A new study shows most e-retailers are not strict enough with password requirements and could be putting consumer data at risk.
Abby Callard , Associate Editor
Even though the Heartbleed bug recently had e-retailer’s hearts racing with anxiety, several Top 500 e-retailers still have lax password requirements, a study from password management company Dashlane found. The Heartbleed bug opened up e-commerce sites to hackers who could have stolen credit card numbers and personal consumer data.
Despite the increased focus on security following the bug’s discovery, most of the e-retailers in the new study did not have adequate password security.
Dashlane analyzed 22 password criteria for 80 of the web’s most popular web sites, including those operated by Apple Inc., Target Corp., Google Inc.’s Gmail, Craigslist and Wal-Mart Stores Inc. The firm assigned a positive or negative value to each of those criteria and awarded each site a score on a possible scale of -100 to +100. A score of +50 was considered the minimum for good password practices. This is the second such report Dashlane has done; the first was in the first quarter of 2014.
Dashlane has a few requirements for what it considers good password hygiene: Passwords should have a minimum of eight characters and be alphanumeric and case-sensitive. A site should not accept the 10 worst passwords on the web, including ones like “abc123,” “password” and “monkey.” Users should be required to confirm a password change via e-mail and should not be allowed to log in after 10 failed attempts.
Of the 31 e-commerce sites included, 80.6% had scores below +50, which puts the e-commerce sector slightly above the 86.0% of sites tested that had scores below +50. The median score in the e-commerce sector was -12.5, the same as the overall median score. The worst e-commerce offender was Overstock.com, which had a score of -55, but Fab.com, Amazon.com Inc. and Groupon were right behind it with scores of -50, -45 and -45 respectively. None of the e-retailers responded to a request for comment.
18 e-commerce sites let users create passwords with just letters or numbers, and only five required a capital letter. Fab.com and 1-800-Flowers.com Inc. let users create passwords with only one letter. Only five e-commerce sites showed users an on-screen password assessment as they were creating accounts, and 12 e-commerce sites did not require e-mail confirmation.
The study also tested for the acceptance of common passwords such as “password,” and “abc123.” About half of the e-commerce site operators allowed consumers to use “password” as their password, while 18 let them use “abc123.” Twelve e-commerce sites let consumers continue to attempt to log in after 10 failed attempts.
Here’s a list of the Top 500 e-retailers included in the study with their Dashlane password score and ranking: