Security: Password Management

Never use the same password twice!

As you’re setting up your WooCommerce store, you’ll have a username and password for plenty of websites!

  • WPEngine
  • Your store admin panel
  • CloudFlare
  • GoDaddy
  • Google
  • Stripe
  • PayPal
  • ZenDesk

If one password is reused across these accounts, a single compromised password hands an attacker your store, your customers' data, your email and your finances all at once, so you can't use "dogname2016" for everything.

During the life of your WooCommerce store, you're going to need to share access with other people too: outside plugin developers, support staff, that new person in the warehouse. It's important that your passwords are long, unique and random (you shouldn't be able to remember them, and you shouldn't need to), easy to share and to revoke, and easy to change.

Using a password manager

There are a few good password managers around, and it's important that you use one of them. We use and recommend LastPass, which costs $1USD/month. They work by encrypting your whole vault of passwords under a key derived from one master password, so that master password is the only one you have to remember (and the one you must never reuse anywhere else).

Once you’re signed in to your password manager, it’ll automatically fill known websites with your username and password for easy sign in.

Password managers allow you to log in without even knowing your credentials.

If you sign up to a new website, the password manager will offer up a secure password and save the credentials for future sign-ins.

With LastPass, you can also add users to your account who can sign in with passwords you share without the password being shown to them (ideal for sharing with your staff, for example). Treat that as a convenience rather than a security boundary: a password that is auto-filled into a login form can still be read back out of the browser by anyone determined to, so only share credentials with people you would trust with the password itself.

LastPass also offers two-factor authentication (2FA). This means you sign in with your password and a 6-digit, time-limited token from an authenticator app on your phone, so even if your password is compromised, an attacker still needs your phone. You should definitely use two-factor authentication, on the password manager itself first of all!

Sharing my credentials

How do you go about sharing your credentials with other people, for example a developer or support person?

  1. If possible, don’t. If you share your PayPal password and then get ripped off, nobody will be interested in hearing about it!
  2. Add them as a user to your account, if possible (e.g. Your store admin panel, WPEngine, Stripe, ZenDesk)
    Some websites allow you to add extra users to your account and assign them certain permissions. Wherever possible, every person should sign in with their own credentials and with no more permissions than the job needs. This makes it easy to identify who did what, and easy to revoke access when they leave. Revoke permissions as soon as possible: if you've given a support person access to your account, delete their user when they're done.
    Perfect password management: user-by-user access control.
  3. Change the password, allow them to make their changes, then change the password again.
    We often ask clients to do this if we're helping them with something tricky like fetching API keys or changing developer settings. It requires a great deal of trust up-front, and isn't for everybody. Changing the password back also doesn't undo everything they could have done while logged in: afterwards, check for new users, API keys or still-active sessions, since a password change does not necessarily invalidate those.

Keeping your email secure

More than any of your other accounts, your email account is the skeleton key to all the others.

If an attacker gets your email password, they’ll have access to all of your other accounts (through password resets).

Reset Password dialogs are how an attacker can access all your accounts.

With that in mind, use two-factor authentication on your email account, and use a tool like LastPass to give your email its own extra-long password that is used nowhere else.
