
Maintaining Secure Passwords: Five Critical E-Commerce Security Tips in Five Days

Many factors go into the security of a Web site, particularly an e-commerce one. While creating a secure Web application in the first place is a key component, there's an easy way to improve the security of a site over time: by maintaining secure passwords. In this post, I'll explain what this means.

Unless a system uses retinal or fingerprint scans, its security is largely, if not entirely, impacted by the passwords in use. Anyone with even a modest amount of computer knowledge has a sense of what a "secure" password is:

  • A combination of uppercase and lowercase letters
  • At least one number
  • Preferably at least one symbol
  • Longer is better than shorter
  • Not equivalent to a dictionary word
  • Not personally significant to you
  • Not written down anywhere

Of course, this last rule is completely impossible if you do a good job of following the other rules!
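To make the checkable rules above concrete, here is an added example (not code from the original post) that reports which of them a candidate password breaks. It goes slightly beyond the list by also treating a dictionary word padded with digits or symbols as "equivalent to a dictionary word"; the word list and the 12-character minimum are constructed assumptions, since the post only says "longer is better".

```python
import re
import string

# Constructed stand-in for a real word list; a deployment would load a large
# cracking dictionary or breached-password list instead.
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon", "admin", "qwerty"}

MIN_LENGTH = 12  # assumed threshold; the post only says "longer is better"


def policy_violations(password: str, dictionary=DICTIONARY, min_length=MIN_LENGTH):
    """Return the rules from the post that the password breaks, in list order.

    An empty list means every mechanically checkable rule is satisfied.
    "Not personally significant" and "not written down" cannot be tested
    here and are left to the user.
    """
    problems = []
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs at least one symbol")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Dictionary check: compare the lowercased password, and the password with
    # digits and symbols stripped, against the word list. This catches the
    # common habit of appending "1!" to a plain word.
    core = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in dictionary or (core and core in dictionary):
        problems.append("based on a dictionary word")
    return problems


def is_acceptable(password: str) -> bool:
    """True when the password passes every checkable rule."""
    return not policy_violations(password)
```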

On your own computer, or when you register at Web sites, abiding by these rules is for the best. On a hosted Web site, these rules become even more important, but why? There are three reasons...

First, a Web site is, by definition, available to any user in the world. By contrast, your own computer may never be directly reachable over a network (although it's more likely to be physically accessible). Second, whereas your computer's user names may be guessable, they aren't typically known or common. A Web server normally has several default users, such as root, nobody, mysql, etc., that any hacker will already know to try. And third, if the site itself performs e-commerce, it likely stores some information about its customers, meaning that a security breach would affect not just you, but also your clients. In short, a hosted site and an online server have far more opportunities for security breaches, and much more serious consequences when one occurs.

Hopefully in this context, you can better see the need for more secure passwords. What you should also do, besides creating ultra-secure passwords in the first place, is change your passwords regularly. This, I believe, is a regular lapse of many sites and servers. Get in the habit of changing your site's passwords on a regular basis. Whether that means every month or every six months: just do it! And make sure you do it for all of the passwords your site or server uses:

  • FTP access
  • SSH access
  • Password-protected directories
  • Site administrator logins
  • MySQL (or other database) connections

If you've tied the site into a payment system, you should definitely change those passwords frequently, too. Many payment systems recommend as much, although I doubt enough people do so.

The biggest risk to site and server security is complacency: thinking that what was fine yesterday will be safe today. Security is a matter of vigilance, and one of the easiest ways to stay safe is to regularly change your site's and server's passwords.