Even big-name brands score badly in website password practices


Two-thirds of the UK’s top 100 e-commerce sites are happy for their users to protect their account with feeble passwords such as “password” or “123456”. Two-thirds also allow more than 10 failed password attempts, while 60% don’t offer any advice on choosing strong passwords during their account setup process.

These stats come from a study by password management software provider Dashlane, which has previously carried out similar studies in the US and France.

By Dashlane’s reckoning, UK sites come out ahead of French ones in all password security measures, but lag behind US sites in most categories.

The UK leads only in blocking access after four failed attempts – a fairly small lead with 15% of top sites compared to 8% in the US and 5% in France – and rejecting previously-used passwords (40% compared to 30% in the US and 9% in France).

The study involved signing up to all the top online shopping sites in the UK, as reported by the IMRG-Experian Hitwise Hot Shops List published by Digital Strategy Consulting in June 2013.

Details of the password selection stage of the sign-up process, plus password resetting and response to repeated failed login attempts, were rated against a complex wishlist of sensible practices, with a positive or negative score given for complying or failing to implement each step.

Total scores spanned from a maximum of +100 for the best performers to -100 for those with the shoddiest practices. Full details of the ranking approach can be found in Dashlane’s detailed methodology document.

The only service scoring the maximum +100 is Apple, which clearly deserves a commendation for its thoroughness. Also doing well are hotel chains Travelodge (+95) and Premier Inn (+90), and DIY chain B&Q (also on +90).

No-one else scored above +65, and only 37% of the sites surveyed managed a positive score.

The worst offenders

Top names doing a poor job include Amazon UK, Amazon.com, John Lewis and Debenhams, all rated in the top ten in terms of turnover but scoring negative numbers for their password policies.

The lowest scorers include cut-price retailers such as TKMaxx, Wilkinson and Superdrug, but also more upmarket brands like Boden and Laura Ashley. These all rate a poor -50, while lowest of all at -60 is global fashion outlet Urban Outfitters.

Urban Outfitters fared slightly better in the US version of the study published in January, implying that either its UK site is less well designed or the company has actually relaxed its security in the last few months.

The poorest showings in the US list include big names such as Toys R Us, J.Crew and American Girl.

Apple was again a standout top performer with a perfect 100 and other good sites include Microsoft, Nike and, perhaps surprisingly given recent horrors, Target.

Back to the UK study though, and 79% accepted passwords of 6 or fewer characters, and 69% do not even require a mix of numbers and letters, let alone changes of case and special characters.

70% would accept “password”, and 60% would be fine with “123456”.

25% were also happy (and able) to email passwords to users in plain text, showing that they are not only failing to store passwords properly (as salted hashes rather than in a form the site can read back), but are also rather too trusting of email security.

Sadly the study doesn’t look at the other side of password selection policies, where some sites explicitly prevent the use of longer passphrases or special characters, a particular bugbear for those trying to maintain a solid front against poor passwords.

All this paints a rather depressing picture, but repeated naming-and-shaming might eventually jog the operators of the poor-performing sites into improving things.

While readers of this blog are, of course, well educated on sensible password selection, the mass public are unlikely to start learning to be more careful unless they are forced to do so, and these big sites are best placed to start that enforcement.

Best practice

It’s in their own interest as well as that of their customers to ensure that privacy and security are given the proper attention, as any leak of data or hijacking of accounts will have a negative impact on their reputation.

So they should be enforcing minimum length and complexity requirements, ideally starting well above 8 characters. They should provide advice on how to choose good passwords as well as flagging up poor choices. And they should be ensuring password data is properly protected on their servers (salted and hashed, never stored in recoverable form), and that brute-force attempts to guess passwords are blocked.

They should be doing all this at the very least.
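The checks the study scored sites on, as an added example not taken from Dashlane or from any of the sites named above: a minimum length above 8, a blocklist for choices like “password” and “123456”, rejection of previously-used passwords, salted hashing rather than recoverable storage, and a lockout after four failed attempts. The blocklist, thresholds and account structure are constructed for illustration.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass, field

COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein"}  # constructed sample blocklist
MIN_LENGTH = 12           # "well above 8 characters"
MAX_FAILED_ATTEMPTS = 4   # lock after four failures, as the best UK sites in the study do

def check_strength(pw: str) -> list[str]:
    """Return the policy rules a candidate password breaks (an empty list means acceptable)."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    rules = [(len(pw) < MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
             (pw.lower() in COMMON_PASSWORDS, "on the common-password blocklist"),
             (classes < 3, "needs three of: lower, upper, digit, symbol")]
    return [msg for broken, msg in rules if broken]

def hash_password(pw: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: the store holds (salt, digest), never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    history: list = field(default_factory=list)  # earlier (salt, digest) pairs, used to block reuse
    failed: int = 0
    locked_until: float = 0.0

def set_password(acct: Account, new_pw: str) -> list[str]:
    """Apply the strength rules and reject the current or any previous password."""
    problems = check_strength(new_pw)
    if any(hmac.compare_digest(hash_password(new_pw, s)[1], d) for s, d in [(acct.salt, acct.digest)] + acct.history):
        problems.append("previously used")
    if not problems:
        acct.history.append((acct.salt, acct.digest))
        acct.salt, acct.digest = hash_password(new_pw)
    return problems

def login(acct: Account, pw: str, now: float) -> str:
    """Return 'ok', 'bad' or 'locked'; a lockout begins after MAX_FAILED_ATTEMPTS wrong guesses."""
    if now < acct.locked_until:
        return "locked"
    if hmac.compare_digest(hash_password(pw, acct.salt)[1], acct.digest):
        acct.failed = 0
        return "ok"
    acct.failed += 1
    if acct.failed >= MAX_FAILED_ATTEMPTS:
        acct.failed, acct.locked_until = 0, now + 900  # 15-minute lockout, then the count restarts
    return "bad"
```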

As one might expect given the source, the data also pushes us towards password management tools, with most people unable to handle multiple strong passwords without some degree of recycling.

Alongside Dashlane’s own free offerings, other password managers are of course available, including LastPass, KeePass, 1Password and Roboform, plus a proliferating selection of solutions from security vendors and other software houses.
