Security Settings


Applies to: Sana Commerce 9.2.1 and higher

Sana Admin accounts and customers' web store accounts are password-protected. Sana Commerce policy requires Sana Admin users and web store customers to use strong passwords. It is critically important to have a secure and unique password. Moreover, Sana is protected against brute-force attacks.

Using the Security settings in Sana Admin, you can set up a password security policy and force your users to use only strong and secure passwords. The security settings apply to Sana Admin user accounts and Sana web store customer accounts.

The password security policy determines how strong (resistant to guessing) user passwords must be.

To set up password policy, in Sana Admin click: Setup > Security.

Enter the minimum allowed password length and select the password strength score. The default values are:

  • Minimum allowed password length - 7
  • Minimum allowed password strength score - Good

When a user creates an account, instant feedback on the password strength is shown.

Password strength is a numerically expressed measure of the effectiveness of a password against guessing or brute-force attacks. The strength of a password is a function of length, complexity, and unpredictability.

Different algorithms are used to estimate password strength. The higher the required password strength score, the stricter the requirements on the password, and thus the more secure it will be. Sana accounts use a scale of 0 to 4:

0 - Very weak - risky password, such as a simple or commonly used word, or a set of identical characters (repeats).
1 - Weak - protection from throttled online attacks.
2 - So-so - protection from unthrottled online attacks.
3 - Good - moderate protection from offline slow-hash scenario.
4 - Great - strong protection from offline slow-hash scenario.

Throttled online attack - This scenario assumes an attack against a website or online service that holds your password and has an authentication delay mechanism that slows the attack down.

Unthrottled online attack - This scenario assumes an attack against a website or online service that holds your password and has no mechanism to delay or limit authentication attempts.

Offline attack against a "slow" hash - This scenario assumes that someone has obtained your password in hashed form rather than plain text and tries to break it offline. Slow-hash means that the number of guesses an attacker can try per second is lower (around 10,000 guesses per second) than with fast hashing (around one billion to one trillion guesses per second).

Password strength depends on different factors and is estimated based on:

  • commonly used passwords, like "password", "admin", etc.
  • names and surnames, like "Mary", "Peter", "Smith", etc.
  • popular words and common patterns, for example from movies
  • dates, like "29062018"
  • repeats, like "aaaaaaaa", "1111111", etc.
  • sequences, like "abcdefgh", "0123456789", "6789012345", etc.
  • keyboard patterns, like "qwertyuiop", "asdfghjkl", etc.
  • inverted words, for example, "drowssap" can be inverted to "password"
  • L33T (Leet) - replacing alphabet letters with numbers or symbols, like P@$$w0rd, @dmin, etc.

All of the examples above are easily guessable, so you should not use them.
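As an added illustration (not Sana's own code, and not the estimator Sana uses), the Python checker below flags the guessable patterns listed above and applies the page's default policy of a minimum length of 7 and a minimum score of Good (3). The word lists are constructed stand-ins for real dictionaries, and the score thresholds used for pattern-free passwords are assumptions, not values from the page.

```python
import math
import re

# Constructed, tiny word lists standing in for the large dictionaries a real estimator ships with.
COMMON_WORDS = {"password", "admin", "welcome", "letmein", "mary", "peter", "smith"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
LEET = str.maketrans("@$0!3471", "asoieatl")  # undo leet: P@$$w0rd -> password, @dmin -> admin

def _step(a, b):
    """Distance between neighbouring characters; digits wrap so that 9 -> 0 is a step of +1."""
    if a.isdigit() and b.isdigit():
        return (int(b) - int(a) + 5) % 10 - 5
    return ord(b) - ord(a)

def find_weaknesses(pw):
    """Names of the guessable patterns from the list above that match pw (exact matches only)."""
    found, low, norm = [], pw.lower(), pw.lower().translate(LEET)
    if norm in COMMON_WORDS:
        found.append("common word or name")          # covers plain and leet-substituted spellings
    if norm[::-1] in COMMON_WORDS:
        found.append("reversed common word")
    if len(pw) > 1 and re.fullmatch(r"(.)\1+", pw):
        found.append("repeated character")
    if len(pw) >= 3 and {_step(a, b) for a, b in zip(pw, pw[1:])} in ({1}, {-1}):
        found.append("sequence")
    if len(pw) >= 4 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
        found.append("keyboard pattern")
    if re.fullmatch(r"\d{8}", pw):                   # DDMMYYYY or YYYYMMDD
        d, m = (int(pw[:2]), int(pw[2:4])) if int(pw[4:]) > 1900 else (int(pw[6:]), int(pw[4:6]))
        if 1 <= d <= 31 and 1 <= m <= 12:
            found.append("date")
    return found

def estimate_score(pw):
    """0-4 score. Any listed pattern scores 0; otherwise a crude log10(guesses) from charset size
    and length is mapped to 1-4 with thresholds assumed here (3, 6, 8, 10), not taken from the page."""
    if not pw or find_weaknesses(pw):
        return 0
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^a-zA-Z\d]", 33))
    charset = sum(size for rx, size in classes if re.search(rx, pw))
    return sum(len(pw) * math.log10(charset) >= t for t in (3, 6, 8, 10))

def meets_policy(pw, min_length=7, min_score=3):
    """Apply the page's defaults: at least 7 characters and a score of at least Good (3)."""
    score = estimate_score(pw)
    return len(pw) >= min_length and score >= min_score, score, find_weaknesses(pw)

if __name__ == "__main__":
    for candidate in ["P@$$w0rd", "drowssap", "6789012345", "29062018", "Zebra7", "correcthorse"]:
        print(candidate, meets_policy(candidate))
```

A real estimator matches dictionary words and patterns as substrings and ships with far larger lists, so the charset-based score here overestimates strength for anything this small checker does not recognise.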