  1. #1
    Join Date
    Feb 2014
    Posts
    57
    Plugin Contributions
    0

    passwords expire after 90 days & after 15 minutes of inactivity, login again.

    Hello,

    I have two questions.

    1) The admin login passwords expire after 90 days; I have to set a new password every 90 days.
    How do I remove this rule? I just want to use one password forever unless I want to change the password, instead of the system requiring me to change the password every 90 days.

    2) How do I set the duration a bit longer after I log in to the admin page?
    The system always requires me to log in again after 15 minutes.

    Rgds

  2. #2
    Join Date
    Jul 2012
    Posts
    16,732
    Plugin Contributions
    17

    Re: passwords expire after 90 days & after 15 minutes of inactivity, login again.

    Originally posted by cmike:
    > Hello,
    >
    > I have two questions.
    >
    > 1) The admin login passwords expire after 90 days; I have to set a new password every 90 days.
    > How do I remove this rule? I just want to use one password forever unless I want to change the password, instead of the system requiring me to change the password every 90 days.
    >
    > 2) How do I set the duration a bit longer after I log in to the admin page?
    > The system always requires me to log in again after 15 minutes.
    >
    > Rgds

    The first question to this is why do you want to remove the protections that are in place to reduce the likelihood of unauthorized access to the system, customer data, your product information (which if accessed could be changed and cause you a loss of income), etc... it comes down to not meeting at least one part of PCI compliance.

    If the answer is some sort of development setup, then please keep in mind in the future that such information (reason) only helps those that provide an answer and to reduce the need for questions like above and also could help identify a better solution. Community based after all. :)
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  3. #3
    Join Date
    Jul 2012
    Posts
    16,732
    Plugin Contributions
    17

    Re: passwords expire after 90 days & after 15 minutes of inactivity, login again.

    The second question is what version of ZC are you using? (posting tips and hopefully had been presented with a dropdown when initially posting to identify the version to which the question pertained.)

  4. #4
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: passwords expire after 90 days & after 15 minutes of inactivity, login again.

    If you're using v155 then you can turn off these industry-standard security protections under Admin->Configuration->My Store.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  5. #5
    Join Date
    Feb 2008
    Posts
    529
    Plugin Contributions
    0

    Re: passwords expire after 90 days & after 15 minutes of inactivity, login again.

    Originally posted by DrByte:
    > If you're using v155 then you can turn off these industry-standard security protections under Admin->Configuration->My Store

    Thanks for this. Didn't realize. I'd never use on live site but this is very very handy for working on test site.

  6. #6
    Join Date
    Feb 2014
    Posts
    57
    Plugin Contributions
    0

    Re: passwords expire after 90 days & after 15 minutes of inactivity, login again.

    Originally posted by mc12345678:
    > The first question to this is why do you want to remove the protections that are in place to reduce the likelihood of unauthorized access to the system, customer data, your product information (which if accessed could be changed and cause you a loss of income), etc... it comes down to not meeting at least one part of PCI compliance.
    >
    > If the answer is some sort of development setup, then please keep in mind in the future that such information (reason) only helps those that provide an answer and to reduce the need for questions like above and also could help identify a better solution. Community based after all. :)

    Just feel that resetting the password every 90 days is too fast. Maybe 365 days is better. How do I change this duration?

    I have two websites. One is 1.5.1 and the other one is 1.5.4.
    The 1.5.4 one is OK. I can type the number of seconds manually into the "Admin Session Time Out in Seconds" field.
    But the 1.5.1 one is not OK. It doesn't allow me to type anything. There are only three options for the user to choose: 300 seconds, 600 seconds and 900 seconds. It also says "Max allowed is 900 for PCI Compliance Reasons."

  7. #7
    Join Date
    Jul 2012
    Posts
    16,732
    Plugin Contributions
    17

    Re: passwords expire after 90 days & after 15 minutes of inactivity, login again.

    Originally posted by DrByte:
    > If you're using v155 then you can turn off these industry-standard security protections under Admin->Configuration->My Store

    Originally posted by cmike:
    > Just feel that resetting the password every 90 days is too fast. Maybe 365 days is better. How do I change this duration?
    >
    > I have two websites. One is 1.5.1 and the other one is 1.5.4.
    > The 1.5.4 one is OK. I can type the number of seconds manually into the "Admin Session Time Out in Seconds" field.
    > But the 1.5.1 one is not OK. It doesn't allow me to type anything. There are only three options for the user to choose: 300 seconds, 600 seconds and 900 seconds. It also says "Max allowed is 900 for PCI Compliance Reasons."

