How to Manage Password in Magento?

Posted by Envision Ecommerce, June 2, 2017

Password management is one of the important components of your Magento store. But most Magento store owners are unaware of how much control they can exercise over admin access passwords from within Magento. That is why, in this post, we share the settings that help you manage passwords in your Magento store.

Magento 1 and Magento 2

The latest versions of both Magento 1.x and Magento 2.x let you manage a variety of admin password settings.

How to Manage Admin Password Settings in Magento 1?

Go to System > Configuration > Admin and expand the Security section:

From this area you can set whether the login is Case Sensitive. This setting helps strengthen your store's login security: if you set it to “Yes”, the password “ApPle34exiT!” will not work when entered as “apple34exit!”.

It also lets you add a Secret Key to URLs, which prevents cross-site request forgery (CSRF) without slowing down the store. By default, this is set to “Yes”, and it is highly recommended that you leave it set to “Yes”.

There are two more settings, for enabling and disabling frames, which control whether your Magento backend or frontend may run inside a frame. These options help prevent “clickjacking”, a malicious practice of concealing hyperlinks beneath legitimate clickable content so that users perform actions they are unaware of.

By default, this is enabled. The same section also lets you enable or disable Admin Routing Compatibility Mode for extensions.
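The two server-side checks behind the Secret Key and frame settings described above, as an added illustration (this is not Magento's code; the parameter name `key`, the per-session random token and the mapping of the frame setting to an `X-Frame-Options` value are assumptions made for the example):

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class AdminSession:
    """Assumed stand-in for an admin session: one random secret per session."""

    def __init__(self):
        self.url_key = secrets.token_hex(16)


def build_admin_url(session, path, params=None):
    """Append the session's secret key to an admin URL (assumed parameter name 'key')."""
    query = dict(params or {})
    query["key"] = session.url_key
    return f"{path}?{urlencode(query)}"


def is_request_authorised(session, url):
    """Accept only admin URLs carrying the key of the session that issued them.

    A link forged on another site cannot know the per-session key, so a CSRF
    request arrives without it (or with the wrong one) and is refused.
    """
    supplied = parse_qs(urlsplit(url).query).get("key", [""])[0]
    return hmac.compare_digest(supplied.encode(), session.url_key.encode())


def frame_headers(allow_in_frame):
    """Assumed mapping of the 'allow to run in frame' setting to a response header.

    When framing is not allowed the browser is told to refuse it outright, which
    is what defeats clickjacking; when it is allowed we still restrict framing to
    pages of the same origin rather than omitting the header entirely.
    """
    return {"X-Frame-Options": "SAMEORIGIN" if allow_in_frame else "DENY"}


if __name__ == "__main__":
    session = AdminSession()
    good = build_admin_url(session, "/admin/customer/edit", {"id": "42"})
    print(good, is_request_authorised(session, good))
    print(is_request_authorised(session, "/admin/customer/edit?id=42"))
    print(frame_headers(False))
```

The comparison uses `hmac.compare_digest` so that a wrong key is rejected in constant time; a plain `==` would leak, through timing, how many leading characters of the key matched.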

Note: Magento 1.x Enterprise Edition offers additional password settings that are not available in Magento 1.x Community Edition; the Enterprise Edition options are shown below.

[Enterprise Edition password settings screenshot]

How to Manage Admin Password Settings in Magento 2?

Go to Stores > Configuration > Admin and expand the Security section:

[Magento 2 admin password settings screenshot]

Like Magento 1.x, Magento 2.x offers the same options along with several new features; settings that were only included in Magento 1.x Enterprise Edition are now included in the Magento 2.x Community version.

The first addition in Magento 2.x is the Admin Account Sharing option. If you set it to “Yes”, the same admin account can be logged in from multiple systems at once. The default of “No” enhances security.

How to Manage Password Reset Requests?

You can manage password reset requests by using any of the following four options:

1) By IP and Email – With this option, passwords can be reset online after responding to a reset notification sent to the email address associated with the Admin account.

2) By IP – With this option, passwords can be reset online without additional confirmation.

3) By Email – With this option, passwords can be reset only by responding to an email notification sent to the email address associated with the Admin account.

4) None – With this option, passwords can be reset only by the store administrator.

Other options include the ability to specify the Recovery Link Expiration Period (in hours), the Maximum Number of Password Reset Requests, the Minimum Time Between Password Reset Requests, the Maximum Login Failures to Lockout Account, the Lockout Time, and the Password Lifetime (in days).
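How the four reset-protection modes combine with the request limits just listed, as an added example written for this post rather than taken from Magento. It assumes that “By IP” modes throttle on the requesting address, “By Email” modes throttle on the account address, “By IP and Email” throttles on both, and that the request count is measured over the recovery link's expiration window; the numeric limits are constructed values, not Magento defaults.

```python
from dataclasses import dataclass, field
from enum import Enum


class ResetProtection(Enum):
    BY_IP_AND_EMAIL = "ip_and_email"
    BY_IP = "ip"
    BY_EMAIL = "email"
    NONE = "none"


@dataclass
class ResetThrottle:
    protection: ResetProtection
    max_requests: int = 5            # constructed limit per throttling key
    min_seconds_between: int = 60    # constructed minimum gap between requests
    link_ttl_hours: int = 1          # recovery link expiration period
    _history: dict = field(default_factory=dict)  # key -> request timestamps

    def _keys(self, ip, email):
        """Throttling keys that apply under the configured protection mode (assumed)."""
        if self.protection is ResetProtection.BY_IP_AND_EMAIL:
            return [("ip", ip), ("email", email)]
        if self.protection is ResetProtection.BY_IP:
            return [("ip", ip)]
        if self.protection is ResetProtection.BY_EMAIL:
            return [("email", email)]
        return []

    def needs_email_confirmation(self):
        """Modes that name Email require the user to respond to the notification."""
        return self.protection in (ResetProtection.BY_IP_AND_EMAIL, ResetProtection.BY_EMAIL)

    def link_valid(self, issued_at, now):
        return now - issued_at <= self.link_ttl_hours * 3600

    def request(self, ip, email, now):
        """Decide whether a self-service reset request is accepted; returns (allowed, reason)."""
        if self.protection is ResetProtection.NONE:
            return False, "self-service reset disabled; an administrator must reset the password"
        window = self.link_ttl_hours * 3600
        for key in self._keys(ip, email):
            # Only requests inside the link expiration window count toward the limit.
            stamps = [s for s in self._history.get(key, []) if now - s < window]
            self._history[key] = stamps
            if stamps and now - stamps[-1] < self.min_seconds_between:
                return False, f"too soon since last request for {key[0]}"
            if len(stamps) >= self.max_requests:
                return False, f"too many requests for {key[0]}"
        for key in self._keys(ip, email):
            self._history[key].append(now)
        return True, "ok"


if __name__ == "__main__":
    throttle = ResetThrottle(ResetProtection.BY_IP_AND_EMAIL, max_requests=2)
    for t in (0, 10, 100, 200):   # constructed request times in seconds
        print(t, throttle.request("203.0.113.5", "admin@example.test", t))
```

The per-address limit is what stops a flood of reset emails against one account, while the per-IP limit stops one client from exhausting the limit for many accounts; the “None” mode removes the self-service path entirely, so every reset goes through an administrator.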

Passwords and Payment Card Industry (PCI) Compliance

It is important to consider Payment Card Industry requirements while configuring your system's password management settings. Password requirements are stated in Requirement 8 of the PCI DSS standard:

  • Passwords should be a minimum of seven characters and contain both alphabetic and numeric characters
  • Passwords should be changed every 90 days
  • When a password is changed, it must not be the same as any of the four previous passwords
  • First-time passwords for new users, and reset passwords for existing users, should be set to a unique value for each user and changed after first use
  • User accounts should be temporarily locked out after six invalid access attempts
  • Once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account
  • System/session idle timeout should be set to 15 minutes or less

Source: http://pcipolicyportal.com/blog/pci-compliance-password-requirements-best-practices-know/
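The PCI DSS rules listed above, together with the lockout, password lifetime and case-sensitive login settings from earlier in the post, expressed as one account-handling routine. This is an added example, not Magento's implementation: the policy constants are the values from the list, password storage uses PBKDF2-HMAC-SHA256 with a per-password salt (an assumption; Magento's own hashing is not shown here), and the account record and function names are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy values taken from the PCI DSS Requirement 8 list above.
MIN_LENGTH = 7
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 4
LOCKOUT_FAILURES = 6
LOCKOUT_MINUTES = 30
IDLE_TIMEOUT_MINUTES = 15


def hash_password(password, salt=None):
    """Salted PBKDF2 (assumed scheme); returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password_policy(candidate, previous_hashes):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate) or not any(c.isdigit() for c in candidate):
        problems.append("needs both letters and digits")
    for salt, digest in previous_hashes[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


@dataclass
class AdminAccount:
    salt: bytes
    digest: bytes
    changed_at: float                 # unix seconds of the last password change
    history: list = field(default_factory=list)
    failures: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0
    must_change: bool = True          # first-time and reset passwords change on first use


def new_account(initial_password, now):
    salt, digest = hash_password(initial_password)
    return AdminAccount(salt, digest, now)


def password_expired(account, now):
    return now - account.changed_at > MAX_AGE_DAYS * 86400


def login(account, password, now):
    """Case-sensitive check with lockout after repeated failures; returns a status string."""
    if now < account.locked_until:
        return "locked"
    if hmac.compare_digest(hash_password(password, account.salt)[1], account.digest):
        account.failures = 0
        account.last_activity = now
        if account.must_change or password_expired(account, now):
            return "change_required"
        return "ok"
    account.failures += 1
    if account.failures >= LOCKOUT_FAILURES:
        account.locked_until = now + LOCKOUT_MINUTES * 60
        account.failures = 0
        return "locked"
    return "denied"


def session_active(account, now):
    return now - account.last_activity <= IDLE_TIMEOUT_MINUTES * 60


def change_password(account, new_password, now):
    """Apply the policy (including the current password) before storing the new one."""
    problems = check_password_policy(new_password, account.history + [(account.salt, account.digest)])
    if problems:
        return problems
    account.history.append((account.salt, account.digest))
    account.salt, account.digest = hash_password(new_password)
    account.changed_at = now
    account.must_change = False
    return []


if __name__ == "__main__":
    acct = new_account("Temp0rary1", 0)                  # constructed first-time password
    print(login(acct, "Temp0rary1", 1))                  # change_required
    print(change_password(acct, "ApPle34exiT!", 2))      # []
    print(login(acct, "apple34exit!", 3))                # denied (case-sensitive)
```

An administrator reset clears the lock by setting `locked_until` back to zero and `must_change` to true, which mirrors the rule that a reset password is changed on first use.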

Summary

Magento gives you a good deal of flexibility in managing access to your store so that it stays safe and less susceptible to compromise. So start making use of Magento's password management features today to protect your Magento store.

If you find this “How to” difficult or need more clarity, or would like to add some suggestions to this solution, drop a comment below or send a query to [email protected]. Our certified Magento team will give you a positive solution to all your Magento related queries with positive ROI!