NEW YORK, Nov. 17, 2015 /PRNewswire/ --
- 80% of sites do not meet the minimum secure password threshold
- 72% of sites do not require passwords with a capital letter and a number or symbol
- 32% of sites accept the ten most common passwords, including "password"
- Strongest Sites: Apple, Target, Best Buy, Newegg, Bed Bath & Beyond
- Weakest Sites: Dick's Sporting Goods, Zulily, Walmart, Cabela's, Amazon
Apple received the only perfect score, which they also received in each of Dashlane's previous Security Roundups. Target, Best Buy, Newegg, and Bed Bath and Beyond were the only other sites to receive passing scores.
Dick's Sporting Goods received the lowest score. Amazon and Walmart were among the sites receiving the worst scores.
Dashlane's 2015 Ecommerce Security Roundup examined password security policies on 25 of the most popular online retailers. Dashlane tested 22 criteria, and each criterion was given a +/- point value that enabled a website to receive a score between -100 and +100. A score of +50 is Dashlane's minimum requirement for good password practices.
Dashlane CEO Emmanuel Schalit, a Ph.D. in computer science, states, "A strong password is at least eight random characters long, and contains a mix of capital letters, lowercase letters, and numbers and/or symbols. This complexity is what keeps hackers from easily guessing your password."
Dashlane's testers found that 72% of the sites they examined do not require users to have a capital letter and number/symbol combination in their password. They also found that 56% of sites allow users to have a password fewer than eight characters long, including IKEA, Macy's, and eBay.
80% of the sites Dashlane examined did not meet the minimum score of +50, and 44% received negative scores, indicating they have dangerously weak password requirements.
Of greater concern, nearly one-third (32%) of sites accept the ten most common (and weakest) passwords. This means users on sites such as REI, Wayfair, Walmart, and Amazon can choose easily guessable and unsafe passwords, such as 'password', 'abc123', and '123456'.
For the third time in a row, Apple received a perfect score and was the highest ranked site in the Dashlane study. Apple requires long, complex alphanumeric passwords, and does not accept easily hackable passwords. Several notable sites also have strong password requirements, including Target, ToysRUs, Best Buy, and Bed Bath and Beyond.
"Apple's password security policies should serve as the gold standard for online retailers," says Schalit. "By requiring their customers to create strong passwords they are ensuring they have a strong first line of defense. We applaud other retailers, such as Best Buy and Target, who have also made great strides in making password security a priority."
Progress: 2014 vs. 2015
The Ecommerce Roundup is Dashlane's third security roundup since 2014. The 2015 Ecommerce Roundup focused only on the top retailers. Comparison with the previous editions is possible because the majority of the testing criteria remained the same and many of the same sites were examined.
There were some improvements in the performance of the websites:
- The percentage of sites with negative scores decreased from 53% to 44%
- The percentage of sites that allow 10+ brute-force login attempts decreased from 51% to 35%
- The percentage of sites that accept the ten worst passwords decreased from 43% to 32%
- The percentage of sites that scored below +50 decreased from 86% to 80%
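An added example, not Dashlane's scoring code or any retailer's, of how a site would enforce the criteria the release measures: a registration-time password check (at least eight characters, a capital letter plus a number or symbol, rejection of the common passwords the release names) and a failed-login limiter that locks an account before the tenth attempt. The lockout threshold of five and the three-entry deny-list are assumptions chosen for illustration.

```python
"""Password-policy check and login limiter modelled on the Dashlane roundup's criteria.
Added example: thresholds follow the press release; deny-list and lockout count are assumptions."""
import string

MIN_LENGTH = 8                 # "at least eight ... characters long"
MAX_FAILED_ATTEMPTS = 5        # assumption: any value below the 10 the release flags as weak
# Constructed deny-list from the passwords the release names; real lists hold millions of entries.
COMMON_PASSWORDS = frozenset({"password", "abc123", "123456"})


def check_password(pw: str, common=COMMON_PASSWORDS) -> list:
    """Return the list of policy failures for pw; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in pw):
        failures.append("no capital letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        failures.append("no number or symbol")
    if pw.lower() in common:
        failures.append("on the common-password list")
    return failures


class LoginLimiter:
    """Count consecutive failed logins per account and lock the account once the
    count reaches max_failed, i.e. well before the 10 attempts the release treats as a failure."""

    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS):
        self.max_failed = max_failed
        self._failed = {}

    def is_locked(self, account: str) -> bool:
        return self._failed.get(account, 0) >= self.max_failed

    def record_attempt(self, account: str, success: bool) -> bool:
        """Record one login attempt; return True if the account is (now) locked."""
        if self.is_locked(account):
            return True                     # locked accounts reject even correct passwords
        if success:
            self._failed.pop(account, None) # a successful login resets the counter
            return False
        self._failed[account] = self._failed.get(account, 0) + 1
        return self.is_locked(account)
```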
Two examples of sites improving their scores with better password policies were Best Buy and Overstock. Both retailers saw their scores increase because they required their users to create more complex and secure passwords.
"It is encouraging to see positive password security trends in the world of ecommerce," says Schalit. "Yet, while the numbers indicate retailers are moving in the right direction, much work remains. It's 2015, so no website has an excuse for not implementing security policies that will better secure their users."