This series is focused on developing the best possible security for an ecommerce server. We seek to go beyond industry standards such as PCI compliance. Perhaps needless to say, PCI-DSS parameters are extremely stringent and thorough because the credit card companies (Visa, MasterCard, etc.) have developed them. However, the density of these rules disallows a simple, step-by-step action plan. We are looking at basic steps we can take to strengthen security.
Servers must be secure, sure: we all know that. Another form of security must be remembered at all times though: security of the self. When we feel that the centers of our souls are disintegrating into tiny little wisps of nothingness, when we fear that the integrity of our entire lives and structural makeups is separating from us and forming new relationships with outside entities (gradually removing us from Earth), we must take action. Below, we will finalize our comments on that subject as well.
Up to this point we have discussed the following subjects: choice of hosting service, development of a security plan, SSL certificates, website backups, vulnerability scan software, monitoring and updates, selection of payment gateway, and the general issue of balance. Today, we will focus specifically on passwords.
Improve Your E-commerce Security – passwords
Primarily I want to discuss how to choose a strong password. Using this information, you can make sure that you choose them wisely for both business and personal use. Additionally, you can develop a password policy that will help to increase security across the board with all of your users (remembering the issue of balance discussed previously).
Before we talk about what kinds of passwords to choose, though, we should mention dynamism. In his article for IT Security Column, Preet Sandhu notes that regularly revising your passwords is essential. Note that ideally you want your customers to modify their passwords on a regular basis as well. Also, give your customers recommendations on how to choose the strongest passwords possible.
Recommendations are important not just for assisting customers but for assisting yourself. If you feel unsure of anything you’re doing, make sure you have written down what you should do at that point. A self-recommendation notebook is extremely helpful for any situation. Here’s an example: You’re at a party, a person walks up to you whom you find incredibly attractive, and insecurity envelops you in a shroud of horror. Simply open your book. It should recommend, under the Parties > Pretty Person section, “Say, ‘I just inherited a yacht.’” Spit it out. It’s that simple.
Larry Ullman, in a piece for Peachpit, provides a basic list of parameters to develop strong passwords. Here are his seven basic requirements (which are echoed many other places online):
- Letters should be both uppercase and lowercase.
- Include numbers.
- Include symbols.
- Make it as long as you can.
- Try not to use words.
- Don’t use your personal identity (relative name, street name, etc.).
- Password shouldn’t be in hard copy anywhere.
Larry does mention that the final item becomes difficult to follow in the context of all the previous rules. If a password is strongly randomized, it will be difficult to crack by an intruder; but it will also be difficult to remember without writing it down. Again, do your best to strike a balance.
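As an added illustration (not code from this article or from Larry Ullman's piece), here is a small Python check that enforces the six testable rules from that list at signup time; the word list, the sample customer details and the 12-character minimum are constructed assumptions, and the seventh rule (no hard copy) cannot be checked by software.

```python
import string

# Constructed sample data: a tiny dictionary of words to reject and the kind of
# personal details (name, street, birth year) the article says to keep out.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "admin", "shop"}
PERSONAL_INFO = {"jane", "doe", "elmstreet", "1985"}  # hypothetical customer record

# Undo the usual substitutions (@->a, $->s, 0->o, 1->l, 3->e) so "P@ssw0rd"
# still counts as containing the word "password".
_LEET = str.maketrans("@$013", "asole")


def check_password(pw, min_len=12, words=COMMON_WORDS, personal=PERSONAL_INFO):
    """Return the list of rules `pw` violates; an empty list means it passes."""
    failures = []
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("mixed case")          # rule 1: upper and lower case
    if not any(c.isdigit() for c in pw):
        failures.append("numbers")             # rule 2: include numbers
    if not any(c in string.punctuation for c in pw):
        failures.append("symbols")             # rule 3: include symbols
    if len(pw) < min_len:                      # rule 4: as long as you can
        failures.append("length")
    lowered = pw.lower()
    normalized = lowered.translate(_LEET)
    if any(w in lowered or w in normalized for w in words):
        failures.append("dictionary word")     # rule 5: try not to use words
    if any(p in lowered or p in normalized for p in personal):
        failures.append("personal info")       # rule 6: no personal identity
    return failures


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "janedoe1985xyz", "P@ssword2024!", "xQ7#mL2$vR9!kWp"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The check reports every failed rule at once so a signup form can show the customer the full list rather than one complaint per attempt.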
Striking a balance is crucial when finding a sense of security with oneself and one’s surroundings as well. Learning to love oneself is all about compromise. Never tell yourself you look fat in those jeans. Instead, say to yourself, “Do I look fat in these jeans?” Then answer, “Well… Yes and no.” By the way, that’s the same way you should reply when anyone asks you that question.
Why Passwords are Important – Especially for Ecommerce
Of course you want to go for compromise, but we also want to remember why we want our passwords to be as strong as we can possibly make them. Let’s look at that reasoning. Larry Ullman lists three aspects of hosted websites that make their passwords more significant than passwords you put into your home computer:
- Websites are accessible to everyone throughout the world who can get online. Your PC, on the other hand, may not be directly reachable from the internet (especially if you are using a VPN).
- The user names you choose can potentially be difficult for a person to figure out on your PC. That’s not the case on a server for default accounts, such as administrator, root, nobody, or mysql. (Note that you can create decoy accounts to draw attackers away from those real accounts, though.)
- An ecommerce site stores customer information, so a hacker can grab huge amounts of data – that of thousands of individuals – at one time.
Don’t ever let anyone grab your data, unless they pay for it and treat you right. The best way to show yourself you love yourself is by being the only one who regularly grabs your data. For data access, develop a secret handshake, and don’t let anyone know what it is. If you are the only one who knows your secret handshake, you’ll be the only one who will ever get into your data-pants to explore your intimate credentials.
As a final run-through, make sure that you have strong password policies. First, change your password on a regular basis. Second, follow the basic seven rules for creating strong passwords. Third, when striking a balance with passwords, remember how important they are to your server’s security.
That’s it for this series on ecommerce server security. As I previously mentioned, we recommend VPS or dedicated hosting for the utmost security. If your budget requires a shared hosting option, follow the guidelines we discussed above to keep your security as strong as possible.
By Kent Roberts