By Fahmida Y. Rashid
Sure, users are notorious for selecting weak passwords, but if websites took a few simple steps to shore up security, we would all benefit.
In a survey of popular e-commerce sites and their security practices, Apple, Newegg, Microsoft, Chegg, and Target followed the best security practices, Dashlane found in its quarterly Personal Data Security Roundup report. MLB.com, Karmaloop, and Dick’s Sporting Goods had the worst scores, and Amazon, Walmart, Toys R Us, and Victoria’s Secret didn’t fare all that much better. Apple had the perfect score, the only retailer to do so.
Dashlane rated 100 sites against 24 different criteria, such as whether the site rejected weak passwords, blocked login attempts after a certain number of incorrect logins, or displayed a password-strength meter to give users immediate feedback about secure passwords. Dashlane recommended that e-commerce sites lock accounts after four incorrect login attempts, adopt rules for minimum password security, and provide on-screen suggestions to help users select better passwords.
“Some retailers may argue that such requirements impede user convenience, but companies such as Apple, arguably the most famous brand on the list, have shown that it is possible to be both secure and successful,” Dashlane said.
Weak Passwords
Users frequently select simple passwords to make them easier to remember. But sites that don’t block users from choosing commonly used passwords are not doing their users any favors. The majority, 55 percent, of sites accepted notoriously weak passwords such as “123456,” “111111,” and “password,” Dashlane found. About 70 percent of the sites allowed users to use “abc123” as a password. MLB.com even lets users select “baseball” as their password.
Sites are also not enforcing strong password rules. About 62 percent of the sites in the survey do not require users to select a password that uses both numbers and letters, and 73 percent allow passwords that are shorter than six characters. And 61 percent of the sites didn’t even bother advising users on how to create a strong password during the sign-up process.
While some sites provide a little meter on the screen during password selection indicating whether the user is selecting a weak, moderate, or strong password, not enough are doing that. Of the sites in Dashlane’s study, 93 percent did not offer that kind of feedback.
Account Security
Attackers frequently use “brute-force” methods to break into accounts: they cycle through a list of candidate passwords to see if any of them works. Many sites, especially banks, lock the account after three to five incorrect passwords. Dashlane found that several major sites, including Amazon and Dell, still allowed login attempts even after 10 attempts with the wrong password.
Best Buy, Macy’s, Williams-Sonoma, HSN, LL Bean, Toys R Us, Overstock.com, and Vistaprint rounded out the rest of the top 10 retailers that didn’t lock accounts after incorrect passwords.
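The policy checks the report describes (rejecting common passwords, requiring letters and numbers and at least six characters, giving weak/moderate/strong feedback) and the four-attempt lockout from the previous section, as an added example that is not part of the report or any retailer's code. The blocklist below is a constructed sample built from the passwords the article names; the thresholds and the "strong" cut-off of 12 characters with three character classes are this example's own assumptions.

```python
import string
from dataclasses import dataclass, field

# Constructed sample blocklist (a real site would load a large breached-password list)
COMMON_PASSWORDS = {"123456", "111111", "password", "abc123", "baseball"}
MIN_LENGTH = 6            # the report flags passwords shorter than six characters
MAX_FAILED_ATTEMPTS = 4   # lockout threshold Dashlane recommends


def check_password(candidate: str) -> list[str]:
    """Return the policy rules the candidate violates (empty list = accepted)."""
    problems = []
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):
        problems.append("must contain both letters and numbers")
    return problems


def strength_label(candidate: str) -> str:
    """Coarse weak/moderate/strong feedback for an on-screen meter (assumed cut-offs)."""
    if check_password(candidate):
        return "weak"
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in candidate))
    if any(c in string.punctuation for c in candidate):
        classes += 1
    return "strong" if len(candidate) >= 12 and classes >= 3 else "moderate"


@dataclass
class AccountGuard:
    """Counts consecutive failed logins per user and locks the account at the threshold."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record_login(self, user: str, success: bool) -> str:
        if user in self.locked:
            return "locked"          # locked accounts reject even a correct password
        if success:
            self.failures.pop(user, None)   # a success resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)
            return "locked"
        return "denied"
```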
Eight sites, including Toys R Us, J Crew, and 1-800-Flowers, sent passwords in plain text via e-mail. This means the retailers are storing these passwords as is, without encrypting them, in their databases. Considering the number of data breaches we have seen recently, it’s a little surprising that some major brands still haven’t learned that it is important to encrypt important information in the database. It also makes you wonder what other sensitive data is being stored insecurely.
Step It Up
The report found that “some of the top e-commerce sites in the US fail to implement basic password policies that could adequately protect their users’ personal data,” Dashlane said. The fixes don’t have to be costly to implement or take a long time, Dashlane said.
Yes, users need to take charge of their personal security and do a better job of selecting passwords, but website owners can also step up and demand that users do better. It’s human nature to do just enough to get by, so if major e-retailers raised the bar, that would go a long way towards improving personal data security. Of course, using a password manager (Dashlane’s password manager is a PCMag Editors’ Choice) is always a good choice.