A lot has been written about password security, enough to fill more books than a sane person should read. As Zen Planner grows, we fall under more and tighter security standards from the credit card industry, called PCI-DSS. It’s critically important to maintain the security of the sensitive information you track in Zen Planner, but simply complying with standards doesn’t mean things are really secure.
As with everything else we do, we’ve tried to balance the best engineering available with simplicity and common sense for the real world. Here’s what you need to know about passwords in Zen Planner:
Database Owners (and staff with the Financial privilege) fall under special restrictions where we don’t have much leeway. The PCI-DSS standards require that you have a strong password made of lowercase letters, uppercase letters, and digits. We’ve reduced the number of required characters to 8 characters, with no maximum length. Passwords must expire every 90 days, and login sessions must expire after 15 minutes of idle time.
All other staff are allowed to have lower security restrictions. Because of this, we’ve expanded the session timeout from 20 minutes to 1 hour, and have extended the password expiration from 90 days to 1 year. These passwords will also have a minimum length of 8 characters, without any other restrictions. This should make it much easier for regular staff members to get their work done.
When resetting a password, a user will not be permitted to reuse their last 4 passwords.
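The rules above (two roles with different complexity, expiry and idle-timeout settings, plus a four-password reuse history) are the kind of policy an application enforces at password-change and login time. The following is an added illustration, not Zen Planner's code: the role names, field names and PBKDF2 round count are assumptions chosen for the example, and the history is kept as salted hashes so old passwords are never stored in the clear.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Illustrative policy table reflecting the rules described in the post.
# Role names and field names are assumptions made for this example.
POLICIES = {
    "owner": {"min_length": 8, "require_classes": True,
              "max_age_days": 90, "idle_timeout_minutes": 15},
    "staff": {"min_length": 8, "require_classes": False,
              "max_age_days": 365, "idle_timeout_minutes": 60},
}
HISTORY_DEPTH = 4          # the last 4 passwords may not be reused
PBKDF2_ROUNDS = 100_000    # demo value; tune the work factor for production


def complexity_problems(password: str, role: str) -> List[str]:
    """Return the rules the candidate password violates (empty list means it passes)."""
    policy = POLICIES[role]
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["require_classes"]:
        if not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if not any(c.isdigit() for c in password):
            problems.append("no digit")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt is drawn when none is supplied."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(candidate: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any stored (salt, digest) pair in the history."""
    for salt, digest in history:
        _, probe = hash_password(candidate, salt)
        if hmac.compare_digest(probe, digest):   # constant-time comparison
            return True
    return False


def record_password(history: List[Tuple[bytes, bytes]], new_password: str) -> List[Tuple[bytes, bytes]]:
    """Append the new password's hash and keep only the most recent HISTORY_DEPTH entries."""
    history = history + [hash_password(new_password)]
    return history[-HISTORY_DEPTH:]


def password_expired(set_at: datetime, now: datetime, role: str) -> bool:
    """True once the password is older than the role's maximum age."""
    return now - set_at > timedelta(days=POLICIES[role]["max_age_days"])


def session_idle_expired(last_activity: datetime, now: datetime, role: str) -> bool:
    """True once the session has been idle longer than the role's timeout."""
    return now - last_activity > timedelta(minutes=POLICIES[role]["idle_timeout_minutes"])


if __name__ == "__main__":
    history = []
    for pw in ["Pass0001", "Pass0002", "Pass0003", "Pass0004", "Pass0005"]:
        history = record_password(history, pw)
    print("owner complexity problems for 'abcdefgh':", complexity_problems("abcdefgh", "owner"))
    print("reuse of Pass0002 blocked:", is_reused("Pass0002", history))
    print("reuse of Pass0001 allowed again:", not is_reused("Pass0001", history))
```

The reuse check recomputes the candidate's hash under each stored salt rather than comparing plaintexts, so the history table holds nothing an attacker could read directly if it leaked.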
A Simple Solution:
Database owner accounts fall under the tighter rules because they can view and update sensitive payment information -- even if that’s not what you’re regularly logging in to do. One simple solution to this is to make a second account for yourself that has all of the privileges except for database owner. At work, you can log in using the lower security account to do 90% of your tasks, and then just keep the password to the admin account safe at home for times when you need to log in to update your database setup.
More About Staying Safe Online
Modern technology opens up so many new ways to connect to one another, but we are not naturally wired to keep private information secure online.
Even using PCI-DSS rules, most people choose very bad passwords -- you can crack 90% of accounts using a dictionary of just 1,000 words. And even after years of education, the most common passwords in use are still words like “password” and “123456”. And, common shortcuts like “substitute letters for numbers” don’t help much either, because hackers know that “password” is the same as “p@ssword”, so they’ll guess that too.
In the end, most experts recommend that the best password is one that you don’t remember, which means using some kind of password database instead. The solution looks like this:
* Don’t reuse passwords. Every account should have its own unique password, so that when Gawker gets hacked again, you don’t suddenly lose access to your email and bank account.
* Choose real passwords. Not “password123” and not your dog’s name. The strongest passwords are randomly generated. Here’s what my passwords look like: “a4JJSDXRfGrMYGnLdIQ0xqXplkpgsIyD”
* Disable Flash and Java. Plugins like these are less useful today than they were in the past, and are consistently used by bad guys to break into computers, including most of the recent high profile hacks.
* Use a password database. There are several great ones out there. We recommend 1Password, LastPass, KeePass, and Password Safe among others. With these tools, you just enter a single password to unlock your database, and then copy-and-paste the right password into each account you use. I use a password database for all of my accounts. Getting this set up can be a little tricky, but it has made things much easier for me to manage.
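Two of the points above translate directly into code: generating a random password like the 32-character sample, and checking a candidate against a list of common passwords in a way that sees through letter-for-number substitutions. This is an added example written for this post, not part of it; the deny list is a constructed five-entry stand-in for the 1,000-word dictionary mentioned above, and the substitution map is an assumption covering the usual shortcuts.

```python
import math
import secrets
import string

# 62-symbol alphabet: the same character set as the sample password in the post.
ALPHABET = string.ascii_letters + string.digits

# Constructed, deliberately tiny deny list standing in for a real common-password dictionary.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Letter-for-number shortcuts (assumed map). Cracking wordlists apply these too,
# so the check canonicalises them before comparing against the deny list.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def generate_password(length: int = 32) -> str:
    """Random password drawn with the OS CSPRNG (secrets), one symbol at a time."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing-resistance of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def is_weak(password: str) -> bool:
    """True if the password, or an obvious variant of it, is on the deny list."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits)          # "password123" -> "password"
    variants = {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}
    return any(v in COMMON_PASSWORDS for v in variants)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
    for candidate in ["p@ssword", "Password123", "pa55w0rd", pw]:
        print(f"{candidate!r:40} weak={is_weak(candidate)}")
```

The 32-character sample in the post has about 190 bits of entropy under this alphabet, far beyond anything a dictionary or substitution-aware wordlist can reach; `is_weak` shows why "p@ssword" and "Password123" still count as the word "password".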
Every day, Zen Planner strives to balance human simplicity with the overwhelming complexity of today’s technology. It’s a difficult balance to achieve, and we rarely get it exactly right. We’re always listening to you for ways that we can make things better. But there are some rules we simply must follow, such as asking staff to reset their passwords in accordance with PCI requirements. Please keep on telling us what you need to run your business better, and we’ll keep on building the best fitness software in the world!