Even big-name brands score badly in website password practices

Filed Under: Featured, Security threats

Two-thirds of the UK's top 100 e-commerce sites are happy for their users to protect their account with feeble passwords such as "password" or "123456". Two-thirds also allow more than 10 failed password attempts, while 60% don't offer any advice on choosing strong passwords during their account setup process.

These stats come from a study by password management software provider Dashlane, which has previously carried out similar studies in the US and France.

By Dashlane's reckoning, UK sites come out ahead of French ones in all password security measures, but lag behind US sites in most categories.

The UK leads only in blocking access after four failed attempts - a fairly small lead with 15% of top sites compared to 8% in the US and 5% in France - and rejecting previously-used passwords (40% compared to 30% in the US and 9% in France).

The study involved signing up to all the top online shopping sites in the UK, as reported by the IMRG-Experian Hitwise Hot Shops List published by Digital Strategy Consulting in June 2013.

Details of the password selection stage of the sign-up process, plus password resetting and response to repeated failed login attempts, were rated against a complex wishlist of sensible practices, with a positive or negative score given for complying or failing to implement each step.

Total scores spanned from a maximum of +100 for the best performers to -100 for those with the shoddiest practices. Full details of the ranking approach can be found in Dashlane's detailed methodology document.

The only service scoring the maximum +100 is Apple, which clearly deserves a commendation for its thoroughness. Also doing well are hotel chains Travelodge (+95) and Premier Inn (+90), and DIY chain B&Q (also on +90).

No-one else scored above +65, and only 37% of the sites surveyed managed a positive score.

The worst offenders

Top names doing a poor job include Amazon UK, Amazon.com, John Lewis and Debenhams, all rated in the top ten in terms of turnover but scoring negative numbers for their password policies.

The lowest scorers include cut-price retailers such as TKMaxx, Wilkinson and Superdrug, but also more upmarket brands like Boden and Laura Ashley. These all rate a poor -50, while lowest of all at -60 is global fashion outlet Urban Outfitters.

Urban Outfitters fared slightly better in the US version of the study published in January, implying that either its UK site is less well designed or the company has actually relaxed its security in the last few months.

The poorest showings in the US list include big names such as Toys R Us, J.Crew and American Girl.

Apple was again a standout top performer with a perfect 100 and other good sites include Microsoft, Nike and, perhaps surprisingly given recent horrors, Target.

Back to the UK study though, and 79% accepted passwords of 6 or fewer characters, and 69% do not even require a mix of numbers and letters, let alone changes of case and special characters.

70% would accept "password", 60% would be fine with "123456".

25% were also happy (and able) to email passwords to users in plain text. A site that can do this is storing passwords in a recoverable form rather than properly protecting its password database, and it is also rather too trusting of email security.

Sadly the study doesn't look at the other side of password selection policies, where some sites explicitly prevent the use of longer passphrases or special characters, a particular bugbear for those trying to maintain a solid front against poor passwords.

All this paints a rather depressing picture, but repeated naming-and-shaming might eventually jog the operators of the poor-performing sites into improving things.

While readers of this blog are, of course, well educated on sensible password selection, the general public is unlikely to start being more careful unless forced to, and these big sites are best placed to start that enforcement.

Best practice

It's in their own interest as well as that of their customers to ensure that privacy and security are given the proper attention, as any leak of data or hijacking of accounts will have a negative impact on their reputation.

So they should be enforcing minimum length and complexity requirements, ideally starting well above 8 characters. They should provide advice on how to choose good passwords as well as flagging up poor choices. And they should be ensuring password data is properly encrypted on their servers, and that brute-force attempts to guess passwords are blocked.

They should be doing all this at the very least.
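As an added illustration, not code from the article or from Dashlane, here is how a site might enforce the checks just listed in Python: a policy check that rejects short, common, single-character-class and previously used passwords, plus a per-account lockout counter. The 12-character minimum, the four-attempt limit, the history depth and the sample common-password list are assumed values, not figures from the study.

```python
import hashlib

# Settings modelled on the practices the study rewards; the 12-character minimum,
# four-attempt lockout and history depth are assumptions, not Dashlane's numbers.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 4
HISTORY_SIZE = 5
# Constructed sample; a real site would load a large common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: what is stored cannot be emailed back to the user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def check_password_policy(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return policy failures for a candidate; history holds (salt, hash) pairs of old passwords."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if not (any(c.isdigit() for c in password) and any(c.isalpha() for c in password)):
        problems.append("needs a mix of letters and numbers")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both upper and lower case")
    # Reject reuse by rehashing the candidate under each old salt and comparing.
    if any(hash_password(password, salt) == old for salt, old in history[-HISTORY_SIZE:]):
        problems.append("was used previously")
    return problems

class LoginThrottle:
    """Counts failed logins per account and refuses further attempts once the limit is hit."""

    def __init__(self, limit: int = MAX_FAILED_ATTEMPTS):
        self.limit = limit
        self.failures: dict[str, int] = {}

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.limit

    def record(self, user: str, success: bool) -> bool:
        """Record one attempt; returns True if the account is locked afterwards."""
        if self.is_locked(user):
            return True  # stays locked until reset out of band
        if success:
            self.failures.pop(user, None)
        else:
            self.failures[user] = self.failures.get(user, 0) + 1
        return self.is_locked(user)
```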

As one might expect given the source, the data also pushes us towards password management tools, with most people unable to handle multiple strong passwords without some degree of recycling.

Alongside Dashlane's own free offerings, other password managers are of course available, including LastPass, KeePass, 1Password and Roboform, plus a proliferating selection of solutions from security vendors and other software houses.


Image of login and password post-it courtesy of Shutterstock.


8 Responses to Even big-name brands score badly in website password practices

  1. I'm still horrified that my bank won't allow me to create a password longer than 6 characters with only letters and numbers, and case insensitive at that. Ridiculous in this day and age.

  2. Doesn't surprise me one bit.
    I discovered this for myself 2-3 years ago. Got quite frustrated over time, and that led me to using a password manager.

  3. Blake · 138 days ago

    I would say it is time for a new bank!

  4. hotdoge3 · 135 days ago

    So they should be enforcing minimum length and complexity requirements, ideally starting well above 8 characters.

    tell my bank as the max is 8 characters and lower case only abcd1234

  5. Jim · 134 days ago

    Does Sophos have a "best practices" statement for passwords? If so, it would be good to link to it.

    Many people don't know how to create a password that's both strong and reasonably easy to remember. Throw in requirements to change it every X months and the typical customer just throws their hands up in frustration. But, there ARE good ways to make decent passwords.

    But, perhaps more importantly, how do they keep track of them? If it's on a Post-It note, ....


About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.