Shopify's password policies are weak on the customer-facing front of its website, says a report. According to recent research published by Specops, Shopify requires only that passwords be at least five characters long and have no space at the beginning or the end.
Specops researchers analysed one billion breached passwords and concluded that 99.7 percent of them meet Shopify's requirements. Examples of breached passwords that satisfy these rules include lunabelle, luckygurl, loveok, lovehate16 and login666.
Shopify in Password
Shopify also doesn't prohibit the word 'Shopify' in passwords; the researchers found 18 breached passwords containing it, such as shshopify, myshopify, shopify123, shopifyseoexpert and shopify. Though Shopify offers two-factor authentication (2FA), it is not required when creating an account on the platform. The findings also indicate that the e-commerce giant doesn't perform a compromised password check.
The research does not suggest that Shopify customers' passwords have been breached. It does show that many already-breached passwords satisfy Shopify's minimum requirements, so the risk posed by weak passwords is considerable.
Danger Of Weak Passwords
Hive Systems' recent study underscores the risk of weak passwords. According to Hive Systems' infographic, a five-character password can be cracked instantly regardless of its complexity. Because short passwords fall to brute force, organisations should insist on complex passwords of at least 12 characters. Even setting aside the security threat of short passwords, there is a potentially bigger problem: regulatory compliance.
Small and independent merchants on Shopify may be unaware of the regulatory requirements that come with accepting card payments. The payment card industry requires businesses that accept credit card payments to comply strictly with the official PCI Security Standards.
Ignoring PCI requirements
One advantage of using Shopify is that merchants do not need to run their own payment gateways; the platform processes transactions on their behalf. Outsourcing payment processing this way shields online store owners from several PCI requirements. For example, PCI standards require merchants to protect stored cardholder data, but a retailer that outsources payment processing never holds its customers' card data, so that requirement does not apply to it.
The PCI requirement to identify and authenticate access to system components is more problematic. Though PCI DSS does not mandate a specific password length, the PCI DSS Quick Reference Guide states: “Every user should have a strong password for authentication.” Following that guidance, an e-commerce retailer would find it hard to justify a five-character password.
What Can IT Departments Do?
Passwords are vulnerable because people choose easy, guessable passwords or ones that have already leaked. Reusing a password across professional and personal platforms is another way it ends up on breached lists. Though not every work-related service is under IT's control, the department can work to reduce the overall password burden, for example with a single sign-on solution or an enterprise password manager. IT should block the use of known compromised passwords and encourage employees to use 2FA. Password expiration can also be used to limit password reuse.
Improving password security matters even more when customer data is stored or processed on the network. Sixty percent of small companies shut down within six months of being hacked, according to thehackernews.com, citing a 2019 study. Protecting passwords is therefore an important part of preventing security incidents.
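The policy gap described earlier (five-character minimum, no ban on the product name, no compromised-password check) and the recommendations in this section, as an added Python example that is not from the Specops report or from Shopify: it encodes a Shopify-like rule set beside a hardened one and measures how much of a breached list each would accept, the kind of figure Specops reported. The 12-character floor and the banned word are assumptions taken from the article's recommendations, and the breached list is a small constructed sample, not Specops' data.

```python
# Constructed sample of a breached-password list (not the Specops data set);
# the entries are the examples quoted in the article plus two common picks.
BREACHED_PASSWORDS = frozenset({
    "lunabelle", "luckygurl", "loveok", "lovehate16", "login666",
    "myshopify", "shopify123", "password", "123456",
})

# Rule set as the article describes Shopify's customer-facing policy.
SHOPIFY_LIKE_POLICY = {
    "min_length": 5,
    "forbid_edge_spaces": True,
    "banned_substrings": (),
    "check_breached": False,
}

# Hardened rule set following the article's recommendations (assumption:
# 12-character floor, product name banned, known-compromised passwords rejected).
HARDENED_POLICY = {
    "min_length": 12,
    "forbid_edge_spaces": True,
    "banned_substrings": ("shopify",),
    "check_breached": True,
}


def check_password(password: str, policy: dict) -> list[str]:
    """Return the policy violations for a password; an empty list means it is accepted."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["forbid_edge_spaces"] and password != password.strip(" "):
        problems.append("leading or trailing space")
    lowered = password.lower()
    for word in policy["banned_substrings"]:
        if word in lowered:
            problems.append(f"contains banned word '{word}'")
    if policy["check_breached"] and password in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    return problems


def acceptance_rate(passwords, policy: dict) -> float:
    """Share of the given passwords that the policy would let through."""
    accepted = sum(1 for p in passwords if not check_password(p, policy))
    return accepted / len(passwords)


if __name__ == "__main__":
    for name, policy in (("shopify-like", SHOPIFY_LIKE_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: accepts {acceptance_rate(BREACHED_PASSWORDS, policy):.0%} of breached sample")
```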