Password Policy
The password policy configuration page gives you full control over password and account policies. AbleCommerce uses two types of password policies, one for the merchant and the other for the customer. Each policy can be modified independently.
You can use the built-in controls to change the minimum password length, number of login failures before account lockout, and much more.
Before making changes, you should follow the recommendations in the PCI Implementation Guide to ensure that AbleCommerce is configured as securely as possible, in a PCI-compliant manner.
For more information, please go to PCI Certification and Implementation Questions in the community forums. There, you will find a current link to the PCI guide, and a place to discuss any questions you might have about securing your online store.
Change the Merchant Password Policy
Requirements for merchant/administrator accounts and passwords.
- From the top menu, go to the Configure > Security > Password Policy page.
- In the left pane, you will see the Merchant Policy section as shown.
- Enter the minimum length required for a password in the Minimum Password Length field.
- Check or uncheck the box for each of the Required Password Elements you will require for new passwords. Use at least one of Uppercase, Lowercase, Numbers, Symbols, and Non-letter. When a user creates a new password, they will be required to use at least one character from each of the element groups checked. The more elements you check, the stronger the password must be. For an administrative role, we recommend requiring strong passwords.
- The Maximum Password Age is how long (in days) a password can be used. When this time expires, the user must create a new password.
- The Password History determines how long old passwords are retained, expressed as a minimum number of days or a minimum number of passwords. Passwords cannot be reused while they remain in the password history.
- The number of times a login can be attempted before the account is locked out can be changed in the Maximum Login Failures field.
- The Lockout Period is the number of minutes an account will remain locked after the maximum number of failed login attempts is reached.
- The Inactivity Period is the number of months a merchant or administrator account can go unused before it is deactivated.
- Enable or disable the CAPTCHA system by checking the Use Captcha box. We recommend that Captcha is always enabled for the merchant policy.
- Click the SAVE CHANGES button when finished.
Change the Customer Password Policy
Requirements for customer accounts and passwords.
- From the top menu, go to the Configure > Security > Password Policy page.
- In the right pane, you will see the Customer Policy section as shown.
- Enter the minimum length required for a password in the Minimum Password Length field.
- Check or uncheck the box for each of the Required Password Elements you will require for new passwords. Use at least one of Uppercase, Lowercase, Numbers, Symbols, and Non-letter. When a user creates a new password, they will be required to use at least one character from each of the element groups checked. The more elements you check, the stronger the password must be. For a customer role, we don't recommend making the password requirements onerous.
- The Maximum Password Age is how long (in days) a password can be used. When this time expires, the user must create a new password. A customer would not typically be required to change their password, so the default value is blank, meaning no requirement.
- The Password History determines how long old passwords are retained, expressed as a minimum number of days or a minimum number of passwords. Passwords cannot be reused while they remain in the password history. A customer would not typically be required to change their password, so the default value is blank, meaning no requirement.
- The number of times a login can be attempted before the account is locked out can be changed in the Maximum Login Failures field.
- The Lockout Period is the number of minutes an account will remain locked after the maximum number of failed login attempts is reached.
- Enable or disable the CAPTCHA system by checking the Use Captcha box. By default, this is not enabled for customers.
- Click the SAVE CHANGES button when finished.
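The merchant and customer policies above are built from the same controls. The following Python sketch is added here as an illustration and is not AbleCommerce code; it shows how each control becomes a concrete check: Minimum Password Length, the Required Password Elements groups, Password History (by number of passwords), Maximum Password Age, and Maximum Login Failures together with the Lockout Period. The policy values, the Account record and the salted SHA-256 used for the stored-hash comparison are all constructed for this example (AbleCommerce itself stores SHA1 hashes, as the Password Compliance section notes); the Inactivity Period and CAPTCHA settings are not modelled.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# The Required Password Elements as the policy page names them. "Non-letter"
# is satisfied by any character that is not a letter, so digits and symbols both count.
ELEMENT_GROUPS = {
    "Uppercase": str.isupper,
    "Lowercase": str.islower,
    "Numbers": str.isdigit,
    "Symbols": lambda c: c in string.punctuation,
    "Non-letter": lambda c: not c.isalpha(),
}


@dataclass
class PasswordPolicy:
    min_length: int
    required_elements: frozenset      # subset of ELEMENT_GROUPS keys
    max_age_days: Optional[int]       # None: no expiry (blank on the policy page)
    history_count: int                # previous passwords that may not be reused
    max_login_failures: int
    lockout_minutes: int


# Hypothetical values chosen for this example, not AbleCommerce defaults.
MERCHANT_POLICY = PasswordPolicy(12, frozenset({"Uppercase", "Lowercase", "Numbers", "Symbols"}), 90, 4, 5, 30)
CUSTOMER_POLICY = PasswordPolicy(8, frozenset({"Lowercase", "Non-letter"}), None, 0, 10, 15)


def _digest(password: str, salt: bytes) -> bytes:
    # Salted SHA-256 for the stored-hash comparison in this example (a constructed
    # choice; the product described on the page stores SHA1, which is not copied here).
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


@dataclass
class Account:
    policy: PasswordPolicy
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)  # oldest first, current password last
    password_set_at: Optional[datetime] = None
    failures: int = 0
    locked_until: Optional[datetime] = None


def check_new_password(account: Account, candidate: str) -> List[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    policy, problems = account.policy, []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    for group in sorted(policy.required_elements):
        if not any(ELEMENT_GROUPS[group](c) for c in candidate):
            problems.append(f"missing a {group} character")
    # Password History: compare against the last N stored hashes, never plaintext.
    recent = account.history[-policy.history_count:] if policy.history_count else []
    digest = _digest(candidate, account.salt)
    if any(hmac.compare_digest(digest, old) for old in recent):
        problems.append(f"reuses one of the last {policy.history_count} passwords")
    return problems


def set_password(account: Account, candidate: str, now: datetime) -> bool:
    if check_new_password(account, candidate):
        return False
    account.history.append(_digest(candidate, account.salt))
    account.password_set_at = now
    return True


def password_expired(account: Account, now: datetime) -> bool:
    """Maximum Password Age: True once the current password is older than the limit."""
    if account.policy.max_age_days is None or account.password_set_at is None:
        return False
    return now - account.password_set_at > timedelta(days=account.policy.max_age_days)


def attempt_login(account: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'failed' or 'ok', enforcing Maximum Login Failures and Lockout Period."""
    if account.locked_until is not None and now < account.locked_until:
        return "locked"
    current = account.history[-1] if account.history else None
    if current is None or not hmac.compare_digest(_digest(password, account.salt), current):
        account.failures += 1
        if account.failures >= account.policy.max_login_failures:
            account.locked_until = now + timedelta(minutes=account.policy.lockout_minutes)
            account.failures = 0
        return "failed"
    account.failures = 0
    return "ok"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)
    admin = Account(policy=MERCHANT_POLICY)
    print(check_new_password(admin, "alllowercaseletters"))
    print(set_password(admin, "Correct-Horse-99", now))
    print([attempt_login(admin, "wrong", now) for _ in range(5)], attempt_login(admin, "Correct-Horse-99", now))
```

The customer policy leaves max_age_days as None to mirror the blank Maximum Password Age field, so password_expired never fires for those accounts, while the merchant policy expires passwords and blocks reuse of the last four.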
Password Compliance
In order to achieve PABP compliance, AbleCommerce 7 has introduced some features that you must be aware of regarding user accounts:
- User passwords are stored as a one-way SHA1 hash. Passwords cannot be decrypted or recovered; they can only be reset.
- All accounts, including the admin accounts, can become locked out due to too many failed login attempts or disabled due to inactivity.
Additionally, you are advised to use strong passwords for all other systems and applications, including, but not limited to, your database passwords and your payment gateway merchant accounts. This also applies to accounts that are not regularly used, such as the default "sa" super-user account in your SQL Server database. Default accounts that are not in use should also be disabled whenever possible.
Super Admin User Locked out
When you install AbleCommerce, you create a Super User for the program. There are certain features that only a Super User can access. It can happen that you forget to record the username and password you chose during installation. First, try to reset it using the Lost Password form. If you are still unable to access the installation because the email server is not configured, follow the instructions below.
- Find the file "ResetAdmin.aspx" in the \install\ folder of your AC7 installation. Restore the \install\ folder if needed.
- Open it, and modify two things as noted in the file:
//BY DEFAULT THIS SCRIPT IS DISABLED
//CHANGE THE LINE BELOW FROM FALSE TO TRUE TO USE THIS SCRIPT
bool enabled = false;
//THIS IS THE USER THAT WILL BE CREATED OR RESET
//YOU CAN UPDATE THEM IF YOU WANT TO USE SOMETHING OTHER THAN DEFAULT
string userName = "admin@ablecommerce.com";
string password = "password";
- Enable the script by changing the bool enabled value to true.
- Replace the default string values with your own email address and password.
- Save the file.
- Open a browser and access the page, e.g. http://www.mystore.com/install/ResetAdmin.aspx
- Reset your password.