As news comes that two-thirds of shoppers will make their Christmas purchases online, a new study by password manager Dashlane, its E-Commerce Security Roundup, reveals that the majority of the UK’s most popular e-commerce sites have unsafe password practices. Following recent major security breaches, this leaves today’s online shopper exposed to increasingly sophisticated attackers.
Overall, 80% of the sites Dashlane examined did not meet the minimum score of +50, and 52% received negative scores, indicating exceptionally weak password requirements. Dashlane’s testers found that 80% of the sites they examined do not require users to combine a capital letter with a number or symbol in their password. They also found that 56% of sites, including IKEA, Amazon UK, and eBay, allow passwords of fewer than eight characters.
Dashlane CEO Emmanuel Schalit states, “A strong password is one that is at least eight characters long, and contains letters, as well as numbers and/or symbols. This complexity is what keeps hackers from easily guessing your password and accessing your account.”
Further analysis revealed that 16% of sites allow users to choose any of the 10 most common (and weakest) passwords. This means users on sites such as Wickes, River Island, and Asda Groceries can use easily guessable passwords such as ‘password’, ‘abc123’, and ‘123456’.
Although the majority of sites performed poorly, a select few achieved high scores. For the third time in a row, Apple received a perfect score and was the highest-ranked site in the Dashlane study. Apple requires long, complex alphanumeric passwords and rejects easily guessed ones. Several other notable sites also have strong password requirements, including Boots, John Lewis, and Very.
“Apple’s password security policies should serve as the gold standard for online retailers,” says Schalit. “By requiring their customers to create strong passwords they are ensuring they have a strong first line of defense. We applaud other retailers, such as Boots and John Lewis, who have also made great strides in making password security a priority.”
Passwords are the first line of defense for keeping personal data safe online. Enforcing a minimum length, rejecting the most common passwords, and limiting failed login attempts are simple server-side checks that even the most basic website can implement, yet some of the UK’s largest online retailers leave their users exposed through weak or absent password requirements.
The E-Commerce Security Roundup is Dashlane’s second major security study in the UK, following the inaugural study in the spring of 2014. Although the 2015 study was smaller in scope, a comparison with the previous results can still be made because the majority of the testing criteria remained the same and Dashlane examined many of the same sites in both studies.
There were some overall improvements in the cumulative performance of the websites:
- The number of sites that allow 10 or more consecutive failed login attempts without locking the account (i.e. with no brute-force protection) decreased from 57% to 40%
- The number of sites that accept the ten worst passwords decreased from 42% to 16%
Another improvement was seen in the percentage of sites that require passwords to combine letters with numbers or symbols, which increased from 42% to 72%. Two examples of this were eBay and House of Fraser, whose scores both rose because their password requirements became stricter.
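The criteria the study scores (a minimum length of eight characters, a capital letter, letters combined with numbers or symbols, rejection of the most common passwords, and a lockout before an attacker can make ten or more guesses) are all straightforward to enforce at registration and login time. The following Python is an added example written for this page; it is not code from Dashlane or from any of the retailers studied. The denylist entries beyond the three passwords the study names, the sample account and credentials, the PBKDF2 storage of the password hash, and the lockout threshold of five consecutive failures are all constructed assumptions for the illustration.

```python
import hashlib
import hmac
import os
import string

# Constructed denylist: the three passwords the study names plus a few other
# entries that appear on every "worst passwords" list. Production systems use
# a breach-derived list with millions of entries.
WORST_PASSWORDS = frozenset({
    "password", "abc123", "123456", "12345678", "123456789",
    "qwerty", "111111", "letmein", "iloveyou", "football",
})

MIN_LENGTH = 8              # the study's minimum length
LOCKOUT_AFTER_FAILURES = 5  # assumed value; the study penalised sites allowing 10+


def check_password_policy(password: str) -> list[str]:
    """Return the policy violations for a candidate password.

    An empty list means the password passes the criteria the study scores:
    at least MIN_LENGTH characters, a capital letter, letters combined with
    numbers or symbols, and not one of the most common passwords.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    has_letter = any(c.isalpha() for c in password)
    has_digit_or_symbol = any(c.isdigit() or c in string.punctuation for c in password)
    if not (has_letter and has_digit_or_symbol):
        problems.append("must combine letters with numbers or symbols")
    if password.lower() in WORST_PASSWORDS:
        problems.append("is one of the most common passwords")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; a slow hash limits offline guessing
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS: dict[str, tuple[bytes, bytes]] = {}  # constructed store: username -> (salt, hash)


def register(username: str, password: str) -> None:
    """Create an account, refusing any password that fails the policy."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError(f"weak password: {'; '.join(problems)}")
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


def verify(username: str, password: str) -> bool:
    """Compare against the stored hash in constant time; unknown users cost the same."""
    salt, stored = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = _hash(password, salt)  # always computed, so timing does not reveal valid usernames
    return username in USERS and hmac.compare_digest(stored, candidate)


class LoginGuard:
    """Counts consecutive failed logins per account and locks the account."""

    def __init__(self, max_failures: int = LOCKOUT_AFTER_FAILURES):
        self.max_failures = max_failures
        self._failures: dict[str, int] = {}
        self._locked: set[str] = set()

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; a locked account is not even checked."""
        if username in self._locked:
            return "locked"
        if verify(username, password):
            self._failures.pop(username, None)  # a success resets the counter
            return "ok"
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= self.max_failures:
            self._locked.add(username)
            return "locked"
        return "denied"


if __name__ == "__main__":
    for candidate in ("abc123", "password", "Tr0ub4dor", "Winter!2015"):
        print(f"{candidate!r}: {check_password_policy(candidate) or 'accepted'}")
    register("alice", "Winter!2015")  # constructed sample account
    guard = LoginGuard()
    print([guard.login("alice", "123456") for _ in range(LOCKOUT_AFTER_FAILURES)])
    print(guard.login("alice", "Winter!2015"))  # 'locked' even with the right password
```

Two practical notes: a denylist check against a large breach-derived list rejects far more weak passwords than composition rules alone, and a per-account lockout like the one above should be paired with rate limiting per source address, because an attacker who can trigger the lockout at will can deny legitimate users access to their own accounts.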
“It is encouraging to see positive password security trends in the world of e-commerce,” says Schalit. “Yet, while the numbers indicate retailers are moving in the right direction, much work remains. Given that it’s 2015, no website, regardless of how large or small it is, has an excuse for not implementing security policies that will better secure their users, as well as maintain the integrity of the brand by protecting the company from malicious attacks.”
Full Results
Methodology
The study was conducted by Dashlane from October 19 to November 2, 2015. Dashlane examined 25 popular e-commerce websites. Each site was analysed against a set of 21 criteria. A criterion carried positive weight when it added security and negative weight when it added risk, giving each website a total possible Dashlane Security Score between +100 and -100.