Sana Admin and Webstore Accounts


Sana Admin accounts and customers' webstore accounts are password-protected. Sana Commerce Cloud policy requires Sana Admin users and webstore customers to use strong passwords. It is critically important to have a secure and unique password. Moreover, Sana Commerce Cloud is protected against brute-force attacks.

Using the security settings in Sana Admin, you can set up a password security policy and require your users to use only strong and secure passwords.

You can set up the security settings separately for the Sana Admin user accounts and the Sana webstore customer accounts.

The password security policy determines how strong (resistant to guessing) user passwords must be.

To set up password policy, in Sana Admin click: Setup > Security > Login & Passwords.

Enter the minimum required password length and select the password strength score. The default values are:

  • Password length - 12

  • Password strength score - Good

When a user creates an account, instant feedback about the password strength is shown.

Password strength is a numerically expressed measure of the effectiveness of a password against guessing or brute-force attacks. The strength of a password is a function of length, complexity, and unpredictability.

Different algorithms are used to verify password strength. The higher the password strength score, the stricter the requirements on the password, and thus the more secure it will be. Sana accounts use the following scale:

  • Okay: Protection from unthrottled online attacks.
  • Good: Moderate protection from the offline slow-hash scenario.
  • Great: Strong protection from the offline slow-hash scenario.

Throttled online attack: This scenario presumes an attack against a website or online service that holds your password, where the website has an authentication delay mechanism that slows the attack down.

Unthrottled online attack: This scenario presumes an attack against a website or online service that holds your password, where the website has no mechanism to delay or limit authentication attempts.

Offline attack against the slow hash: This scenario presumes that someone obtained your password in hashed form (not stored in plain text) and tries to break it offline. Slow-hash means that the number of guesses an attacker can try per second is lower (around 10,000 guesses per second) than with fast hashing (around one billion to one trillion guesses per second).

Password strength depends on different factors and is estimated based on:

  • commonly used passwords, like password, admin, etc.

  • names and surnames, like Mary, Peter, Smith, etc.

  • popular words and common patterns, for example from movies

  • dates, like 29062018

  • repeats, like aaaaaaaa, 1111111, etc.

  • sequences, like abcdefgh, 0123456789, 6789012345, etc.

  • keyboard patterns, like qwertyuiop, asdfghjkl, etc.

  • inverted words, for example, drwossap can be inverted to password

  • L33T (Leet) - replacing alphabet letters with numbers or symbols, like P@$$w0rd, @dmin, etc.

The examples above are very guessable, so you should not use them.

Sana Commerce Cloud does not allow users to reuse old passwords, both in Sana Admin and in the webstore. This keeps your customers’ login data more secure. Users cannot reuse any of their 10 previously created passwords. When users type in or submit an old password, they see an error message that previously created passwords are not allowed.

You can also show and hide the Remember me checkbox on the Sana Admin login page and the webstore login page. When users select the Remember me checkbox while logging in to the Sana webstore or Sana Admin, their login session will be extended to 30 days. This allows customers to access the webstore or Sana Admin without manually entering credentials for a certain period of time. However, if the customer switches to a different web browser or clears the browser history, this extended session will no longer apply. Sana Commerce Cloud does not store user credentials for security reasons, but instead extends the login session when the Remember me checkbox is selected.

Allow Password Unmasking

In addition, using the Allow password unmasking option, you can allow Sana Admin users and Sana webstore customers to see the password characters.

If this option is enabled, a user can make all characters in the password field visible by clicking the eye icon. In this way, users can check what they have typed so far and whether the password is correct. To hide the characters again, the user clicks the eye icon once more.

Sana Admin Login Page with Visible Password Characters

Webstore Login Page with Hidden Password Characters

You can also change the eye icon using themes. In Sana Admin click: Design & Layout > Themes. On the Icons tab, in the Other icons section, use the Visibility on and Visibility off fields.

Request Password Update

Keeping your data safe and secure is of utmost importance. There are a number of ways to secure users’ accounts, and asking them to change their passwords regularly is one of them. Regular password changes can reduce vulnerability to cyberattacks and loss of data privacy and security.

Sana Commerce Cloud lets you require Sana Admin users to change their passwords regularly. You can do this using the Request password update and Password update frequency (days) settings.

If the Request password update option is enabled and a number of days is entered in the Password update frequency (days) field, for example 90, then each time a user logs in to Sana Admin, Sana checks when the user’s password was last updated. If the password was updated less than 90 days ago, the user logs in to Sana Admin without changing the password. If the password was last updated more than 90 days ago, the user sees the Update password page, where they have to enter a new password. Once the password is updated, the user is logged in.

If the Request password update option is disabled, Sana never checks the age of users' passwords, and they are not asked to update them.
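As an added example (not Sana's implementation) of the two account rules described on this page, the password history rule and the Request password update check, the following keeps only salted PBKDF2 hashes of the last 10 passwords, rejects a new password that matches any of them, and at login compares the age of the current password with the configured update frequency. That the current password counts as one of the 10, the choice of PBKDF2-HMAC-SHA256 with the iteration count shown, and the string return values of login are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from collections import deque
from datetime import datetime, timedelta, timezone

HISTORY_SIZE = 10           # the page: the 10 previously created passwords are blocked
PBKDF2_ITERATIONS = 50_000  # illustrative work factor; pick it for your own hardware

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a fresh per-password salt; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

class Account:
    """A user record that keeps only hashes of the current and recent passwords."""

    def __init__(self, username, password, now):
        self.username = username
        # Oldest first; history[-1] is the current password. The deque drops the
        # oldest entry by itself once more than HISTORY_SIZE passwords are kept.
        self.history = deque(maxlen=HISTORY_SIZE)
        self.history.append(hash_password(password))
        self.password_updated_at = now

    def is_previous_password(self, password):
        """True if the candidate matches the current or any retained previous password."""
        return any(verify_password(password, salt, digest) for salt, digest in self.history)

    def change_password(self, new_password, now):
        """Apply the reuse rule; the error text mirrors the message the page describes."""
        if self.is_previous_password(new_password):
            raise ValueError("It is not allowed to use previously created passwords")
        self.history.append(hash_password(new_password))
        self.password_updated_at = now

    def login(self, password, now, request_password_update=True, update_frequency_days=90):
        """'denied', 'ok' or 'update_required' (the Update password page) per the page's flow."""
        salt, digest = self.history[-1]
        if not verify_password(password, salt, digest):
            return "denied"
        if request_password_update:
            age = now - self.password_updated_at
            if age > timedelta(days=update_frequency_days):
                return "update_required"
        return "ok"
```

Because each retained password has its own salt, checking a candidate against the history means hashing it once per entry; storing old passwords in an unsalted or reversible form to make this cheaper would turn the history itself into a leak of up to 10 passwords per user.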

Binding of a Session

Session binding associates a user’s login session with specific data that uniquely identifies this session, to provide an extra layer of security. This binding ensures that the session is tightly coupled with data that is difficult to forge or replicate, thereby enhancing security. The goal of session binding is to reduce the risk of login session hijacking and unauthorized access. It can be enabled for Sana Admin and webstore accounts.
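The following is an added illustration of the idea, not Sana's implementation (which this page does not describe in detail): at login the server records an HMAC tag over the session id and some client-identifying data, and every later request must present the same data, otherwise the session is rejected and invalidated. What data is bound (here an arbitrary string standing in for a client fingerprint), the HMAC construction and the invalidate-on-mismatch response are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret used to derive binding tags. Constructed here; a real
# deployment loads it from its secret store so tags survive a restart.
SERVER_KEY = secrets.token_bytes(32)

def binding_tag(session_id, binding_data):
    """HMAC over the session id and the client data the session is bound to."""
    message = session_id + b"\x00" + binding_data.encode("utf-8")
    return hmac.new(SERVER_KEY, message, hashlib.sha256).digest()

class SessionStore:
    """Server-side sessions; each carries the tag of the client data it was bound to."""

    def __init__(self):
        self._sessions = {}

    def create(self, username, binding_data):
        """Issue a fresh random session id bound to the presenting client's data."""
        session_id = secrets.token_bytes(32)
        self._sessions[session_id] = (username, binding_tag(session_id, binding_data))
        return session_id

    def resolve(self, session_id, binding_data):
        """Username for a valid, correctly bound session; None otherwise."""
        record = self._sessions.get(session_id)
        if record is None:
            return None
        username, stored_tag = record
        if not hmac.compare_digest(stored_tag, binding_tag(session_id, binding_data)):
            # The id was presented from a different client context. Treat it as a
            # possible hijack and invalidate the session so nobody can keep using it.
            del self._sessions[session_id]
            return None
        return username

    def active_count(self):
        return len(self._sessions)
```

Storing a keyed tag rather than the binding data itself means the session table does not reveal client attributes if it leaks, and a stolen session id alone is useless without the client context it was issued to; the trade-off is that a legitimate client whose bound data changes (the page notes a browser switch ends the extended Remember me session in a similar way) has to log in again.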