08/06/2013

Logins and Passwords and Tools, Oh My!

How do you rank on password security? Here’s Gizmodo’s list of the most common passwords of 2012. (Most common means least secure.) If your DOLLARS ON THE NET® password is on this list, change it today!

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball
11. iloveyou
12. trustno1

Because we care about your security and we understand the value of passwords, we provide DOLLARS ON THE NET account administrators with specific control over password rules for their environment.

On the Account Security page within DOLLARS ON THE NET, administrators can configure several options related to passwords and login credentials. To ensure your account is as secure as possible, we’re giving you an overview of what each option does. Below is a description of each option you will find on the Account Security page:

Minimum Password Length: How many characters (letters, numbers, or symbols) must a password contain? The shorter the password, the easier it is to guess; but if it gets too long, people may forget it or mistype it.

Password Composition Requirements: You, as the account administrator, can choose any combination of the following options to be required in your employees’ new passwords:

• Alpha (the password must have at least one letter)
• Upper and lower case (at least one capital letter required)
• Numeric (at least one number required)
• Punctuation (password must include a special character such as “@” or “&”)

Require Password Change: How often do you want to force users to change their passwords? And how many new passwords must be used before an old password can be reused? Remember that while changing passwords from time to time reduces the window in which a compromised password stays useful, doing it too often can actually create more headaches than benefits. When employees have to change their password too many times they may start forgetting them and could even resort to writing their password down and keeping it near their terminal – a big security risk.

Lockout Users After: This setting lets you choose how many chances your employees have to correctly enter their password. “Non-visual attempts” are simple retries, while visual login attempts require users to complete a CAPTCHA-like field (those images where you have to type in the letters you see on the screen) before trying again. Once the employee has used up all of their non-visual and visual login attempts, they will have one chance to reset their password by answering their security questions. If that fails, they will be locked out of the system for a set period of time.

Lockout Duration: When an employee is locked out (based on the parameters you set in the previous option), how long do you want them to have to wait before they can try to log in again? This feature is designed to stop people (or computers) from randomly guessing your password by typing different possibilities over and over. If they only get a few chances and then have to wait half an hour, they’ll quickly give up on this method.
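To make the interaction between the composition rules, the attempt limits and the lockout timer concrete, here is an added example written for this article. It is not Shift4's code and does not reflect how DOLLARS ON THE NET is implemented; the rule names, the default values, and the "plain / captcha / reset_only / locked" states are assumptions chosen to mirror the options described above, and the common-password set is the list quoted at the top of this post.

```python
"""Illustrative password-policy check and login-lockout state machine.
Written for this article as an example; not Shift4's implementation.
Policy values, field names and states are assumptions."""
import string
from dataclasses import dataclass

# Constructed from the 2012 common-password list quoted above.
COMMON_PASSWORDS = {"password", "123456", "12345678", "abc123", "qwerty",
                    "monkey", "letmein", "dragon", "111111", "baseball",
                    "iloveyou", "trustno1"}


@dataclass
class PasswordPolicy:
    """Mirrors the Account Security options (names are assumptions)."""
    min_length: int = 8
    require_alpha: bool = True
    require_mixed_case: bool = True      # at least one upper AND one lower
    require_numeric: bool = True
    require_punctuation: bool = False
    history_depth: int = 4               # last N passwords may not be reused


def check_password(candidate, policy, history=()):
    """Return the names of the rules the candidate fails (empty = accepted)."""
    failures = []
    if len(candidate) < policy.min_length:
        failures.append("min_length")
    if policy.require_alpha and not any(c.isalpha() for c in candidate):
        failures.append("alpha")
    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    if policy.require_mixed_case and not (has_upper and has_lower):
        failures.append("mixed_case")
    if policy.require_numeric and not any(c.isdigit() for c in candidate):
        failures.append("numeric")
    if policy.require_punctuation and not any(c in string.punctuation for c in candidate):
        failures.append("punctuation")
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("common_password")
    # history_depth == 0 means "no history check"; guard the slice so
    # history[-0:] does not silently compare against the whole history.
    if policy.history_depth and candidate in tuple(history)[-policy.history_depth:]:
        failures.append("reused")
    return failures


@dataclass
class LoginThrottle:
    """Per-user attempt budget: plain retries, then CAPTCHA-gated retries,
    then a single security-question reset, then a timed lockout."""
    non_visual_attempts: int = 3
    visual_attempts: int = 2
    lockout_seconds: int = 1800          # half an hour
    failures: int = 0
    locked_until: float = 0.0

    def _expire(self, now):
        # A finished lockout clears the counter so the user starts fresh.
        if self.locked_until and now >= self.locked_until:
            self.locked_until = 0.0
            self.failures = 0

    def state(self, now):
        self._expire(now)
        if now < self.locked_until:
            return "locked"
        if self.failures < self.non_visual_attempts:
            return "plain"
        if self.failures < self.non_visual_attempts + self.visual_attempts:
            return "captcha"
        return "reset_only"

    def password_attempt(self, password_ok, now, captcha_ok=True):
        """Record one password guess; returns the state after the attempt."""
        state = self.state(now)
        if state in ("locked", "reset_only"):
            return state                 # no more password guesses allowed
        if state == "captcha" and not captcha_ok:
            return state                 # guess is not even evaluated
        if password_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        return self.state(now)

    def reset_attempt(self, answers_ok, now):
        """The one security-question chance; failure starts the lockout."""
        state = self.state(now)
        if state != "reset_only":
            return state
        if answers_ok:
            self.failures = 0
            return "ok"
        self.locked_until = now + self.lockout_seconds
        return "locked"
```

The throttle deliberately refuses to evaluate a guess at all once the plain attempts are spent and no CAPTCHA was solved, which is what makes the "visual attempts" setting useful against automated guessing rather than just against a forgetful employee.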

Require User Email Address: This one is pretty simple. When setting up a new account, do you want to link the user’s account to their email address?

Auto Disable Stale Users: Disabling stale users (users that haven’t logged in for a certain amount of time) is a simple way of keeping former employees from coming back and trying to log on to your account to cause trouble. If they haven’t worked a shift in a week or two, this feature will automatically disable their account until you have time to go in and delete it. If they’ve just gone on vacation, you can always log in to your administrator account and enable their account again manually when they return.

Enforce Scheduled User Work Shifts: Do your employees have set schedules? This option ensures that users can only access DOLLARS ON THE NET during the time they are scheduled to be at work.

As you review these options you will notice the compliance checkboxes next to each choice. You can learn more about these boxes in our Security Your Way article from last April.

While we’re on the subject of passwords, there’s one more thing you should know and that’s how to reset your password if you have forgotten it. If you are a DOLLARS ON THE NET user (not an administrator) you can ask your account administrator to reset your password and allow you access. If the account administrator forgets his or her password, only Shift4 can reset it. That process can be started by visiting our Password Reset page.

One more point to remember on logins: It is a best practice and a PCI requirement to assign each user a unique user account. This means shared accounts like “cashier” or “front desk”, where multiple users can log in using the same password, are a security risk and a liability, as they will cause you to be found non-compliant.

If you need assistance with passwords or have questions about any of these options, please email support@shift4.com or call us at 702.597.2480 (option 2).