lists of like 1,000 and 10,000. Obviously, not any dictionary words... Of course, I only have US dictionary! It'll be a work in progress... We could set it to only be active if the environment is |
|
First thing: Client will drop like flies in the rain, if there will be password checker.
Second thing: Better option create passwords for them, send them to e-mail and let them buy products, as many one page checkout modules do. Stop thinking like developers in client side things, I agree, weak password are bad, but it's clients responsibility to protect his data, shop can make only simple checkups like, if it's same IP address, if not - send email with extra code (2-way auth, but with emails). |
It's not so simple. IF customer understand risks, then it's ok. But 99% of them are just users and will blame You for anything, as soon as there are possibility. I agree on simplicity - you should and must make purchase process as simple as possible, but You shouldn't ignore security risks. Data protection is not only developers concern. In Europe it's becoming even more regulated with GDPR. Yes, agree, it adds more bureaucracy then security, but GDPR introduces huge penalties for non-compliance. Anyway - data and password security is not only user concern. :) |
|
Point was, if we're not storing payment card information directly in the DB (which would be major issue here in the US), then the ramification of customer using a weak password isn't horrible. The biggest risk they face is re-using passwords between sites. We can't stop that. We're storing the password in the DB using a strong hash, so that's good too. How many more rules do you want... minimum password length? yes. Prevent stupid passwords? (we can do this, and I think we can ENFORCE it for the admin accounts). But, you tell me, in Europe, is there an obligation on the store owner/site operator to prevent the customer from choosing Here's the top 100 passwords from Ashley Maddison: Question is, how much friction is acceptable to put on customers? |
https://www.theregister.co.uk/2018/04/03/magento_brute_force_attack/
MY read of the article is that there weren't default passwords that were used, just that Admins used easy to guess passwords.
How would you feel about a library that adds rules for passwords (probably just on the admin side, you wouldn't want to make it too difficult for customers to make accounts, especially if you're using a 3rd party gateway for payments).
Simple rules like:
Password can't be the email address
Password can't be in a text file of predefined passwords for this, there's tons of lists of the most common passwords found in various database dumps...
The text was updated successfully, but these errors were encountered: