Your admin panel is home to tons of sensitive information—not something you want to expose to attackers.
Unfortunately, if you have a lot of admin users, chances are at least some of them are picking insecure, easy-to-crack passwords. Weak passwords are particularly vulnerable to brute-force attacks, in which an attacker can try hundreds of thousands of password combinations in an hour.
The good news is that increasing password length greatly increases the time required to crack a password. Better than just knowing that fact is enforcing it, which, thanks to our most recent release, you can now do on your Magento store.
We’ve open sourced our Magento Admin Password Length Enforcer extension, which allows you to customize the minimum required length of admin passwords. Check out the most recent version of the code on GitHub.
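To make the length argument concrete, here is a small added example (not code from the extension or from this post) that estimates the worst-case brute-force effort for a given password length and character set, and shows how raising a minimum-length policy multiplies that effort. The guess rate of 500,000 attempts per hour and the character-set sizes are constructed assumptions for illustration; the policy check mirrors the idea of a configurable minimum admin password length, not the extension's actual code.

```python
# Added example: brute-force search space versus password length, and a
# minimum-length policy check. All numbers below are constructed assumptions.

# Approximate character-set sizes an attacker would have to cover.
ALPHABET_SIZES = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "alphanumeric+symbols": 94,
}

# Constructed guess rate, in the "hundreds of thousands per hour" range
# mentioned in the post (online guessing against a login form).
GUESSES_PER_HOUR = 500_000


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    if length < 0 or alphabet_size < 1:
        raise ValueError("length must be >= 0 and alphabet_size >= 1")
    return alphabet_size ** length


def hours_to_exhaust(length: int, alphabet_size: int,
                     guesses_per_hour: int = GUESSES_PER_HOUR) -> float:
    """Worst-case hours to try every password of the given length."""
    return keyspace(length, alphabet_size) / guesses_per_hour


def growth_factor(old_min: int, new_min: int, alphabet_size: int) -> int:
    """How many times larger the worst-case effort becomes when the
    minimum length is raised from old_min to new_min characters."""
    if new_min < old_min:
        raise ValueError("new_min must not be smaller than old_min")
    return alphabet_size ** (new_min - old_min)


def validate_admin_password(password: str, min_length: int):
    """Return None if the password meets the minimum length, otherwise an
    error message. Hypothetical stand-in for a configurable length policy."""
    if len(password) < min_length:
        return (f"Admin password must be at least {min_length} characters "
                f"long (got {len(password)}).")
    return None


def effort_table(alphabet_name: str, lengths=range(6, 15)):
    """Rows of (length, keyspace, hours) for one character set."""
    size = ALPHABET_SIZES[alphabet_name]
    return [(n, keyspace(n, size), hours_to_exhaust(n, size)) for n in lengths]


if __name__ == "__main__":
    for n, space, hours in effort_table("alphanumeric"):
        print(f"length {n:2d}: {space:>24,d} candidates, "
              f"{hours:>18,.0f} hours worst case")
    print("raising minimum 8 -> 12 multiplies effort by",
          f"{growth_factor(8, 12, 62):,}")
    print(validate_admin_password("short1", 12))
```

Each additional character multiplies the search space by the alphabet size, so the table grows geometrically rather than linearly; that is the whole reason a length floor is such a cheap control to enforce.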
Installing the Magento Admin Password Length Enforcer
Always test new extensions in a development environment before you deploy them to a production server.
Update: The extension is on Magento Connect now, so you can install it there too!
- Download the release file
- Upload it to your base Magento install folder
- Run the following command (replacing X.X.X with your version number): tar zxf BranchLabs_AdminPasswordStrength-X.X.X.tgz
- Navigate to System > Configuration, look for the BranchLabs header in the menu on the right, and select Admin Password Strength to set the new minimum password length.
- Get your admins to change their current passwords and enjoy your enhanced security!
Questions & Comments?
Have comments on the extension? Further questions about Magento best practices for security? Leave us a comment here, or get in touch with us directly and we’ll get back to you ASAP.