Password Requirements


PCI Compliance and Practices

The password policy configuration page gives you total control over password and account policies.  AbleCommerce uses two types of password policies, one for the merchant and the other for the customer.  Each policy can be modified accordingly.  

You can use the built-in controls to change the minimum password length, number of login failures before account lockout, and much more.

Before making changes, you should follow the recommendations in the PCI Implementation Guide to ensure that AbleCommerce is configured as securely as possible, in a PCI compliant manner. To comply with the latest standards, merchants shall enable the multi-factor authentication feature.

For more information, please go to PCI Certification and Implementation Questions in the community forums.  There, you will find a link to the PCI guide, and a place to discuss any questions you might have about securing your online store.

Change the Merchant Password Policy

The default settings, after a new installation, meet the requirements for PCI compliance. By reducing the security of these settings, the application will not meet the minimum standards set by the payment card industry.

  1. From the menu, go to the Configure > Security > Passwords page.

  2. Find the Merchant Policy section as shown in the example below.

  3. Enter the minimum length required for a password in the Minimum Password Length field. The default value is "7" characters.

  4. Check or uncheck the box for each of the Required Password Elements you will require for new passwords.  Use at least one of Uppercase, Lowercase, Numbers, Symbols, and Non-letter elements.  When a user creates a new password, they will be required to use at least one character for each of the password element groups checked.  The more elements you have checked, the stronger the password must be.  For an administrative role, we recommend using strong passwords.

  5. The Maximum Password Age is how long (in days) your password can be used.  When this time expires, you must create a new password. The default value is "30" days.

  6. The Password History determines how long your old passwords will be stored, either as a minimum number of days (default 10) or a minimum number of passwords (default 4).  Passwords cannot be reused while they remain in the password history.

  7. The number of times that a login can be attempted before the account is locked out can be changed in the Maximum Login Failures field. The default value is 6 times.

  8. The Lockout Period is the number of minutes an account will be locked after the maximum number of failed login attempts is reached. The default value is 30 minutes before retry.

  9. The number of months a merchant or administrator account can go unused before it will be deactivated is the Inactivity Period. The default value is 3 months before an admin account is deactivated. To re-enable the account, you can edit the user record and uncheck the box for disabled.

  10. Click the Save Settings button when finished.

Change the Customer Password Policy

Requirements for customer accounts and passwords are set by the payment card industry.  By reducing the security of these settings, the application will not meet the minimum standards set for PCI compliance.

  1. From the menu, go to the Configure > Security > Passwords page.

  2. Find the Customer Policy section as shown.

  3. Enter the minimum length required for a password in the Minimum Password Length field. The default value is "7" characters.

  4. Check or uncheck the box for each of the Required Password Elements you will require for new passwords.  Use at least one of Uppercase, Lowercase, Numbers, Symbols, and Non-letter elements.  When a user creates a new password, they will be required to use at least one character for each of the password element groups checked.  The more elements you have checked, the stronger the password must be.  For a customer role, we don't recommend making the password requirement too difficult.

  5. The Maximum Password Age is how long (in days) your password can be used.  When this time expires, you must create a new password.  A customer would not typically be required to change their password, so the default value is blank, for no requirement.

  6. The Password History determines how long your old passwords will be stored, either as a minimum number of days or a minimum number of passwords.  Passwords cannot be reused while they remain in the password history. A customer would not typically be required to change their password, so the default value is blank, for no requirement.

  7. The number of times that a login can be attempted before the account is locked out can be changed in the Maximum Login Failures field. The default value is 6 times.

  8. The Lockout Period is the number of minutes an account will be locked after the maximum number of failed login attempts is reached. The default value is 30 minutes before retry.

  9. Click the Save Settings button when finished.
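The two policies above differ only in their defaults, so the checks they impose can be modelled together. This is an added example, not AbleCommerce's own code: it applies the Merchant defaults (length 7, age 30 days, history 10 days or 4 passwords, 6 failures, 30-minute lockout) and the Customer defaults (blank age and history) to a new password and a login-failure counter. Which Required Password Elements boxes are checked is an assumption, and the hash comparison omits the salt a real store would use.

```python
# Added example (not AbleCommerce code): the Merchant and Customer password
# policies described above, with their documented default values.
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    min_length: int = 7
    required_elements: tuple = ("Uppercase", "Lowercase", "Numbers")  # assumed selection
    max_age_days: Optional[int] = 30    # None = field left blank, never expires
    history_days: Optional[int] = 10    # old hashes kept this many days ...
    history_count: Optional[int] = 4    # ... or this many entries, whichever keeps more
    max_login_failures: int = 6
    lockout_minutes: int = 30

MERCHANT = Policy()
CUSTOMER = Policy(max_age_days=None, history_days=None, history_count=None)

# One per-character predicate for each Required Password Elements checkbox.
ELEMENTS = {
    "Uppercase": str.isupper, "Lowercase": str.islower, "Numbers": str.isdigit,
    "Symbols": lambda c: not c.isalnum() and not c.isspace(),
    "Non-letter": lambda c: not c.isalpha(),
}
def sha2(pw: str) -> str:
    # The page states passwords are stored as one-way SHA2 hashes (salt omitted here).
    return hashlib.sha256(pw.encode()).hexdigest()

def check_new_password(pw, policy, history):
    """history: list of (sha2 hash, age in days), oldest first. Returns violations."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"needs at least {policy.min_length} characters")
    for name in policy.required_elements:
        if not any(ELEMENTS[name](c) for c in pw):
            problems.append(f"missing {name} element")
    # A hash is retained while it is among the last N passwords or newer than D days.
    retained = {h for h, _ in history[-policy.history_count:]} if policy.history_count else set()
    if policy.history_days:
        retained.update(h for h, age in history if age <= policy.history_days)
    if sha2(pw) in retained:
        problems.append("still in password history, cannot be reused")
    return problems

def password_expired(age_days, policy):
    return policy.max_age_days is not None and age_days > policy.max_age_days

def record_failure(failures, policy):
    """Count one failed login; returns (failures, lockout minutes or 0)."""
    failures += 1
    if failures >= policy.max_login_failures:
        return 0, policy.lockout_minutes
    return failures, 0
```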

Password Compliance

In order to achieve PCI compliance, AbleCommerce has features that you must be aware of regarding user accounts:

  • User passwords are stored as a one-way SHA2 hash. Passwords cannot be decrypted or recovered; they can only be reset.

  • All accounts, including the admin accounts, can become locked out due to too many login attempts or disabled due to inactivity.  

Additionally, you are advised to use strong passwords for all other systems and applications, including, but not limited to, your database passwords and your payment gateway merchant accounts. This also applies to accounts that are not regularly used, such as the default "sa" super-user account within your SQL Server database. Default accounts that are not in use should also be disabled whenever possible.

If you have forgotten your password, use the Forgot Password link from the login page. An email will be sent with instructions on how to reset a password.

User Authentication Settings

As a secondary measure to ensure a user is verified for access, a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) feature can be implemented for customer and merchant accounts.

  1. From the menu, go to the Configure > Security > Passwords page.

  2. You will see the User Authentication Settings section as shown.

  3. To enable CAPTCHA for all non-administrative users on the login form, check the box Enable CAPTCHA for customers. By default, this is not turned on for customers, but it is recommended to ensure that the login is being performed by a human.

    NOTE: When this option is enabled, the CAPTCHA will appear on the retail /Login page, Contact Form, Product Review and Edit forms (if enabled), and the Edit Billing Address form if the user is not already signed in.

  4. The secure CAPTCHA system should be turned on for administrator accounts. To comply with PCI requirements, make sure the box Enable CAPTCHA for administrators is checked.  By default, this is not enabled for administrators.

    NOTE: When this option is enabled, the CAPTCHA will appear on the /admin/Login page only.

  5. To enable the multi-factor authentication (MFA) service, you will need to have each administrative user install the Google Authenticator app on his or her smart phone or mobile device. The app is available from play.google.com and it will be required to comply with PCI requirements if you accept credit cards through the storefront.

    1. Make certain the email system is enabled and functioning before continuing.

    2. Each admin user must download and install the Google 'Authenticator' app to a personal mobile device.

    3. From the User Authentication Settings section (shown above), check the box to Enable multi-factor authentication service.

    4. Once enabled, all admin users must log in through the Merchant Login page. It will not be possible for an administrator to use the customer-facing storefront login form when MFA is active. Go to the admin login page directly to continue.

    5. First time users will see a link "Setup Google Authenticator" from the Merchant Login page. Click this to begin setup.

    6. Enter an email address for a valid admin user account. This shall belong to a single user. Sharing of accounts is prohibited.

    7. Click the Send Email with Code button. This will send an email to the user which contains an embedded barcode image.

    8. The Google Authenticator app offers two ways to input the code: scan the image by pointing the phone at the barcode image, or manually enter the key code, which is also available within the contents of the email message.

    9. The admin user should now see a 6-digit code that is continuously updating within the app. This code will be used in conjunction with the Admin user's login credentials.

    10. Click the Return to Login button to complete the setup. The merchant admin login form will have a field for Authentication Code. To log in successfully, the user must enter the active 6-digit code into the form provided.

  6. Click the SAVE CHANGES button when finished.
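The continuously updating 6-digit code in steps 9 and 10 is a time-based one-time password (RFC 6238 TOTP, SHA-1, 30-second steps), which is what Google Authenticator generates from the key in the email. The following is an added example, not AbleCommerce's code, of how a login form verifies such a code: it tolerates one step of clock drift, compares in constant time, and refuses a code from a step that has already been accepted. The otpauth:// URI format for the barcode is the standard one Google Authenticator scans but is an assumption about what AbleCommerce's email embeds; the key used in the checks is the RFC 6238 test-vector key, not a real one.

```python
# Added example (not AbleCommerce code): verifies the 6-digit codes Google
# Authenticator produces (RFC 6238 TOTP, SHA-1, 30-second steps), as the
# admin login form in step 10 must do server-side.
import base64, hashlib, hmac, struct
from urllib.parse import quote

STEP_SECONDS, DIGITS = 30, 6

def totp_at_step(secret_b32: str, step: int) -> str:
    """HOTP over the time-step counter; the key is the base32 string from the email."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret_b32: str, unix_time: int) -> str:
    return totp_at_step(secret_b32, unix_time // STEP_SECONDS)

def verify_code(secret_b32, submitted, unix_time, last_used_step=-1, window=1):
    """Return the matched time step, or None. Accepts +/-window steps for clock
    drift, compares in constant time, and refuses any step at or before the
    last step already used so a captured code cannot be replayed."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    current = unix_time // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if step > last_used_step and hmac.compare_digest(totp_at_step(secret_b32, step), submitted):
            return step
    return None

def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The otpauth:// URI a barcode image encodes (assumed format: the standard
    one Google Authenticator scans; whether the emailed image uses it is not stated)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")

# RFC 6238 test-vector key ("12345678901234567890" in base32); not a real secret.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()
```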

CAPTCHA Services

CAPTCHA is a type of challenge-response test used in computing to determine whether or not the user is human. There are three CAPTCHA services available:

  • The standard CAPTCHA option will display a 6-digit verification number embedded within an image. The user is required to enter the number from the image into the form field provided. This option requires no additional configuration.

  • Google reCAPTCHA services:

    • Score based (v3) - verifies requests with a score and gives you the ability to take action. For v3, Google returns a score for each request without user friction and provides you more flexibility and control.

    • Challenge (v2) - verifies if an interaction is legitimate with the "I am not a robot" checkbox and invisible reCAPTCHA badge challenges.

NOTE: With a new installation, AbleCommerce provides test keys for Google's reCAPTCHA service. You will need to obtain your own keys by registering or signing in at the following link https://www.google.com/recaptcha/admin#list and obtaining Site and Secret keys.

From the menu, go to the Configure > Security > Passwords page.

Find the CAPTCHA Services section as shown.

Using standard image CAPTCHA

  1. Select the option "Use standard image CAPTCHA" from the CAPTCHA Services section.

  2. Click the SAVE CHANGES button when finished.

  3. This CAPTCHA service does not require any additional configuration. The user will see an image during the login process. The verification number within the image will need to be correctly typed into the field provided.

Google reCAPTCHA Services v2 (challenge) or v3 (score based)

  1. Select either the "Use Google reCAPTCHA service (v2) challenge" option or the v3 (score based) option from the CAPTCHA Services section.

  2. A link to register or sign in to Google is available in the opening text. Reference screenshot above.

  3. Go to https://www.google.com/recaptcha/admin#list and obtain your own Site Key and Secret Key depending on the version you wish to implement. An example screenshot is shown below for reference. Note the selection for reCAPTCHA type. Make sure to select the appropriate version to match the AbleCommerce setting.

  4. After entering your domain name into the form, you can generate the keys.

  5. Enter this information into the fields shown.
    For v2, there are two display options that allow you to change the size or color (Theme) of the CAPTCHA image.

  6. For reCAPTCHA v3, a Score based field with a default value of 0.5 is used. If desired, adjust the score threshold using values between 0 and 1.0, where 1.0 is very likely a good interaction and 0.0 is very likely a bot.

  7. When finished, click the Save Settings button. The screenshot below shows a portion of the login page using Google's reCAPTCHA (v2) service with a set of test keys. Be sure to use your own keys to remove the red warning text.

    If you are using Google reCAPTCHA (v3), the pages with CAPTCHA enabled will display this instead:

    It appears in the lower-left corner of the page.

  8. Make sure that CAPTCHA services are enabled. You can turn this feature on for customers and/or administrators. Please refer back to the User Authentication Settings above.
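The score threshold from step 6 is applied by the server when it checks the token Google returned to the browser: the store posts the token and its Secret Key to Google's siteverify endpoint and decides from the JSON reply. This is an added example, not AbleCommerce's code, showing that decision for both v3 (score against the 0.5 default, plus action and hostname checks) and v2 (pass/fail). The reply objects are constructed samples shaped like Google's documented siteverify response, and the key, token and hostname are placeholders.

```python
# Added example (not AbleCommerce code): server-side handling of Google's
# reCAPTCHA siteverify response, applying the v3 score threshold from step 6
# (default 0.5) and the v2 pass/fail result. Response dicts below are constructed
# samples shaped like the documented siteverify JSON; keys and tokens are placeholders.
import json
from urllib.parse import urlencode

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def siteverify_request(secret_key: str, token: str, remote_ip: str = "") -> tuple:
    """(url, form body) for the POST a real deployment sends; nothing is sent here."""
    fields = {"secret": secret_key, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    return SITEVERIFY_URL, urlencode(fields)

def allow_request(resp_json: str, version: str, expected_hostname: str,
                  expected_action: str = "login", threshold: float = 0.5) -> tuple:
    """Return (allowed, reason). version is "v2" or "v3"; threshold is the Score based field."""
    r = json.loads(resp_json)
    if not r.get("success"):
        return False, "token rejected: " + ",".join(r.get("error-codes", ["unknown"]))
    if r.get("hostname") != expected_hostname:       # token issued for another site
        return False, "token was issued for another hostname"
    if version == "v3":
        if r.get("action") != expected_action:      # token minted on a different form
            return False, "token minted for a different action"
        score = float(r.get("score", 0.0))          # 1.0 = likely human, 0.0 = likely bot
        if score < threshold:
            return False, f"score {score} below threshold {threshold}"
        return True, f"score {score}"
    return True, "challenge passed"                  # v2: success alone decides

# Constructed sample responses exercising each path.
V3_GOOD = json.dumps({"success": True, "score": 0.9, "action": "login",
                      "hostname": "shop.example.com", "challenge_ts": "2024-01-01T00:00:00Z"})
V3_BOT = json.dumps({"success": True, "score": 0.2, "action": "login", "hostname": "shop.example.com"})
V2_GOOD = json.dumps({"success": True, "hostname": "shop.example.com"})
BAD_TOKEN = json.dumps({"success": False, "error-codes": ["timeout-or-duplicate"]})
```

Raising the threshold trades fewer bots for more legitimate users being challenged or refused, which is why the page suggests leaving 0.5 unless you have a reason to change it.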