Let’s be honest: few users bother with password security, believing that “user123” is strong enough. The point is that if anything goes wrong, they will most likely blame the store owner. So how do you protect your clients when they do nothing to protect themselves? Here is a list of tips that may help you.
Make it longer, make it safer
A basic rule of password creation that is always forgotten. “Thanks” to specialised cracking tools, hackers can run through practically every possible four-character combination. Passwords of even fewer characters are simply not allowed anywhere.
Image 1. Facebook allows passwords of no fewer than 6 characters.
The point here is simple: the more characters a password has, the harder it is for a hacker to crack. Most resources require at least 6 characters, but you can set the minimum length to as many characters as you wish. The longer, the better.
Suggest that they change the default password
To save the client’s time, some resources require only an email address for registration and hand new users a ready-made password. Though these websites strongly advise customers to change it later, not everyone actually does. Such behaviour endangers the whole account and may lead to users’ private information being stolen.
Image 2. The website defaultpassword.com lists many existing default passwords. Can you find yours?
How to deal with it? You can gently but persistently remind your users by email to change their password. You can show a large pop-up on their second or third visit recommending that they set a new one. Or you can use a solution of your own. The main point is to get clients to change their passwords.
Set password rules for their own safety
Length is not the only thing that matters for security. The right mix of characters makes a password much harder to steal. In other words, a password that contains more than just lower-case letters is far safer.
There are many ways to vary a password. For example, you can use:
- Upper- and lower-case letters
- Special characters such as dots and hyphens
- Spaces, and so on
Add specific password rules at the sign-up step and your users will have no choice but to create a strong password. Even one required special character makes it harder for a hacker to guess the password; several of them make it almost unguessable.
Think about password updates
Another step you can take to improve security is setting a Password Lifetime. This feature makes your clients’ passwords expire after a certain period of time, so they have to update them, which makes a successful guess less likely.
To automate this, you can use various software tools or extensions for your CMS. For example, our Security Suite for Magento 2, apart from general security improvements, lets you easily define a Password Lifetime. It need not depend only on a period in days: you can also require a password change after a number of successful logins. There are options to choose from.
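The two expiry triggers described above (a period in days and a count of successful logins) can be expressed as a small policy check. The following is an added example written for this article, not code from the Security Suite or from Magento; the class and function names (`LifetimePolicy`, `PasswordRecord`, `password_expired`) and the 90-day / 20-login values are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class LifetimePolicy:
    """Password Lifetime settings (hypothetical names).

    Either trigger may be disabled by setting it to None; when both are set,
    whichever fires first forces a password change.
    """
    max_age_days: Optional[int] = 90    # expire after this many days
    max_logins: Optional[int] = None    # expire after this many successful logins


@dataclass
class PasswordRecord:
    """What the store keeps per account to evaluate the policy."""
    changed_at: datetime            # when the current password was set
    logins_since_change: int = 0    # successful logins with the current password


def password_expired(record: PasswordRecord, policy: LifetimePolicy,
                     now: datetime) -> Tuple[bool, str]:
    """Return (expired, reason); reason is "age", "logins" or "" when still valid."""
    if policy.max_age_days is not None:
        if now - record.changed_at >= timedelta(days=policy.max_age_days):
            return True, "age"
    if policy.max_logins is not None:
        if record.logins_since_change >= policy.max_logins:
            return True, "logins"
    return False, ""


def days_until_expiry(record: PasswordRecord, policy: LifetimePolicy,
                      now: datetime) -> Optional[int]:
    """Days left before the age trigger fires (None if age expiry is disabled)."""
    if policy.max_age_days is None:
        return None
    remaining = record.changed_at + timedelta(days=policy.max_age_days) - now
    return max(0, remaining.days)


def record_login(record: PasswordRecord) -> PasswordRecord:
    """Call after every successful login so the login-count trigger can work."""
    record.logins_since_change += 1
    return record


def demo():
    """Evaluate the policy against three constructed accounts at a fixed 'now'."""
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    policy = LifetimePolicy(max_age_days=90, max_logins=20)
    fresh = PasswordRecord(changed_at=now - timedelta(days=10), logins_since_change=3)
    stale = PasswordRecord(changed_at=now - timedelta(days=120), logins_since_change=3)
    busy = PasswordRecord(changed_at=now - timedelta(days=10), logins_since_change=20)
    return {
        "fresh": password_expired(fresh, policy, now),
        "stale": password_expired(stale, policy, now),
        "busy": password_expired(busy, policy, now),
        "fresh_days_left": days_until_expiry(fresh, policy, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run the check at login time: if `password_expired` returns `True`, redirect the client to the password-change form instead of the account page, and reset `logins_since_change` and `changed_at` once a new password is saved.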
Show users how strong their passwords are
A visual indicator shows users how secure a password is far better than lists and tips. Add a coloured scale that displays the password’s strength (from red Weak to green Strong) and accompany it with short recommendations on how to improve it.
Image 3. There is no need to explain everything the way passwordmeter.com does; a simple indicator like the “Score” field is enough.
This way your clients can see whether their password meets your security requirements and what they can do to make it better. Moreover, a colourful indicator gives your designer room for imagination. Why not make your website look better along with the security improvement?
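One way to produce the score, label and short recommendations that such an indicator needs. This is an added example, not code from passwordmeter.com or from the article’s author; the scoring weights (up to 64 points for length, 12 per additional character class, a 20-point penalty for a single repeated character) and the Weak / Fair / Strong thresholds are assumptions chosen so that the scale reads sensibly, not a standard.

```python
import re
from typing import List, Tuple

# Character classes the indicator looks for, with the advice shown when one is missing.
CHARACTER_CLASSES = {
    "lower-case letters": r"[a-z]",
    "upper-case letters": r"[A-Z]",
    "digits": r"[0-9]",
    "special characters or spaces": r"[^A-Za-z0-9]",
}
TARGET_LENGTH = 12  # assumed recommendation shown to the user


def score_password(password: str) -> int:
    """Score 0..100 from length and the variety of character classes used."""
    length = len(password)
    # 4 points per character up to 12 characters, then 2 per character up to 20.
    length_points = min(length, 12) * 4 + max(0, min(length, 20) - 12) * 2
    present = sum(1 for pat in CHARACTER_CLASSES.values() if re.search(pat, password))
    class_points = max(0, present - 1) * 12
    score = length_points + class_points
    # A long string of one repeated character is no better than a short one.
    if length and len(set(password)) == 1:
        score -= 20
    return max(0, min(100, score))


def label_for(score: int) -> str:
    """Map the score onto the three colours of the indicator."""
    if score < 45:
        return "Weak"      # red
    if score < 75:
        return "Fair"      # amber
    return "Strong"        # green


def rate_password(password: str) -> Tuple[int, str, List[str]]:
    """Return (score, label, recommendations) for display next to the form field."""
    tips = []
    if len(password) < TARGET_LENGTH:
        tips.append(f"use at least {TARGET_LENGTH} characters")
    for name, pat in CHARACTER_CLASSES.items():
        if not re.search(pat, password):
            tips.append(f"add {name}")
    if password and len(set(password)) == 1:
        tips.append("avoid repeating the same character")
    score = score_password(password)
    return score, label_for(score), tips


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real passwords.
    for sample in ("user123", "Tr0ub4dor&3", "correct horse battery", "aaaaaaaaaaaa"):
        print(sample, rate_password(sample))
```

The function is cheap enough to call on every keystroke, so the same logic can drive the live indicator on the sign-up form and the server-side acceptance check, keeping the two from disagreeing.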
Add a password blacklist
Users can be so lazy that they use the simplest character combination possible. Since this attitude is so widespread, statisticians have compiled lists of the most frequently used passwords, with entries such as “user1234” and “password”.
Image 4. The worst passwords according to SplashData.
Passwords from these lists are among the first that hackers’ tools try. You can protect users from such an easy account loss simply by adding a notification saying that the password is a common one and is quite likely to be stolen. With this in mind, new users are more likely to create something complex.
Password and login are separate things
Some users even outdo themselves and put their full login, or part of it, into the password. Since the login is not something users keep particularly secret, a hacker may not need to spend any effort cracking such a password.
Image 5. A bad example: an easy-to-guess password.
Don’t let your users fall victim to such laziness: show them a notice that this kind of password is not allowed and they should enter another one. Don’t leave hackers a chance.
Keep them far apart
Putting a number of different characters together is not enough to make an account inaccessible. If these characters sit next to each other on the keyboard, as in “123qweasd”, a hacker may not even need a cracking tool; simple behaviour prediction can find the password.
That is no good. Tell your clients that their password lacks diversity if its characters are adjacent on the keyboard. A small reminder is enough, but if you take it seriously, it is better not to allow such passwords at all.
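The sign-up rules from the last four sections (required character classes, a blacklist of common passwords, rejecting passwords that contain the login, and rejecting runs of adjacent keyboard keys) can all be enforced in one server-side validator. The code below is an added example and not Magento’s or the Security Suite’s own implementation; the minimum length of 10, the tiny `COMMON_PASSWORDS` set (a real deployment would load a full list such as the SplashData one), the keyboard rows, the three-key run length and the violation codes are all assumptions made for this illustration.

```python
import re
from typing import List

MIN_LENGTH = 10  # policy choice for this example

# Constructed sample blacklist; load a real list of leaked/common passwords in production.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "user1234", "letmein"}

# Key rows of a US keyboard plus the alphabet; runs are checked forwards and backwards.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz")
SEQUENCE_LEN = 3  # three adjacent keys is enough to flag "123qweasd"


def has_keyboard_sequence(password: str, run: int = SEQUENCE_LEN) -> bool:
    """True if any `run` consecutive characters are adjacent keys on one row."""
    pw = password.lower()
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for i in range(len(pw) - run + 1):
                if pw[i:i + run] in direction:
                    return True
    return False


def contains_login(password: str, login: str) -> bool:
    """True if the whole login, or a meaningful fragment of it, appears in the password."""
    pw, lg = password.lower(), login.lower()
    if len(lg) >= 3 and lg in pw:
        return True
    # Fragments such as the part of an email address before "@" or "."
    for part in re.split(r"[^a-z0-9]+", lg):
        if len(part) >= 4 and part in pw:
            return True
    return False


def validate_password(password: str, login: str) -> List[str]:
    """Return a list of violation codes; an empty list means the password is accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if not re.search(r"[a-z]", password):
        violations.append("no_lowercase")
    if not re.search(r"[A-Z]", password):
        violations.append("no_uppercase")
    if not re.search(r"[^A-Za-z]", password):
        violations.append("no_symbol")        # digit, space or special character
    if password.lower() in COMMON_PASSWORDS:
        violations.append("blacklisted")
    if contains_login(password, login):
        violations.append("contains_login")
    if has_keyboard_sequence(password):
        violations.append("keyboard_sequence")
    return violations


# Messages shown to the user for each code (wording is illustrative).
MESSAGES = {
    "too_short": f"Use at least {MIN_LENGTH} characters.",
    "no_lowercase": "Add a lower-case letter.",
    "no_uppercase": "Add an upper-case letter.",
    "no_symbol": "Add a digit, space or special character.",
    "blacklisted": "This password is very common and likely to be guessed.",
    "contains_login": "The password must not contain your login.",
    "keyboard_sequence": "Avoid characters that sit next to each other on the keyboard.",
}


if __name__ == "__main__":
    # Constructed sample sign-up attempts; none of these are real credentials.
    for pw, login in (("123qweasd", "john"), ("password", "john"),
                      ("John.Smith2024!", "john.smith"), ("M!lk&Honey Road 7", "dana")):
        codes = validate_password(pw, login)
        print(repr(pw), codes or "accepted", [MESSAGES[c] for c in codes])
```

Returning codes rather than a single yes/no lets the form show every problem at once, which is what the article asks for: the user sees exactly why “123qweasd” was refused instead of guessing.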
Add integration with social networks
It may sound like odd advice, but integration with social networks can actually improve password security. The point is that people keep quite personal information on Facebook and Twitter, so many of them tend to create more complex passwords there. Take advantage of this and let your users log in to your website the way they are used to.
Remember about privacy
There is another thing about password storage: not all users want their browsers to keep the passwords they enter. Or they may have visited your website from somebody else’s device. In both cases they expect to be logged out automatically with no password being stored.
For this purpose, add a “Don’t Remember Me” function, which automatically logs a client out and doesn’t allow the browser to keep the password. It is a useful feature when a client uses a shared device. Moreover, there is no better way to forget a password than relying on the “Remember the password” function. Train your users’ memory and improve general security with one simple feature.
The social network VK has it. Why not have the same feature?
Remember about your own security
Actually, there is little benefit in improving your clients’ password security if you don’t pay enough attention to your own. All the rules mentioned above apply to your password as well, so think about security improvements on your own side.
Set a long and complicated password with plenty of lower- and upper-case characters, and your admin panel will be much more difficult to break into. If you are not sure whether your new password is strong enough, use a dedicated tool such as the website https://howsecureismypassword.net; the name is self-explanatory. And don’t keep your password written down anywhere, such as on a post-it note stuck to your screen! A fleeting glance from a passer-by is enough to ruin your store.
Though you can’t get inside your customers’ heads and make them create a stronger password, you can do your best to recommend how to do so. One way or another they will contribute to their own security and won’t easily hand their personal information to hackers.