    Likely to sound harsh. The reason to extend the time between password resets being that it seems or feels too often is weak. Outside activities like bots and people that desire to break into/access such financial systems don't stop. The fact that the default of 90 days is applied is a minimum requirement to maintain the standard industry security requirements. Ideally one would change that password even more frequently to further maintain that security of *your* business and the information of the customers that frequent your site. The process is not difficult and if you have full access to everything about your site you can easily restore access if/when you forget your password using the information in this FAQ about recovering/changing your password if forgotten.

    I do believe that if you so desire to reduce these security requirements because security actions just seem too burdensome that there is sufficient information in this thread to determine what needs to be done to get these two sites to operate as desired.

  8. #8
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: passwords expire after 90 days & after 15 minutes of inactivity, login again.

    Originally posted by cmike:
    > Just feel that resetting the password every 90 days is too fast. Maybe 365 days is better. How do I change this duration?
    >
    > I have two websites. One is 1.5.1 and the other one is 1.5.4.
    > The 1.5.4 one is OK. I can type the number of seconds manually into the "Admin Session Time Out in Seconds" field.
    > But the 1.5.1 one is not OK. It doesn't allow me to type anything. There are only three options for the user to choose: 300 seconds, 600 seconds and 900 seconds. It also says "Max allowed is 900 for PCI Compliance Reasons."

    Understood.
    The best way to get the same feature in your v151 store as in your v154 store is to upgrade ;)

  9. #9
    Join Date
    Nov 2005
    Location
    los angeles
    Posts
    2,684
    Plugin Contributions
    9

    Re: passwords expire after 90 days & after 15 minutes of inactivity, login again.

    Originally posted by mc12345678:
    > The reason to extend the time between password resets being that it seems or feels too often is weak. Outside activities like bots and people that desire to break into/access such financial systems don't stop. The fact that the default of 90 days is applied is a minimum requirement to maintain the standard industry security requirements. Ideally one would change that password even more frequently to further maintain that security of *your* business and the information of the customers that frequent your site. The process is not difficult and if you have full access to everything about your site you can easily restore access if/when you forget your password using the information in this FAQ about recovering/changing your password if forgotten.

    not to sound harsh, but i respectfully disagree. the frequent changing of passwords has been shown to not be effective in preventing break-ins. see:

    https://goo.gl/isYtQl

    with regards to PCI compliance, i am a HUGE fan of protecting card holder data. but not a fan of how they choose to enact it. i will stop there on PCI compliance.

    2-factor authentication is far superior for protecting sensitive data. which frankly on the admin side, i think would not be too hard to implement.

    on a related topic, i was recently doing some work on a WP site and the idea of changing the admin crossed my mind, and the WP community seemed to suggest it was a waste of time, as BOTs will find your admin no matter what you change it to. what about the idea of additionally protecting the admin side with a rule in the .htaccess file? just a random thought...

    best.
    author of square Webpay.
    mxWorks has premium plugins. donations: venmo or paypal accepted.
    premium consistent excellent support. available for hire.

  10. #10
    Join Date
    Dec 2009
    Location
    Amersfoort, The Netherlands
    Posts
    2,846
    Plugin Contributions
    25

    Re: passwords expire after 90 days & after 15 minutes of inactivity, login again.

    Originally posted by carlwhat:
    > not to sound harsh, but i respectfully disagree. the frequent changing of passwords has been shown to not be effective in preventing break-ins. see:
    >
    > https://goo.gl/isYtQl
    >
    > with regards to PCI compliance, i am a HUGE fan of protecting card holder data. but not a fan of how they choose to enact it. i will stop there on PCI compliance.
    >
    > 2-factor authentication is far superior for protecting sensitive data. which frankly on the admin side, i think would not be too hard to implement.
    >
    > on a related topic, i was recently doing some work on a WP site and the idea of changing the admin crossed my mind, and the WP community seemed to suggest it was a waste of time, as BOTs will find your admin no matter what you change it to. what about the idea of additionally protecting the admin side with a rule in the .htaccess file? just a random thought...
    >
    > best.

    If I remember ok, 2-factor authentication on the admin side is planned for Zen Cart 1.6.0

 

 