Recently this audit summary from US local governments and courts came up in the security channel for a client, specifically item 2.1, which recommends that users be routinely asked to change their passwords. It says:

Without requiring passwords to be periodically changed, the likelihood that accounts could be compromised and used by unauthorized individuals to gain access to sensitive information is increased.

Ensure passwords are periodically changed to prevent unauthorized access to computers and data.

On the face of it, this sounds like a good idea. If there is a password breach, then making sure your users regularly rotate their passwords should ensure that any compromised passwords eventually get changed. No more worries about those compromised passwords…right?

What Forcing Password Changes Really Does

By nature, humans are lazy. That’s why we reuse passwords and why “password” is consistently among the most common passwords found in breaches. When you force password changes on users regularly, they just get lazier: “password” becomes “password1”, which then becomes “password123”, both of which appear on lists of regularly compromised passwords.

That brings us to this 2010 study, which examines the utility of making people change their passwords. It finds that users just transform their passwords in the predictable ways highlighted above. The study shows that around 41% of passwords that were regularly changed would be crackable with the techniques shown in the study, and that 17% of passwords would be crackable within 5 guesses.

So forcing password rotation seems like a good idea, but it does little to improve security.

What Should You Do Instead?

Let’s talk about some of the things you should be doing with your passwords to keep them strong and secure according to NIST Guidelines.

First, and this isn’t specifically in the guidelines, you should be using a password manager like 1Password or Bitwarden. One of the biggest reasons users choose insecure passwords is that they try to remember them. Human memory isn’t great for random strings of text, so people fall back on insecure practices like including their username or the site name in their password. By having a password manager generate your passwords for you, you can be confident that you’re getting truly random, unique passwords.

Second, when you accept a user’s password, check it against databases of passwords exposed in data breaches and reject any that match. Attackers regularly feed those breach lists into password-guessing attacks, so just don’t allow them.

Third, use two-factor authentication (2FA), but don’t allow SMS as a way to deliver 2FA codes. It’s not hard to take over a phone number with a SIM swap, or to use social engineering to get access to an account you shouldn’t have access to, and anyone who can do that has access to your SMS 2FA codes. You should be using a tool like Authy to store your 2FA codes.

Fourth, lock users out of their accounts and require admin intervention after 10 failed password attempts. It would be acceptable to lock someone out for a limited time after the first 10 failed guesses, but if you let them try again after 20 minutes, the next 10 failed guesses should lock the account entirely until an admin works out what is going on. The higher the risk of a breach, the stricter you should be.

Fifth, don’t allow password hints; they make passwords trivial to guess. So much data is out there that someone could find out that the name of my first dog was…nope, not going to tell you. Still, I’m sure I’ve said it on social media before. A good rule of thumb is that if your password has a hint that would let someone guess it, it’s a bad password.

Finally, context-specific items such as the username or the site name should not be allowed as part of the password.
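As an added example that is not part of the original post, the following Python models the acceptance rules above (reject passwords found in a breach corpus, reject passwords that embed the username or site name) together with the lockout policy: 10 failures lock the account for 20 minutes, and once that lock expires, 10 more failures lock it until an administrator intervenes. The breach corpus, the site name and the user names are constructed sample data; the range-lookup function is a local stand-in for a k-anonymity breach API such as Have I Been Pwned’s range endpoint, which a real deployment would query over HTTPS.

```python
import hashlib
import time

# Constructed stand-in for a breach corpus: upper-case SHA-1 hex digests of leaked
# passwords. A real corpus holds hundreds of millions; three are enough to show the logic.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "password1", "password123")
}
SITE_NAME = "examplestore"  # constructed: the site whose accounts are being protected


def sha1_prefix_query(password):
    """Split the SHA-1 into the 5-char prefix a range API receives and the suffix kept local."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_range(prefix):
    """Stand-in for the range API: every suffix in the corpus whose digest starts with prefix.
    The remote side only ever sees the prefix, never the full hash (k-anonymity)."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    prefix, suffix = sha1_prefix_query(password)
    return suffix in lookup_range(prefix)


def contains_context(password, username):
    """True if the password embeds the username or the site name (case-insensitive)."""
    lowered = password.lower()
    return any(term and term.lower() in lowered for term in (username, SITE_NAME))


def password_problems(password, username, min_length=8):
    """Reasons to reject the password; an empty list means it is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if is_breached(password):
        problems.append("appears in breach corpus")
    if contains_context(password, username):
        problems.append("contains username or site name")
    return problems


class LoginThrottle:
    """Lockout policy from the post: 10 failures lock the account for 20 minutes; once
    that lock expires, 10 more failures lock it until an administrator clears it."""

    MAX_FAILURES = 10
    TEMP_LOCK_SECONDS = 20 * 60

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so the policy can be exercised without waiting
        self._state = {}

    def _entry(self, username):
        return self._state.setdefault(
            username, {"failures": 0, "lock_until": None, "rounds": 0, "admin_locked": False}
        )

    def status(self, username):
        e = self._entry(username)
        if e["admin_locked"]:
            return "admin_locked"
        if e["lock_until"] is not None and self._clock() < e["lock_until"]:
            return "temp_locked"
        return "open"

    def record_failure(self, username):
        """Count a failed login; returns the account status after this attempt."""
        state = self.status(username)
        if state != "open":
            return state  # attempts while locked are refused, not counted
        e = self._entry(username)
        e["failures"] += 1
        if e["failures"] < self.MAX_FAILURES:
            return "open"
        e["failures"] = 0
        e["rounds"] += 1
        if e["rounds"] >= 2:  # second round of 10 failures: hard lock
            e["admin_locked"] = True
            return "admin_locked"
        e["lock_until"] = self._clock() + self.TEMP_LOCK_SECONDS
        return "temp_locked"

    def record_success(self, username):
        """A successful login clears the failure count and the round history."""
        self._entry(username).update(failures=0, rounds=0, lock_until=None)

    def admin_unlock(self, username):
        self._state.pop(username, None)
```

The login handler would call password_problems when a password is set and refuse anything with a non-empty result, and would check status before verifying credentials and call record_failure or record_success afterwards. Keeping the clock injectable is what lets the 20-minute window be tested deterministically.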

For IT managers, get people using a password manager and do whatever you can to ensure that they actually use it. Forcing them to change their passwords periodically is so much less secure than using 2FA and proper passwords. Just stop the practice.

We recently started updating an old Gulp-based build process at work using Laravel Mix. Mix is a wrapper around webpack that takes a lot of the setup headache away. If you have a very complex build then Mix may not be for you, but for 90% of developers’ needs Mix is going to serve you well.

I was able to get everything compiling easily, then realized that I wasn’t getting sourcemaps for my CSS files. This means I couldn’t use a browser’s developer tools to see the source .scss file for a given CSS rule.

According to the Mix documentation, I should be able to take the code below and chain a .sourceMaps() call onto it if I want sourcemaps to be generated.

mix.scss( 'source-file', 'destination-path');

This code should generate sourcemaps.

mix.scss( 'source-file', 'destination-path').sourceMaps();

Unfortunately, it doesn’t work. I was still left with my rendered CSS and no sourcemap files generated alongside it. There is even an issue from 2017 highlighting the problem.

Like many things as a developer, the solution was found by reading through a bunch of comments on the issue and forum posts. In the end the code below rendered my .css.map files as expected.

mix.webpackConfig({ devtool: "source-map" });
mix.scss( 'source-file', 'destination-path').sourceMaps();

You need to both configure webpack to generate sourcemap files (the devtool setting) and tell Mix to generate sourcemap files.

Yup, this is contrary to the documentation, which makes no mention of the webpack configuration needed. One of my biggest frustrations as a developer is the lack of care put into documentation. The upside is that I can write about it, and that generates business for me as people find the solutions I write about and then hire me because they figure I can solve other problems they have.

You want to maximize your sales, and streamlining your checkout is a crucial step to this.

In 2015 Barilliance found that the global average cart abandonment rate was over 70%. Take a look at your sales, and realize that there was another 70% of people that had a product in their cart, only to leave. Maybe they even purchased from a competitor?

With the right changes in your checkout process, you could cut your cart abandonment rate by up to 50%. That’s a significant impact on your bottom line. What could you do with the revenue that a 50% higher conversion rate would bring?

Read the whole thing on Liquid Web

If you’re looking at doing some A/B testing with your WooCommerce site then head over to Liquid Web to see the piece I wrote on A/B Testing for WooCommerce.

A/B testing, also known as split testing, is the process you use when you test out two or more different versions of your content. That may be changing the button color on your products, testing where you introduce other products a customer may be interested in, or how you ask for an email address to grow your newsletter list. There are a few things to remember as you start with A/B testing on your WooCommerce store.

First off, for most sites you need to make sure that you’re only testing a single thing at a time. Sure, you could change the font size of the product headings, change the language on the buttons, and change their size and color. You could get lots of variations of your pages out of all that work.

The problem is, how do you know which variation positively affected your bottom line? Was it the color change? Maybe the language change? Did the font size make a difference at all?

Read the whole thing

Yup, it’s Black Friday, and if you run an online store you should be working to increase the average order price. I just published an article on Liquid Web about this.

Today we’re going to look at some of the features WooCommerce offers out of the box to help store owners increase the average order price by showing users other products they may be interested in. We’ll explore why they may not be the best options for some stores. Then we’ll dig into how Smart Offers resolves many of the issues you can encounter with the stock WooCommerce related products options. Finally, I’ll walk you through how to set up Smart Offers on your WooCommerce site.

Read the rest at Liquid Web.

I wrote a post for Liquid Web on Getting Started with Analytics for your WooCommerce store.

One thing my clients often ask is whether my services include adding a site analytics package (usually Google Analytics) to their site. My usual response is that not having site analytics on their new store is like purchasing a new car and not getting the tires.

Yes, I set analytics up to work with WooCommerce for you the day your site goes live. Today we’re going to walk through adding Google Analytics to a WooCommerce site, and then more importantly, what you can do with the information once your site has been running for a while. We’ll end by looking at a few options that are not Google Analytics but will give you similar features.

You can read the rest on their site.

Over at Liquid Web I addressed adding a WooCommerce store to your existing WordPress site. It includes a step-by-step walkthrough of WooCommerce setup, with screenshots.

There comes a time in the life of many WordPress sites when you want to start selling something. Maybe you wrote an ebook, or are looking to offer a way for your users to support your work?

Whatever the reason for looking to sell something, if you’re on WordPress the easiest way to do this is to install WooCommerce. WooCommerce is a standalone plugin that sits on top of WordPress; it is very easy to use, has tons of support, and is very popular (for good reason!).

Today I’m going to walk you through what it takes to set up WooCommerce on your WordPress blog. I’m also going to talk about a few extra plugins you may want to use to maximize your store.

Read the whole post at Liquid Web.

If you’ve ever wondered about affiliates for your site, then I tackled that topic recently for Liquid Web.

Getting traction on many stores is a hard thing. The “build it and they will come” idea just doesn’t hold up even to basic scrutiny. Many sites look at standard marketing like online ads and content marketing. A smaller number look towards adding affiliates to their store.

Today, I’m going to walk you through what it takes to have a good affiliate offering to attract high-quality people to your store. I’ll tell you some of the best methods to use to make sure that you have high-quality affiliates and to avoid fraud. Finally, we’ll look at helping your affiliates succeed and provide a quick overview of some options for setting up affiliates on your site.

Read the rest on Liquid Web.

I was recently doing some site optimization work for a client and found that there were a few setup steps with Pingdom that weren’t 100% clear.

Today we’re going to take a look at how you set up Pingdom to monitor your WordPress or WooCommerce site.

It’s fairly well understood that for most businesses an online store is a good thing. It will usually extend your reach into places you can’t reach from retail locations.

My latest column for Practical eCommerce talks about some tips for those online only stores so that they can make better connections offline.

Many brick-and-mortar stores have found success in migrating online. But the trend has reversed somewhat. Pure-play ecommerce companies are finding success with physical stores. We addressed the topic last month, in “Ecommerce Merchants Embrace Brick-and-mortar.” We cited the example of Warby Parker, which found that having locations for customers to try on glasses led to higher conversions.

Read Offline Sales Tips for Online Merchants.