There have been some recent large-scale security breaches at popular retailers here in the United States where millions of records of personal data and even credit card numbers have been stolen. Team SoftwareKey takes security very seriously. We are excited to announce several new security enhancements that we will soon be rolling out in SOLO Server, starting with build 1.14.2.3.
SOLO Server Security Enhancements
We understand that many of our customers have unique ways of interfacing with SOLO Server and their customers. It is important to first understand a little history of SOLO Server and the need for these security enhancements. To perform an online activation, the end-user needs to enter a License ID and Password. In early versions of SOLO Server, the software publisher was able to generate unique, random passwords for every customer when adding the license.
When we added the self-service features of our eCommerce and customer license portal, customers were given the option to set or change their password. Though best practices dictate using a unique password for every web site or service, it is quite common for people to reuse the same password across multiple web sites. This can lead to a security risk, because if a password from one site is compromised, then accounts on other web sites could potentially be compromised as well.
Phase 1 (complete): Ask customers to choose unique passwords
The first step we took to address security concerns was to ask the customer to choose a unique password and even offered a link to generate a randomized password when creating an account through the shopping cart. To drive the point home, we even warned the customer that support personnel would be able to see the password that was entered. This feature was published in 2013. We found that customers disregarded this warning.
Phase 2 (complete): Remove customer password from being displayed on transaction receipts
Starting in SOLO Server build 1.14.2.2, we removed the customer password from being displayed on the default order transaction receipt page and transaction receipt email. Instead of displaying the password, a link is available in these receipts to recover the password by email. If you are using a custom invoice template or for some reason need to have the password displayed on the transaction receipts (not recommended), please open a support ticket.
Phase 3 (starting in 1.14.2.3): Remove customer password from administration interface
Even though customers can use the random password generation feature during shopping cart checkout, we wanted to add further protection in case they do not choose a unique password. To minimize the exposure of customer passwords in SOLO Server, we have made several changes:
- Users and groups now support a new View Password permission. Users and groups without this permission will no longer be able to view or edit the customer password.
- This new permission can only be edited by users with Master User permission. This is a “superuser” type permission for server operators.
- For new installations and upgrades of self-hosted SOLO Server instances, this new permission will default to disabled. Any users/groups which require this permission will need to be updated to enable this permission.
- For SOLO Server Dedicated URL instances hosted by SoftwareKey.com, this new permission will default to enabled. Any users/groups which should not be able to view/edit passwords will need to be updated to disable this permission.
- For customers using the SOLO Server Shared URL instance hosted by SoftwareKey.com, this View Password permission will be disabled in the near future. For any users requiring this permission, we ask that the main contact open a support ticket to request enabling it, along with a list of User IDs and/or groups requiring the permission.
- The customer password has been removed from all reports and exports that previously included it.
- Searching by customer password is available only through the search page and the XmlCustomerService.CustomerSearch web method, and only for user accounts with the View Password permission enabled.
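The permission model in the list above, as an added Python sketch that is not SOLO Server's own code (the Permission and User types, the function names and the sample customer records are all assumed or constructed for illustration):

```python
# Added illustration of the View Password permission model; not SOLO Server code.
# Class and function names and the sample records are assumed/constructed.
from dataclasses import dataclass, field
from enum import Enum

class Permission(Enum):
    VIEW_PASSWORD = "ViewPassword"   # gates viewing/editing/searching by password
    MASTER_USER = "MasterUser"       # server-operator "superuser" permission

@dataclass
class User:
    user_id: str
    permissions: set = field(default_factory=set)

# Constructed sample customer records, keyed by License ID.
CUSTOMERS = {
    1001: {"license_id": 1001, "name": "Alice", "password": "hunter2"},
    1002: {"license_id": 1002, "name": "Bob", "password": "hunter2"},
}

def default_view_password(hosting: str) -> bool:
    """Default for View Password by deployment type, as the post describes:
    enabled only for Dedicated URL instances; self-hosted starts disabled."""
    return hosting == "dedicated"

def set_view_password(actor: User, target: User, enabled: bool) -> None:
    """Only a user holding Master User may grant or revoke View Password."""
    if Permission.MASTER_USER not in actor.permissions:
        raise PermissionError("Master User permission required")
    if enabled:
        target.permissions.add(Permission.VIEW_PASSWORD)
    else:
        target.permissions.discard(Permission.VIEW_PASSWORD)

def customer_view(user: User, license_id: int) -> dict:
    """Record as shown in the admin UI, reports and exports: the password
    field is dropped entirely unless the caller holds View Password."""
    record = dict(CUSTOMERS[license_id])
    if Permission.VIEW_PASSWORD not in user.permissions:
        del record["password"]
    return record

def customer_search(user: User, password: str) -> list:
    """Search by customer password is refused outright without View Password."""
    if Permission.VIEW_PASSWORD not in user.permissions:
        raise PermissionError("View Password permission required to search by password")
    return [c["license_id"] for c in CUSTOMERS.values() if c["password"] == password]
```

Note that a Master User does not see passwords by virtue of that permission alone; it only controls who may be granted View Password.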
We acknowledge that these changes may cause inefficiencies. We hope that you agree that these security enhancements are important to avoid any potential data breaches, even if it requires a few extra steps by the customer or your staff.
If you experience any issues with the passwords, including when using web service calls, please let us know. More information will be provided soon on any adjustments that may be necessary because of these security enhancements.
You can read the full SOLO Server 1.14.2.3 release notes here.