Security Information

How to protect yourself

Password Security

You should make sure that you keep your password secure. The first step is choosing a secure password. In general, the longer your password, the better and more secure it is. Your password does not have to be just a single word: it can contain spaces, numbers, punctuation, and Unicode characters (i.e. non-Latin characters, including Chinese characters, etc.). Therefore, you can use an entire phrase or sentence as your password, or as part of your password, to help make it as long as possible. However, be careful not to use only dictionary words, as this makes it easier for an attacker to guess. Consider avoiding this by mixing up the cApiTalisATIOn, adding digits3473, or ext,,ra p_unctua(tio%n [sic], for example, or even including nonsense words that are not found in any dictionary (or in any existing film or book). However, making your password long is much more important for security than making it look complicated with numbers and capital letters, so consider using an entire sentence or short paragraph as your password; not one copied from a book, but a new one invented by yourself.
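To make the length-versus-complexity point above concrete, here is an added example (not part of the original page) that estimates the guessing effort for a password under two attacker models: character-by-character brute force, and word-by-word guessing from a wordlist. The wordlist, its assumed size and the sample passwords are constructed for the example.

```python
import math
import string

# Assumed size of an attacker's cracking wordlist (constructed figure; real
# lists are larger, but the comparison below does not hinge on the exact value).
DICTIONARY_SIZE = 200_000
# Constructed mini-dictionary so the example runs offline; a real checker would
# load a full wordlist of common words and leaked passwords.
DICTIONARY = {"correct", "horse", "battery", "staple", "my", "dog", "likes",
              "chasing", "the", "postman", "every", "morning", "password"}

def alphabet_size(pw: str) -> int:
    """Size of the character set an attacker must cover to brute-force pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c == " " or c in string.punctuation for c in pw):
        size += 33
    if any(ord(c) > 127 for c in pw):
        size += 1000  # rough allowance for non-Latin scripts (assumption)
    return size

def brute_force_bits(pw: str) -> float:
    """Guessing effort (log2 of the search space) if every character is unknown."""
    return len(pw) * math.log2(alphabet_size(pw)) if pw else 0.0

def dictionary_bits(pw: str):
    """Effort if the attacker guesses whole words from the wordlist, trying case
    and punctuation variants cheaply. None if pw is not only dictionary words."""
    words = [w.strip(string.punctuation) for w in pw.lower().split()]
    if not words or any(w not in DICTIONARY for w in words):
        return None
    return len(words) * math.log2(DICTIONARY_SIZE)

def estimated_bits(pw: str) -> float:
    """An attacker uses the cheapest strategy, so report the weaker model."""
    candidates = [brute_force_bits(pw)]
    dict_bits = dictionary_bits(pw)
    if dict_bits is not None:
        candidates.append(dict_bits)
    return round(min(candidates), 1)

if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "Correct Horse Battery Staple",
               "my dog likes chasing the postman every morning",
               "my dog likes chasing the flombazzle every morning"]:
        print(f"{estimated_bits(pw):6.1f} bits  {pw!r}")
```

The short "complex" password scores lowest, the four-word phrase beats it even though every word is in the dictionary, and the sentence with one invented word is strongest because no wordlist covers it.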

Avoid simple, common passwords like '12345' or 'password'. Avoid using anything that an attacker could easily guess from context, including your name, the website's name, your birthday or any other important date in your life, or the names of your pets, family, partner, fictional characters, etc.

Do not reuse passwords across multiple services - create a new password for every service that requires one. Also, when changing passwords, do not change to one that you have used previously. Check haveibeenpwned to see whether any of your existing accounts are known to be compromised.

Ideally, you will be able to remember a long passphrase, but if you are unable to, it is a better compromise to write down your password somewhere secure than not to choose a secure password at all. If you do this, though, make sure the password is *only* stored in a secure place (your purse or wallet, perhaps). Do not write it on a sticky note and store it permanently on or near your computer, for example, especially if your computer is located in a shared space like an office or family home.

As an alternative to trying to memorise long passwords (or writing them down) for each website you use, you might consider using a password manager. Password managers are programs or browser plugins you can install which generate unique, secure passwords for every service you use. They encrypt these with a single master password -- now the only one that you have to remember. The disadvantage is that you must now have a copy of your password file and password manager on each computer that you need to log in from. Additionally, if you lose your password database (or your computer crashes, etc.), you will not be able to log in. Wikipedia maintains a list of password managers for comparison.

Avoid telling your password to other people. If multiple people need to use the service, consider getting them to create their own account instead.

Avoid logging into the service from other people's computers, shared computers, and especially public computers (such as at a school or library). Since many people use these computers, their security is outside of your control.

Avoid logging into the service from a public place. If you are using a mobile phone, for example, be very aware of what is behind you. People may be looking over your shoulder, and there might also be security cameras, mirrors, or other reflective surfaces like windows or glasses.

Finally, change your password regularly; at least every 2 or 3 months, for example. This means that even if your password is compromised, the amount of time an attacker has to take control is limited.

If you follow all of these tips, your password will surely remain secure!


How we protect you

TLS

All of your connections to Merchi are secured over HTTPS, the industry best-practice protocol. This uses TLS (the successor to SSL) to encrypt all data that you send on its way to us, preserving your privacy and stopping attackers from being able to change your data.

We regularly review our TLS configuration to make sure it is resilient against all known attacks, even theoretical-only ones. More technical users may want to study our configuration for themselves with the SSL Labs testing tool. At the time of writing, it gives Merchi an 'A+' rating.

HSTS (HTTP Strict Transport Security) is enabled on Merchi to protect you from HTTPS downgrade attacks and cookie hijacking.
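As an added example (not Merchi's own code), here is a small Python checker that parses a Strict-Transport-Security header value and reports whether a given policy actually delivers the two protections named above; the header strings in the test are constructed for the example.

```python
from typing import Dict, List, Union

ONE_YEAR = 365 * 24 * 60 * 60  # the minimum max-age the HSTS preload list requires

def parse_hsts(header: str) -> Dict[str, Union[str, bool]]:
    """Split a Strict-Transport-Security value into lower-cased directives.

    Directives are separated by ';'. 'max-age=NNN' carries a value; flag
    directives such as includeSubDomains and preload are stored as True.
    """
    directives: Dict[str, Union[str, bool]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives

def hsts_findings(header: str) -> List[str]:
    """Return the weaknesses in an HSTS policy; an empty list means it is sound."""
    d = parse_hsts(header)
    findings: List[str] = []
    raw_age = d.get("max-age")
    if not isinstance(raw_age, str) or not raw_age.isdigit():
        # Without a valid max-age the browser ignores the header entirely.
        return ["missing or malformed max-age: browsers ignore the whole header"]
    max_age = int(raw_age)
    if max_age == 0:
        findings.append("max-age=0 clears the policy: no downgrade protection")
    elif max_age < ONE_YEAR:
        # The browser only upgrades http:// to https:// for max-age seconds
        # after the last visit, so a short value leaves gaps between visits.
        findings.append(f"max-age={max_age} is under one year; protection lapses between visits")
    if "includesubdomains" not in d:
        # Cookies scoped to the parent domain can still be sent over plain HTTP
        # to a subdomain the policy does not cover (the cookie-hijacking case).
        findings.append("includeSubDomains missing: cookies can still leak via plain-HTTP subdomains")
    if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload requested but max-age >= 1 year and includeSubDomains are required")
    return findings

if __name__ == "__main__":
    for hdr in ["max-age=31536000; includeSubDomains; preload", "max-age=300", "includeSubDomains"]:
        print(repr(hdr), "->", hsts_findings(hdr) or "OK")
```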

HTTPS Certificates

Merchi uses Let's Encrypt™ certificates to help your browser verify that it is always talking to Merchi, and that an attacker, even including your ISP, is not able to intercept your connection.


Information for researchers

Merchi is not currently running any form of bug bounty program. Nonetheless, we welcome vulnerability reports from security researchers. We warrant that we will act in good faith and have no interest in prosecuting or attacking legitimate researchers for their efforts, and that should we confirm any reported vulnerability, we will make every effort to resolve it as quickly as possible. We ask that researchers abide by the following:

  • Report any vulnerabilities you find as soon as possible
  • Wait at least 90 days from the report before publishing anything about any vulnerability you may find
  • Avoid making Denial of Service attacks against the service
  • Do not download or obtain any sensitive data (including customer data, source code, etc.) beyond the minimum required for vulnerability or attack proof-of-concept
  • If you obtain sensitive data, please immediately delete your copies, and do not publish or forward it to anyone

If you believe that you have found a bug, please report it via email to security@merchi.co. If your bug report is sensitive, you may use the following PGP key: