Account Security FAQ
We recommend taking the following steps to increase security for your MaxMind account.
- Ensure that all account users have strong, secure passwords that are updated regularly.
- Review users and permissions regularly if you make use of multi-user account access.
- Do not share user accounts and passwords, and deactivate any user accounts that are no longer used.
- Enable two-factor authentication for all account users.
- Check your Account Activity [login required] for unexpected creation/deactivation of users or password changes.
- Treat your license key like a password, and store it securely (e.g. in a password manager).
  - We hash license keys on our end, so a key is displayed to you in full only once, at the time of generation.
- When using your license key in your code, make sure you store it securely.
- Never store your license key where it can be read by other users on shared resources (e.g. version control, code, or public HTML).
- Replace your license key if you suspect it is compromised.
- Use HTTPS with TLS v1.2+ to secure your requests to MaxMind services.
  - Support for TLS v1.0 and v1.1 (all services) and for unencrypted HTTP requests to MaxMind legacy minFraud services ends on October 16, 2019.
  - We continue to support HTTP requests to GeoIP services, but we highly recommend the use of HTTPS with TLS v1.2+.
- If you are using a MaxMind client API, ensure you are using the latest version.
- For automating GeoIP downloads, use GeoIP Update version 3.1.1 or greater.
  - GeoIP Update versions before 3.1.1 transformed the license key in a way that prevents us from comparing what is sent with the hashed key on our side. To take advantage of the hashed license key security feature, upgrade to version 3.1.1 or higher.
  - Older versions of GeoIP Update will continue to work, but we highly recommend upgrading when possible. A guide for upgrading is available in our developer documentation, and our latest version of GeoIP Update is available here.
- If you use the minFraud service, ensure you’re only sending the intended data for an input, as described in our documentation, to avoid accidentally sharing sensitive information (e.g. never pass a full credit card number as the IIN input).
- If you don’t review or download minFraud transactions through your MaxMind account, you may opt to disable your minFraud Transactions page here [login required].
- Avoid sending sensitive account information such as license keys or account passwords in emails. We will never ask you to send us passwords or full license keys.
- If you are unsure whether an email you receive is from MaxMind, please contact us. If you are unsure about links in suspicious emails, please navigate to our website directly.
Contact us if you have any questions or if you notice suspicious activity on your account.
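
One way to apply the license key storage and TLS v1.2+ items above in a client script, shown as an added example that is not MaxMind's code. The environment variable name, the key file and the helper names are assumptions made for illustration.

```python
import os
import ssl
import stat

KEY_ENV = "MAXMIND_LICENSE_KEY"  # hypothetical variable name, not defined by MaxMind


def load_license_key(path=None, env=os.environ):
    """Return the license key from the environment or from a private file.

    A key file is rejected when group or other users have any access to it,
    which is the "readable by other users on shared resources" case.
    """
    key = env.get(KEY_ENV, "").strip()
    if key:
        return key
    if path is None:
        raise RuntimeError("no license key configured")
    # O_NOFOLLOW: refuse a symlink planted in a shared directory.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "r", encoding="utf-8") as fh:
        mode = os.fstat(fh.fileno()).st_mode  # inspect the file actually opened
        if not stat.S_ISREG(mode):
            raise PermissionError(f"{path}: not a regular file")
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: open to group/other, use chmod 600")
        key = fh.read().strip()
    if not key:
        raise RuntimeError(f"{path}: empty key file")
    return key


def tls12_context():
    """Client TLS context that verifies certificates and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def redact(key):
    """Form of the key that is safe for logs or support emails."""
    if len(key) <= 8:
        return "*" * len(key)
    return "*" * (len(key) - 4) + key[-4:]
```

Pass the context to the HTTP client in use, for example `urllib.request.urlopen(url, context=tls12_context())`, and log only `redact(key)`.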