This post is adapted from the Desk of Andy email on August 4th, 2023. Andy Carlson opened his original Ace Hardware store in 2006 after a twenty-year corporate career in technology. Upon closing his store in September 2022, Andy joined forces with Paresh Rana to help expand DilSe.IT. Andy has 17 years of Ace technology expertise including Epicor, Mango, Margin Master, PCI compliance, Benjamin Moore, the Ace Retailer app, Zebras and more.
Creating and Maintaining Strong Passwords Throughout Your Ace Store…
At DilSe.IT, we take pride in creating innovative processes and technologies that add value for Ace Hardware store owners, managers, and associates.
One of the things we find among the Ace clients we serve is many computers not secured by passwords. We realize this is often a trade-off between customer service and security. However, it is potentially a dangerous trade-off that can be mitigated with some simple steps.
It is important that all computers within your store be secured with a Windows password. That password should be changed periodically – at least every 90 days. After you’ve come to terms with this fact, here are some other things to consider…
Consider the physical security of the computer. For example, point-of-sale (POS) computers are typically behind the queue line counter and relatively safe from unwanted physical access. To achieve a good OSAT score at check-out, cashiers need to move fast. Adding a Windows password with a short time-out will slow them down unnecessarily given that the computer itself is reasonably secure. Consider a 15 to 30 minute time-out on POS computers so the computer is protected after the cashier steps away from it or when it is not currently in use.
Computers without much physical security – such as at the paint counter – should have a short time-out to return them to the Windows login screen. We suggest 2 to 5 minutes.
Back office shared computers should have different Windows accounts for each person who uses them. Again, consider the physical security of the machine. If it is in the receiving area with lots of traffic from employees, delivery drivers, and vendors, consider using a short time-out of 2 to 5 minutes. If the computer is in a locked office area, the time-out can be set longer, but we never recommend more than 15 minutes for a back office machine.
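The time-out and 90-day expiration guidance above can be applied to a stand-alone Windows machine with the script below. This is an added example, not DilSe.IT's own tooling; it assumes local (non-domain) accounts with no Group Policy overriding these settings, and the role names and minute values are taken from the recommendations in this post. Run it from an elevated PowerShell prompt.

```powershell
# Added example: apply the post's per-role inactivity time-out and 90-day
# password expiration to a local Windows machine. Assumes no domain GPO
# overrides these values. Run as Administrator.
param(
    [ValidateSet('POS', 'PaintCounter', 'BackOfficeShared', 'BackOfficeLocked')]
    [string]$Role = 'POS'
)

# Inactivity limit (seconds) per machine role, following the post's guidance.
# Where the post gives a range, the low (more secure) end is used.
$timeoutByRole = @{
    POS              = 15 * 60   # 15-30 min: behind the counter, cashiers need speed
    PaintCounter     =  2 * 60   # 2-5 min: little physical security
    BackOfficeShared =  2 * 60   # 2-5 min: receiving area, lots of foot traffic
    BackOfficeLocked = 15 * 60   # never more than 15 min for a back office machine
}
$seconds = $timeoutByRole[$Role]

# "Interactive logon: Machine inactivity limit" (Local Security Policy) is backed
# by this registry value; Windows locks the session after $seconds of idle time.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs' -Value $seconds -Type DWord

# Local account password policy: expire every 90 days and require at least
# 14 characters (the maximum net accounts allows), which rules out short
# passwords and nudges staff toward passphrases like "Cashiers all love POS4!".
net accounts /maxpwage:90 /minpwlen:14 | Out-Null

# Read back what is now in effect so the change can be audited.
$applied = (Get-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs').InactivityTimeoutSecs
"Role $Role : screen locks after $applied seconds idle ($($applied / 60) minutes)"
net accounts | Select-String 'Maximum password age|Minimum password length'
```

Each user account should still have its own password set separately; this script only sets the machine-wide lock time-out and the aging rules that apply to every local account.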
Train your employees to log out of any computer if they walk away from it to minimize unauthorized access.
While you may trust the physical security of your computer’s location, unexpected situations can arise, such as break-ins, theft, or unauthorized access by personnel with access to the premises. A Windows password provides an additional barrier in such situations.
We realize that passwords can be hard to remember. If your employees write the computer’s password down on a sticky note attached to the monitor, the purpose of having a password is defeated. Consider using passphrases instead, which are longer phrases or sentences that are easier to remember and harder to crack. For example, “Cashiers all love POS4!” You can develop a convention for these phrases that will make them easy to remember even after they change every 90 days, for example, “Cashiers all love POS1 in Q4!”
Ensure that your computer has security and logging features enabled to detect and respond to any unauthorized access attempts. We also strongly recommend anti-malware software such as ESET or Capture Client be installed on all computers.
For your Epicor Eagle computers, you should also use Epicor’s recommended conventions for Eagle passwords. Always require a password to log in to POS. Users with higher levels of Eagle access should all have “high security passwords” that expire every 90 days.
Payment Card Industry (PCI) compliance requires that your store have a strong password policy. By maintaining PCI compliance you can save money on your credit card rates and gain peace of mind that your store systems are secure.
Consider the possibility of remote access. In today’s interconnected world, computers are often connected to networks and the internet. Without a password, remote attackers could potentially gain unauthorized access to your computer and its data as well as other computers connected to your network.
A password vault system is a good way for your management-level employees to set and maintain strong passwords, particularly on back office computers where the most sensitive data is stored.
In summary, adding a password to your Windows computer is a fundamental security practice that helps protect your data, privacy, and sensitive information from unauthorized access, both locally and remotely. Regardless of physical security measures, a password remains a crucial defense against potential threats. DilSe.IT delivers practical cyber security training for Ace Hardware clients.
DilSe.IT delivers a suite of productivity applications from the cloud that we call Hosted Business Services. This includes a password vault system. For more information, click here.