  1. #21
    Join Date
    Apr 2006
    Location
    Midland TX
    Posts
    428
    Plugin Contributions
    0

    Default Re: Beta over protected?

    Since there have been many who have expressed their displeasure at having to change passwords every 90 days, there may be another method to consider in getting around this.
    As you know, online banking has about the same requirements, in addition to several dumb-a## questions which do become a pain after a while logging in. My bank got around this by using a security image. I have now had the same User ID and Password for years. What the bank did was have a third requirement. Along with User ID and Password you also have to select a thumbnail image out of many choices. These images are fairly simple, for example a picture of a cow. There would be many pictures of cows, all different to some degree. If the word got out that the image was a cow, then which one? I think you get the picture.
    Now when I log into the bank account using my User ID and Password, several images are displayed and you have to click on the correct one to log in.

    At the end of 90 days a page pops up having you select a new image, then you are good to go again without changing passwords (which you may if you choose to). This is much quicker and not a pain in the rear to do. If you have multiple stores, use the same image for all. This may not be a choice, but if this procedure was submitted to the proper body they may allow an exception; somehow my bank got it approved.

    But changing the password every 90 days is much safer, and hopefully no one is dumb enough to save passwords and user ID in their web browser or have them written down and put in that secret place that everyone in the office knows but doesn’t. That being said, you should only use something like RoboForm with a password at least 25 characters (long enough you can’t remember) using a mixture of upper case, lower case, numbers, and special characters, stored in RoboForm protected by a master password. Then let RoboForm generate a new password for you that you save, and let RoboForm do the fill-in when needed. That will take maybe 5 minutes every 90 days. The downside to RoboForm is if you forget the Master Password, even RoboForm personnel cannot retrieve it.

    The real “beef” here is called “Change”; people just don’t like change, which is normal. Most people live in what I call a grave with both ends kicked out. As long as it stays that way, no problem. We can make slight adjustments like extending each end an additional 10 feet, but you better not change the width or holy hell will be paid. So my suggestion is let’s give it a year and see how it works out, realizing that changes will have to be made as time goes by. The software team is spending more time on this design than any one of us will spend changing passwords over the next 10 years.

    So Dr Byte and team, keep up the good work and we will help by giving you our 2 cents' worth.
    Larry

  2. #22
    Join Date
    Nov 2006
    Location
    Dartmouth, NS Canada
    Posts
    2,378
    Plugin Contributions
    0

    Default Re: Beta over protected?

    Quote Originally Posted by EZorb View Post
    ... The real “beef” here is called “Change”; people just don’t like change, which is normal. Most people live in what I call a grave with both ends kicked out. As long as it stays that way, no problem. We can make slight adjustments like extending each end an additional 10 feet, but you better not change the width or holy hell will be paid.
    Hi Larry,

    It's one thing to express your own view. It's quite another thing to be so condescending towards others with different views. I don't mind change; I usually like it. But not when it's regressive and annoying. That's my view and I'm just as entitled to have it respected as are you and yours.

    As for your suggestion to use a master password tool... all you've done is switched the memorable password that you don't need to change from Zen Cart to your local tool. That's an improvement?

    Rob

  3. #23
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Beta over protected?

    Quote Originally Posted by EZorb View Post
    Since there have been many who have expressed their displeasure at having to change passwords every 90 days, there may be another method to consider in getting around this.
    As you know, online banking has about the same requirements, in addition to several dumb-a## questions which do become a pain after a while logging in. My bank got around this by using a security image. I have now had the same User ID and Password for years. What the bank did was have a third requirement. Along with User ID and Password you also have to select a thumbnail image out of many choices. These images are fairly simple, for example a picture of a cow. There would be many pictures of cows, all different to some degree. If the word got out that the image was a cow, then which one? I think you get the picture.
    Now when I log into the bank account using my User ID and Password, several images are displayed and you have to click on the correct one to log in.

