With nearly half of all holiday shopping expected to be conducted online, attention is turning to the first line of defense against fraud: the humble password. As it turns out, this bulwark isn’t nearly as strong as it could be, according to a study released Tuesday by Dashlane Inc., a New York City-based provider of password and identity management software, though the firm says there has been some improvement in the past year.
The company examined the Web sites of 25 major retailers, scoring their password rules on 22 criteria. With each criterion receiving a plus or minus score, the total score for each site fell between negative 100 and positive 100. The cut-off for acceptable password security is positive 50, Dashlane says.
Only five retailers met or exceeded that threshold: Apple came in number one with a perfect score of positive 100, followed by Target (+85), Best Buy and Newegg (both at +70), and Bed Bath and Beyond (+55). Eleven merchants finished in negative territory.
Criteria for the study, which Dashlane conducted between Oct. 19 and Nov. 2, included such factors as minimum password length, whether a capital letter, number, or symbol is required, and whether the site offers a password-strength assessment. Password-reset policies were also examined, including factors like whether the new password is sent to the user in plain text. Finally, the firm looked at whether common passwords (“password,” “letmein”) are accepted. Each factor carried either a positive or negative weight in the site's overall score.
The study found that 18 sites do not require complex passwords, meaning ones that include a capital letter, number, or symbol. Eight of them accept common passwords, while nine allow 10 or more so-called brute-force log-in attempts, in which attackers use software to feed password guesses into a log-in screen until one works.
“A strong password is at least eight random characters long and contains a mix of capital letters, lowercase letters, and numbers and/or symbols,” said Emmanuel Schalit, chief executive at Dashlane, in a statement. “This complexity is what keeps hackers from easily guessing your password.”
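As an added illustration, not part of the article or of Dashlane's scoring method, the following Python sketch implements the rules the study names from the site's side: the eight-character, mixed-class minimum Schalit describes, a denylist of common passwords, and a failed-attempt limit set below the ten guesses the study flags. The denylist contents and the limit of five are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Callable

# Constructed denylist; a real deployment loads a large list of leaked passwords.
COMMON_PASSWORDS = {"password", "letmein", "123456", "qwerty"}
MIN_LENGTH = 8
# The study faults sites allowing 10 or more guesses; this assumed limit locks earlier.
MAX_FAILED_ATTEMPTS = 5


def check_password_policy(candidate: str) -> list[str]:
    """Return the policy rules the candidate fails; an empty list means accepted."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate):
        failures.append("no capital letter")
    if not re.search(r"[a-z]", candidate):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", candidate) and not re.search(r"[^A-Za-z0-9]", candidate):
        failures.append("no number or symbol")
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("on common-password list")
    return failures


class LoginGuard:
    """Counts failed log-ins per account and refuses further guesses once the limit is hit."""

    def __init__(self, limit: int = MAX_FAILED_ATTEMPTS):
        self.limit = limit
        self.failed = defaultdict(int)

    def attempt(self, account: str, password: str, verify: Callable[[str], bool]) -> str:
        # `verify` stands in for a salted-hash comparison done by the real credential store.
        if self.failed[account] >= self.limit:
            return "locked"  # even a correct guess is refused once locked
        if verify(password):
            self.failed[account] = 0
            return "ok"
        self.failed[account] += 1
        return "locked" if self.failed[account] >= self.limit else "rejected"
```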
Consumers, however, generally find such passwords hard to remember, and so lean toward using simpler codes across multiple sites. Loath to turn away business, many merchants permit lower barriers to entry for shoppers.
This is the third such study Dashlane has conducted since last year, and in this one it found some improvement. While 44% of the sites scored negatively, that’s down from 53% in the last study. And the number of sites scoring below positive 50 fell slightly, from 86% to 80%. The company says that, in particular, both Best Buy and Overstock.com (final score, +4) improved their scores because both began requiring more complex passwords.
“While the numbers indicate retailers are moving in the right direction, much work remains,” noted Schalit in a statement. “It’s 2015, so no Web site has an excuse for not implementing security policies that will better secure their users.”
Founded in 2009, Dashlane says its products have been used by 3.5 million consumers to help protect $4 billion in e-commerce traffic.