Account security best practices

To protect yourself from risk, learn about generating unique passwords for your accounts, as well as how to secure a compromised account and reset blocked credentials.

Generate unique passwords with a password vault

Many people use the same password for more than one account. Often they pair it with the same username or email address. Without unique passwords, if a username/password pair is exposed, then an attacker might gain access to another account that uses those credentials.

Using password vault software is a great way to generate and manage your passwords. When you use a password vault, you need to remember only the master key to the vault, and your other passwords can be autogenerated jumbles of letters, numbers, and symbols.

Never share your login credentials

Your login credentials, that is, your username and password, are your identity in the digital world and should be kept private and confidential. Sharing this information reduces the security of your account. Don't share your login credentials with anyone, including a colleague, a family member, or a staff member.

Add staff members to your store, rather than giving them access to your account. Staff members can create their own unique credentials and log in to their own accounts.

Shopify Support doesn't ask you for your Shopify password.

Learn how to identify common methods of attack

Learn about how to identify phishing, vishing, and smishing, and what steps you should take if you have had your account or identity compromised.

Activate two-step authentication

Activate two-step authentication for your Shopify account to reduce the likelihood that someone who has acquired your password will be able to cause any damage. Your staff should also set up two-step authentication for their accounts.

Two-step authentication (2SA) is important for online security because it adds an extra layer of security to your account. A password on its own is not enough to prevent an attacker from accessing your account if your password has been shared, guessed, leaked or phished. When you activate two-step authentication, a user must know your password and have access to the physical device that you use to log in to your Shopify admin, such as a mobile device or security key.

When you activate a payment gateway such as Shopify Payments, Shopify requires that you set up two-step authentication to use that payment gateway. If you decide to deactivate two-step authentication in the future, then you expose your account and financial information to potential criminal attacks.

Use two-step authentication on your other accounts whenever possible. Major services that support two-step authentication include:

Use a passkey

Passkeys are a more secure replacement for passwords. They let you sign in to an account without entering a password, and they are both safer and faster than a password. Using passkeys removes the possibility of forgetting a password and needing to reset it, or entering the wrong password and being locked out of your account.

Using a passkey can help you avoid phishing scams, as well as having your password stolen.

You can add a passkey using any authentication method that you use to unlock your device, such as a fingerprint or face recognition, or a device PIN.

Learn more about how to set up passkeys on your Shopify store.

Download your recovery codes and store them in a safe place

The last step in setting up two-step authentication is downloading and saving your recovery codes. If you lose access to your device or you can't log in using a two-step authentication method that you activated, then you can use your recovery codes to log in instead. Store your recovery codes in a secure and confidential place that you can access easily from anywhere.

Learn more about recovery codes.

Secure a compromised account

If your account has been compromised, then take action to protect your data and your finances right away.

Steps:

  1. Log in to the email account that you use to log in to Shopify and change the password.
  2. Log in to Shopify and change the password for your Shopify account. If you can't log in, then reset your password. If you don't receive a password reset email, then contact Shopify Support.
  3. Do either of the following:
    • Activate two-step authentication for extra security when you log in.
    • If two-step authentication is already activated and an attacker was able to defeat it, for example, they stole your device, then you need to remove the authentication method for that device, and then set up two-step authentication again for a different device.
  4. Check your banking details for Shopify Payments and update them if necessary.
  5. Check and update your banking details for PayPal and any other payment providers you have configured.
  6. Review your general account settings to make sure that all other information is correct.
  7. Follow government guides to protect your identity and sensitive information.

Reset blocked credentials

Because many people use the same password for more than one account and pair it with the same username or email address, if a username/password pair is exposed, then an attacker might gain access to other accounts that use the same credentials.

To reduce the risk of this happening to you, we obtain and analyze information from public data leaks. If your credentials are found in any of these leaks, then we lock your account. When you try to log in, you get an error message until you reset your password to one that has not been compromised.

You should also use two-step authentication and password vault software to make all of your accounts as secure as possible.
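The lock-and-reset mechanism above, as an added example that is not Shopify's implementation: a service that has obtained a public leak can check each leaked email/password pair against its own stored password hashes, lock any account whose current password is in the dump, and refuse a reset to a password that was itself leaked for that email. The leak data, account store, function names and PBKDF2 iteration count are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameter; kept low so the example runs quickly.
PBKDF2_ITERATIONS = 50_000

# Constructed sample leak, in the plaintext form public dumps usually have.
LEAKED_PAIRS = [
    ("merchant@example.com", "hunter2"),
    ("merchant@example.com", "Summer2019!"),
    ("someone@else.example", "letmein"),
]


def _normalise(email: str) -> str:
    return email.strip().lower()


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def build_leak_index(pairs) -> dict:
    """Map each leaked email to SHA-256 digests of the passwords seen beside it,
    so the plaintext from the dump does not need to be kept after indexing."""
    index: dict = {}
    for email, password in pairs:
        digest = hashlib.sha256(password.encode()).digest()
        index.setdefault(_normalise(email), set()).add(digest)
    return index


def add_user(store: dict, email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    store[_normalise(email)] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "reset_required": False,
    }


def _password_matches(user: dict, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])


def lock_exposed_accounts(store: dict, leaked_pairs) -> list:
    """Lock every account whose *current* password appears in the leak next to its
    email. Verifying the leaked plaintext against the stored hash separates a real
    exposure from a stale or unrelated pair in the dump. Returns the locked emails."""
    locked = []
    for email, leaked_password in leaked_pairs:
        user = store.get(_normalise(email))
        if user and not user["reset_required"] and _password_matches(user, leaked_password):
            user["reset_required"] = True
            locked.append(_normalise(email))
    return locked


def login(store: dict, email: str, password: str) -> str:
    """Returns "ok", "bad_password", or "reset_required" when the password is correct
    but known to be public, which is the error state the page describes."""
    user = store.get(_normalise(email))
    if user is None or not _password_matches(user, password):
        return "bad_password"
    if user["reset_required"]:
        return "reset_required"
    return "ok"


def reset_password(store: dict, leak_index: dict, email: str, new_password: str) -> bool:
    """Accept the new password only if it was never seen in a leak for this email."""
    key = _normalise(email)
    user = store.get(key)
    if user is None:
        return False
    if hashlib.sha256(new_password.encode()).digest() in leak_index.get(key, set()):
        return False   # still compromised: the user must pick something else
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    user["reset_required"] = False
    return True


if __name__ == "__main__":
    accounts: dict = {}
    add_user(accounts, "merchant@example.com", "hunter2")
    print(lock_exposed_accounts(accounts, LEAKED_PAIRS))
    print(login(accounts, "merchant@example.com", "hunter2"))
```

The order matters: the password is verified before the lock state is reported, so an attacker cannot use the lock message to learn whether a guessed password is right.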

Suspicious login activity

To prevent attackers from logging in to Shopify accounts, Shopify's security systems lock account access when they detect unusual activity. In these cases, you need to confirm your identity as part of the login process.

A ten-digit code is sent to your account email. Enter this code to confirm your identity and log in.

Steps:

  1. On the Verify your identity page, enter the code sent to your email and click Login.
  2. After you successfully confirm your identity, review the previous suspicious login information and indicate if the login was made by you or not by clicking Yes, this was me or No, this wasn't me.
  3. If you click No, this wasn't me, then you need to reset your password to keep your account safe before logging in to your account.

Log in to an inactive account

If you haven't logged in to your account for three months or more, then you need to confirm your identity as part of the login process.

A ten-digit code is sent to your account email. Enter this code to confirm your identity and log in.

Steps:

  1. On the login page, enter the code sent to your email.
  2. Click Login.
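Both the suspicious-login flow and the inactive-account flow above rely on a ten-digit code sent to the account email. The following added example (not Shopify's code) shows the server-side handling a practitioner would expect behind such a step: the code is generated with a cryptographic random source, only a salted hash of it is stored, it expires, it can be used once, and wrong guesses are capped. The lifetime, the attempt limit, the function names and the review-decision handling are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 10
CODE_TTL_SECONDS = 10 * 60   # assumed lifetime; the page does not state one
MAX_ATTEMPTS = 5             # assumed guess limit


def generate_code() -> str:
    """Ten decimal digits from a CSPRNG, zero-padded so leading zeros are kept."""
    return str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


def _hash_code(code: str, salt: bytes) -> str:
    return hashlib.sha256(salt + code.encode()).hexdigest()


def issue_challenge(email: str, now: int):
    """Return (code, challenge). The code goes into the email; the challenge
    record, which holds only a salted hash of it, stays on the server."""
    code = generate_code()
    salt = secrets.token_bytes(16)
    challenge = {
        "email": email,
        "salt": salt,
        "code_hash": _hash_code(code, salt),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
        "used": False,
    }
    return code, challenge


def verify_challenge(challenge: dict, submitted: str, now: int) -> str:
    """Returns "ok", "bad_code", "expired", "used" or "locked"."""
    if challenge["used"]:
        return "used"
    if now > challenge["expires"]:
        return "expired"
    if challenge["attempts"] >= MAX_ATTEMPTS:
        return "locked"
    challenge["attempts"] += 1
    if len(submitted) != CODE_DIGITS or not submitted.isdigit():
        return "bad_code"
    if hmac.compare_digest(_hash_code(submitted, challenge["salt"]), challenge["code_hash"]):
        challenge["used"] = True   # single use: a captured code cannot be replayed
        return "ok"
    return "bad_code"


def record_login_review(account: dict, was_me: bool) -> str:
    """After a verified identity, apply the user's answer to the review prompt.
    Answering "No, this wasn't me" forces a password reset before the next login."""
    if was_me:
        return "login_allowed"
    account["password_reset_required"] = True
    return "password_reset_required"


if __name__ == "__main__":
    code, challenge = issue_challenge("merchant@example.com", now=1_000)
    print("emailed code:", code)
    print(verify_challenge(challenge, code, now=1_000))
    print(verify_challenge(challenge, code, now=1_000))   # second use is refused
```

Storing a hash rather than the code itself means a leaked challenge table does not hand out working codes, and the constant-time compare keeps response timing from revealing partial matches.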

Unrecognized device login

If Shopify doesn't recognize a device used for login, then you receive an email from Shopify with the subject line "A new device has logged in to your Shopify account".

To ensure your account is secure, you need to verify that you recognize the new device.

If you don't recognize the device displayed, then your account might have been compromised. Follow the steps below to secure your account.

Steps:

  1. Open the email and click Check activity.
  2. Review the device and login details.
  3. Do one of the following:
    • If you recognize the device, then click Yes, it was me.
    • If you don't recognize the device, then click No, secure account and follow the instructions to secure your account.

If you need to change your password, then a security code is sent in a separate email for authentication.
