Password Complexity in ZenCart

I had a web designer tell me we should not give feedback to a customer who didn’t type in the right format for a password!!  In other words, don’t tell them that they need at least one number, one upper case, one lower case and one non-alphanumeric character for a correct password format!  He was thinking of not telling a would-be hacker what to type in!!

Makes one wonder if they really understand what they’re doing when designing web sites, or care.   It’s also one reason so many sites get hacked and so many programs get cracked!

Think about it as a customer!  Here you are about to sign up for another site you really don’t need, just to spend your hard earned money. You enter all your info, then have to create a password. After entering your password, maybe one you use all the time (after all, how many passwords can you remember?), the site rejects you saying your user name or password is incorrect!!   Well, which is it? You type it in again because you can’t see the password you typed, for it shows this stupid star thingy *****.    Again it rejects, and so do you… moving on to a site that doesn’t test your typing skills.

At least that’s what I and others do when we get no usable feedback. We assume you don’t really want us to buy!

Now let’s look at it through the cracker’s eyes.. Why would I want to waste my time cracking your password when I already have your email address!  Most sites have a very weak password reset system or human support system. After all, why crack it when they will send you a new one?

So.. if there is human support and I call in saying, “Hey, I messed up and deleted my old email address before resetting my user accounts with different shops! Can I get you to email the changed password to this address so I can recover my account?”

If support says.. sure, I can do that for you.. I’m in..
If support says.. sorry, I can’t do that, but I will deactivate your old account so you can create a new one.. I lost, move on.

So, usable feedback.. what is that, after all?

Did you know that there are very few reasons to mask your password as you type!! That’s the stars ** you see! If a peeper is standing by looking, they’re more than likely looking at your fingers, not the screen. The masking only makes one think they’re safe and forget about key loggers or finger-reading cameras!

So what is a web designer to do… Stay on top of it, remember the old days and create some new tricks or code…

Start with a good, safe and tested password reset system first! Then set up a good password system that’s user friendly. Add a hide/unhide button on the password field and make unhidden the default. Add a password creator button to give hints at good passwords or make it easy for them. If they can see what they are typing, don’t make them retype it. I tend to copy and paste, so why have the confirmation field at all..

Give feedback as they type: weak, strong.. you can even give feedback when they’ve entered the right set of one number, one upper case, one lower case and one non-alphanumeric character… Don’t be a fool, this is not going to tell a hacker anything other than the time it would take to brute force the password. Most will leave, some will try.. There are other ways to take care of this type of attack and ZC has them in place already. Unless some fool removed it when designing your web template!
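As an added example (not ZenCart code and not the author’s own), here is the as-you-type feedback described above: it names the requirement the customer is still missing instead of a bare “incorrect”, rates the password weak/ok/strong, shows the field unmasked by default with a hide/unhide toggle, and drops the confirmation field. The minimum length of 8 and the element ids `password`, `password-hint` and `password-toggle` are assumptions.

```javascript
// Added example, not part of ZenCart. Rule set is the one the post describes:
// one number, one upper case, one lower case, one non-alphanumeric character.
const MIN_LENGTH = 8; // assumed; the post states no length

const RULES = [
  { label: "at least " + MIN_LENGTH + " characters", test: (p) => p.length >= MIN_LENGTH },
  { label: "one number",               test: (p) => /[0-9]/.test(p) },
  { label: "one upper-case letter",    test: (p) => /[A-Z]/.test(p) },
  { label: "one lower-case letter",    test: (p) => /[a-z]/.test(p) },
  { label: "one non-letter/number",    test: (p) => /[^A-Za-z0-9]/.test(p) },
];

// Labels of the requirements the password does not yet meet, in rule order.
function missingRequirements(password) {
  return RULES.filter((r) => !r.test(password)).map((r) => r.label);
}

// "weak" when two or more rules fail, "ok" when exactly one fails, "strong" when all pass.
function rateStrength(password) {
  const missing = missingRequirements(password).length;
  if (missing === 0) return "strong";
  if (missing === 1) return "ok";
  return "weak";
}

// Message shown beside the field while the customer types; tells them what is
// still needed rather than just "invalid", which is the usable feedback the post asks for.
function feedbackMessage(password) {
  const missing = missingRequirements(password);
  if (missing.length === 0) return "Strong password.";
  return "Still needed: " + missing.join(", ") + ".";
}

// Browser wire-up; guarded so the functions above can also be loaded outside a browser.
if (typeof document !== "undefined") {
  const field = document.getElementById("password");       // assumed id
  const hint = document.getElementById("password-hint");   // assumed id
  const toggle = document.getElementById("password-toggle"); // assumed id
  if (field && hint) {
    field.type = "text"; // unmasked by default, as the post recommends
    field.addEventListener("input", () => {
      hint.textContent = feedbackMessage(field.value);
      hint.dataset.strength = rateStrength(field.value); // hook for weak/ok/strong styling
    });
  }
  if (field && toggle) {
    toggle.addEventListener("click", () => {
      field.type = field.type === "password" ? "text" : "password";
    });
  }
}
```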

So, masked passwords, confirmation fields and no feedback are old school, and maybe old code.

So, on to password resets.. there are basically three types in use, rated here from weakest to strongest. There are hacks for all three!

1) Enter an email address and, if it matches, send a new password to that address.
This is like sending mail without an address, just kind of hoping it makes it to the intended receiver and then hoping they change the password to something else.

2) Enter an email address and, if it matches, email a link with a token that, when used, will take the user to a page where they can change their password.
This is not bad, is used more often now and works, but the user may leave to answer the email and could lose their shopping cart items; not too good for a shopping site.

3) Enter an email address and, if it matches, open a reset page where the user can enter a new password. This has to be set up at account creation, and I’ve seen it done at different levels. The user has to answer 1 to 4 questions provided during account creation; if right, the password is changed.
The customer never leaves your site, the shopping cart is maintained and the shopper continues after resetting the password.

In my use of password resets, number three is the best, if you never answer the questions truthfully!! When doing questions, I pick something easy to remember that makes no sense for any of the questions..

In short, as a coder, if I make it easy for you to create a password using feedback and such, then maybe you won’t need to reset it later on!

This is why on my shop page passwords are not hidden and feedback is there. I’d like you to use hardened passwords, but I don’t enforce it yet. I’ve coded all three resets, but use number three.

On top of it all, I’m not holding you to an account for checking out!!

We never store payment information.  The only thing we have is your email, phone and address, and we’ll protect it the best we can.

This is my opinion and I’m not putting down a fellow coder!   Some folks are not keeping up with the times or are set in their ways.  I’ve been coding since long before the Internet was released and was frustrated with hml before html and PHP were created.  I’m still looking ahead, not back, having fun with CSS4.
