
v6 passwords for existing customers



Without changing any code, instruct the customer (if feasible, or use the language editor to change the phrase) to use the "Forgot Password" feature.

 

That will give the customer a path to changing the password to accommodate this restriction (which I was not aware of).


Hi Al

I completely disagree! We should be trying to encourage users to use strong unique passwords on all sites they access by using simple and FREE tools like LastPass and by enforcing 2 Factor Authentication. Even 6 characters is trivial for password cracking software to find (probably a few seconds or less). In this case, a better message for returning customers would help and six characters is better than none but removing it is a big backward step

Ian


Not good if an existing customer can't log in with their original password. Very frustrating from their point of view. I'm looking to upgrade a V3 store and this would put me off. We have too many customers in our database to be having to deal with this. Surely there is a way to allow existing customers to log in without having to reset their password? New customers can be encouraged to use a stronger password.


This is one of those "can't win either way" ones. It only takes a minute to request a new password. It would be interesting to know how many customers have a password of less than 6 chars.

 

Security vs Convenience


So would a compromise be to remove the enforcement and add a message saying that your password is weak and we strongly suggest changing it after login?


Not good if an existing customer can't log in with their original password. Very frustrating from their point of view. I'm looking to upgrade a V3 store and this would put me off. We have too many customers in our database to be having to deal with this. Surely there is a way to allow existing customers to log in without having to reset their password? New customers can be encouraged to use a stronger password.

 

 

I think you missed the point. They can of course login with their existing password if it's 6 characters or more. Most websites enforce this as a minimal limit. Most customers use the same passwords on many sites. I think we are guilty of this. For this reason this should only affect a small percentage.


One thing to take into account here is that *if* your store required PCI accreditation this kind of security feature is required to pass acceptance! 


I think the best solution is to redirect them to the password reset page to update their password if it is weak after login.


Don't think I missed the point. If someone has a short password they should still be able to access their account in my opinion. Allowing them to log in and then deal with it in the way you suggest by directing them to the password reset page after they have logged in would be a better experience for the customer provided it is made clear why they are being asked to update their password.


Don't think I missed the point. If someone has a short password they should still be able to access their account in my opinion. Allowing them to log in and then deal with it in the way you suggest by directing them to the password reset page after they have logged in would be a better experience for the customer provided it is made clear why they are being asked to update their password.

Sorry your response sounded like every login. 

 

So what's the solution?

 

1. Allow login and recommend password update? (low security)

2. Allow login and FORCE password update? (mid security)

3. Force password reset prior to login? (most security)

4. Just allow login as before. (least security)

 

.. and no I don't think there should be a setting for this. :P


2. Allow login and FORCE password update provided it is made clear why they are being asked to update their password.

 

Leaving it to the customer to request a new password can be an issue because it is sometimes confusing, especially for foreign-speaking customers, and sometimes they don't receive the new password email.

 

I appreciate the percentage using a short password may be small but when there are a lot of registered customers there may be quite a few.

 

Just my opinion but I'm trying to look at it from the customer's point of view.


Hi

The point about PCI compliance is very valid and one that more people should be concerned about although in our experience a very large majority of CubeCart customers still don't undertake any PCI compliance.

Option 2 is an OK solution as long as they are forced to change the password to a longer (minimum of 8 characters should really be enforced) more secure (upper case, lower case, numerals and special characters and maybe include a password strength meter) one immediately after logging in and they are unable to do anything else until that step is completed.

Ian


I think that Option 2 is better than expecting the Forgot Password process. After all, they have an ORDER sitting in the basket at this point. We need to make this as easy as possible, or that ORDER will be LOST.

 

Is there any way to tell from cpanel how many customers this actually applies to?
