A Dashlane roundup assesses the password policies of the top 100 e-commerce sites in the US by examining 24 different password criteria that Dashlane has identified as important to online security, and awarding or docking points depending upon whether a site meets a criterion or not. Each criterion is given a +/- point value, leading to a possible total score between -100 and 100 for each site.
- 55% still accept notoriously weak passwords such as “123456” or “password”
- 51% make no attempt to block entry after 10 incorrect password entries (including Amazon, Dell, Best Buy, Macy’s and Williams-Sonoma)
- 64% have highly questionable password practices (receiving a negative total score in the roundup)
- 61% do not provide any advice on how to create a strong password during signup, and 93% do not provide an on-screen password strength assessment
- Only 10% scored above the threshold for good password policies (i.e. 45 points or more in the roundup)
- 8 sites, including Toys “R” Us, J.Crew and 1-800-Flowers.com, send passwords in plain text via email.
MLB.com, Karmaloop and Dick’s Sporting Goods received the three lowest scores. Amazon, Walmart, Victoria’s Secret and Toys “R” Us were also among the lowest ranked sites as they all received scores of -35 or below.
These findings are troubling, particularly when examined in the context of numerous recent online security issues at major retailers such as Starbucks. They suggest that some of the top e-commerce sites in the US fail to implement basic password policies that could adequately protect their users’ personal data.
Users at risk
The danger with a weak password policy is that it leaves users’ personal data vulnerable. The weaker the password, the easier it is for hackers to break into an account. Therefore, sites with lenient password policies are leaving their users exposed to greater risk.
The majority of sites accept ten of the most commonly used passwords such as “123456”, “111111” and even the word “password”. Dashlane also discovered that 62% do not require a mix of letters and numbers, and 73% accept passwords with 6 characters or less. MLB even allows users to use the word “baseball” as their password.
In addition to permitting weak passwords, a number of e-commerce sites do not lock users’ accounts after repeated failed access attempts. Numerous sites, including Amazon and Dell, allow uninterrupted normal login attempts even after 10 incorrect password entries. One of the easiest methods hackers use to break into an account is the automated entry of commonly used passwords. Restricting account access after multiple incorrect entries is a simple way to curb this tactic.
When the two issues above are combined, it becomes easy for hackers to access many accounts because they can repeatedly try the most commonly used passwords without being blocked.
Also among the more dangerous practices is the sending of passwords in plain text via email. Thankfully this practice was not prevalent, but the study found that several sites, including Toys “R” Us, J.Crew and 1-800-Flowers.com, still email users’ passwords in plain text.
The solution is simple
To make their password policies more secure, Dashlane recommends that e-commerce sites adopt some simple policies:
- Require that passwords contain at least 8 characters, and a combination of upper/lower-case letters, numbers and symbols
- Block account access after 4 failed logins
- Provide users with on-screen advice on how to choose a strong password during signup
- Provide users with an on-screen assessment of password strength while they’re choosing a password.
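As an added illustration (not code from Dashlane or from any site in the study), the sketch below applies the length, character-mix and failed-login rules recommended above on the server side. The names `password_problems` and `LoginThrottle`, the four-entry blocklist and the 15-minute lockout duration are assumptions made for the example; the article gives no lockout duration.

```python
import string
import time

COMMON_PASSWORDS = {"123456", "111111", "password", "baseball"}  # constructed sample
MIN_LENGTH = 8              # article: at least 8 characters
MAX_FAILED_LOGINS = 4       # article: block access after 4 failed logins
LOCKOUT_SECONDS = 15 * 60   # assumption: the article gives no duration

def password_problems(password):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if len(password) < MIN_LENGTH:
        problems.append(f"has fewer than {MIN_LENGTH} characters")
    classes = {
        "an upper-case letter": str.isupper,
        "a lower-case letter": str.islower,
        "a number": str.isdigit,
        "a symbol": lambda c: c in string.punctuation,
    }
    for label, test in classes.items():
        if not any(test(c) for c in password):
            problems.append(f"lacks {label}")
    return problems

class LoginThrottle:
    """Per-account failed-login counter with a temporary lockout."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}       # account -> consecutive failed attempts
        self._locked_until = {}   # account -> time at which the lockout ends

    def is_locked(self, account):
        return self._clock() < self._locked_until.get(account, float("-inf"))

    def record(self, account, success):
        """Record a login attempt; return True if the account is now locked."""
        if self.is_locked(account):
            return True           # attempts during a lockout are refused outright
        if success:
            self._failures.pop(account, None)
            return False
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] < MAX_FAILED_LOGINS:
            return False
        del self._failures[account]   # start counting afresh after the lockout
        self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
        return True
```

The list returned by `password_problems` can also drive the on-screen advice shown during signup, so the user sees exactly which rule the chosen password fails.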
Some retailers may argue that such requirements impede user convenience, but companies such as Apple, arguably the most famous brand on the list, have shown that it is possible to be both secure and successful. In every category we tested, Apple implemented the 4 simple policies and procedures we recommend above. These policies resulted in the company being awarded the only perfect score in the study.
Target, Nike and Microsoft also received high scores as they all require users to have secure passwords that contain letters, numbers and upper/lower-case combinations.