Passwords have long been the primary means of authentication, especially in the e-commerce business. For a Magento 2 store, having password constraints in place may not seem like a big deal. However, there are many points to consider when you configure password options in Magento 2.
For example, for returning users, overly strict password requirements can lead to an 18% abandonment rate, according to Baymard's “Cart and Checkout UX” research study. On the other hand, according to Tracesecurity, 81% of hacking-related breaches leveraged either stolen and/or weak passwords!
Such statistics may leave the admin unsure about what type of passwords should be allowed in the store and how strictly the password constraints should be configured.
Fortunately, Magento 2 offers a well-organized configuration for setting up password options. The admin can apply password constraints that strike a balance between customer convenience and security using the steps below!
Note: The configuration is in accordance with the Magento 2.3.0 version.
Steps to Configure Password Options in Magento 2:
- Login to Admin panel
- Navigate to Stores > Configuration
- Under Customers, go to Customer Configuration
- Expand the “Password Options” section and configure each field as below:
- Password Reset Protection Type: Select the method to be used when a password reset is requested. For example, the password can be reset by the admin only, after email confirmation, or online without any confirmation.
- Max Number of Password Reset Requests: Enter the number of password reset requests allowed per hour.
- Min Time Between Password Reset Requests: Enter the minimum delay, in minutes, required between two requests.
- Forgot Email Template: Select the email template for the emails sent to customers when they forget their passwords.
- Remind Email Template: Select the email template for the emails sent to customers containing the password hint.
- Reset Password Template: Select the email template for the emails sent to customers for changing their password.
- Password Template Email Sender: Select the email sender for all password-related emails.
- Recovery Link Expiration Period (hours): Enter the number of hours before the password recovery link expires. A smaller number of hours improves security!
- Enable Autocomplete on login/forgot password forms: Enable this option to allow browser autocomplete on the login and forgot-password forms. This field is disabled by default for security purposes.
- Number of Required Character Classes: Enter the number of different character classes that must be used in the customer password during account signup, chosen from these classes: Lowercase, Uppercase, Numeric, and Special Characters.
- Maximum Login Failures to Lockout Account: Enter the number of failed login attempts after which an admin account will be locked. To allow unlimited attempts, set the field value to 0.
- Minimum Password Length: Enter the minimum number of characters the password must contain.
- Lockout Time (minutes): Enter the number of minutes an admin account stays locked after too many failed login attempts.
- Save Configuration
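To make the effect of these fields concrete, here is an added Python sketch (not Magento's own code) that applies the same rules the admin configures above: minimum length, required character classes (lowercase, uppercase, numeric, special), and the per-hour limit plus minimum spacing for password reset requests. The policy values and the timestamps are constructed placeholders; real stores read them from the saved configuration.

```python
import re

# Constructed policy values mirroring the "Password Options" fields described above.
POLICY = {
    "minimum_password_length": 8,
    "required_character_classes_number": 3,
    "max_number_password_reset_requests": 5,       # allowed per hour
    "min_time_between_password_reset_requests": 10,  # minutes between requests
}

# The four character classes the "Number of Required Character Classes" field counts.
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "numeric": re.compile(r"[0-9]"),
    "special": re.compile(r"[^a-zA-Z0-9]"),
}


def check_password(password, policy=POLICY):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy["minimum_password_length"]:
        problems.append("too_short")
    classes_present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(classes_present) < policy["required_character_classes_number"]:
        problems.append("too_few_character_classes")
    return problems


def reset_request_allowed(previous_requests, now, policy=POLICY):
    """Decide whether a new reset request may be accepted.

    previous_requests: timestamps (in minutes) of earlier reset requests for this account.
    now: the current timestamp in minutes. Both are constructed, unit-free values.
    """
    recent = [t for t in previous_requests if 0 <= now - t < 60]   # requests in the last hour
    if len(recent) >= policy["max_number_password_reset_requests"]:
        return False, "hourly_limit_reached"
    if recent and now - max(recent) < policy["min_time_between_password_reset_requests"]:
        return False, "too_soon"
    return True, "ok"
```

Lowering `required_character_classes_number` or `minimum_password_length` in `POLICY` shows directly how much weaker a password the storefront would accept, which is the trade-off the statistics above describe.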
Readers who want to check whether their password is strong enough can use the tool “The Password Meter”.
Please feel free to use the Comments section below to ask any questions about the topic. I’d be happy to help!
Stay Secure 🛡️