    At the end of 90 days a page pops up having you select a new image, then you are good to go again without changing passwords (which you may if you choose to). This is much quicker and not a pain in the rear to do. If you have multiple stores, use the same image for all. This may not be a choice, but if this procedure was submitted to the proper body they may allow an exception; somehow my bank got it approved.
    That may be acceptable for your bank. But, until the PCI Security Council specifically adds that sort of method to their requirements, it will not be implemented as an alternative.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  4. #24
    Join Date
    May 2010
    Location
    London
    Posts
    237
    Plugin Contributions
    0

    Default Re: Beta over protected?

    I can't believe people are moaning at having to change their password every 90 days! lol

    If it were me, I'd force a 30 day rule!
    (which will no doubt be part of PCI eventually)

  5. #25
    Join Date
    Apr 2006
    Location
    London, UK
    Posts
    10,569
    Plugin Contributions
    25

    Default Re: Beta over protected?

    Quote Originally Posted by dutchy View Post
    If it were me, I'd force a 30 day rule!
    (which will no doubt be part of PCI eventually)
    ... and even if it's not, some PA-DSS auditor will no doubt find some way to interpret it into their scanning algorithm.
    Kuroi Web Design and Development | Twitter

    (Questions answered in the forum only - so that any forum member can benefit - not by personal message)

  6. #26
    Join Date
    Oct 2007
    Location
    Emporia, Kansas
    Posts
    1,762
    Plugin Contributions
    0

    Default Re: Beta over protected?

    I'm not really thrilled at having to redo my password every 90 days, and I have some admins that do not go to the store admin---they stay clear in case they mess things up---and they would need to change it all the time, speaking of which.

    I have installed this on a test site since the first one, changing files as they get changed, and have had to redo the password with each update fix, and that sure has not been every 90 days.

    So have not installed any mods yet.

  7. #27
    Join Date
    Mar 2004
    Location
    Finland
    Posts
    488
    Plugin Contributions
    3

    Default Re: Beta over protected?

    When it comes to hacking, I doubt things like a 90-day password change interval will really do anything when the hacker exploits a hole in the code and gains full access to your database and files....

    Just saying...................
    Working with Zen Cart since 2003 :: www.prr.fi
    Author of the original Finnish language pack for Zen Cart since 2004

  8. #28
    Join Date
    Dec 2010
    Location
    Seattle
    Posts
    83
    Plugin Contributions
    1

    Default Re: Beta over protected?

    While I agree that the password change rules are a good thing, it is certainly easy to change those rules if you don't like them. This would of course make your store non-compliant, but that is up to you.

  9. #29
    Join Date
    Mar 2004
    Location
    Finland
    Posts
    488
    Plugin Contributions
    3

    Default Re: Beta over protected?

    Quote Originally Posted by Taxcloud View Post
    While I agree that the password change rules are a good thing, it is certainly easy to change those rules if you don't like them. This would of course make your store non-compliant, but that is up to you.
    Yup ... I think it should be up to the shop keeper to decide.

    And for me the 15 min logout period isn't long enough when adding products!
    Working with Zen Cart since 2003 :: www.prr.fi
    Author of the original Finnish language pack for Zen Cart since 2004

  10. #30
    Join Date
    Apr 2006
    Location
    London, UK
    Posts
    10,569
    Plugin Contributions
    25

    Default Re: Beta over protected?

    Quote Originally Posted by pasi View Post
    Yup ... I think it should be up to the shop keeper to decide.
    I agree, but only if you don't accept credit cards or debit cards.

    If you do accept them, then the card companies are taking on some of the risk and are perfectly entitled to say under what conditions they're prepared to do so.

    While I don't agree that their conditions are necessarily optimal, or even, in some cases, effective, that doesn't negate their right to set them.
    Kuroi Web Design and Development | Twitter

    (Questions answered in the forum only - so that any forum member can benefit - not by personal message)

 

 