A new report from Dashlane, known for its password manager software, examines password security at many of the UK’s leading e-commerce websites, and it doesn’t make pretty reading.
The study revealed several concerns, the worst of which is the fact that 66% of the websites examined allowed the weakest of the weak passwords, such as “123456” and “password.” Considering how widely such poor passwords are used, it is likely that anyone trying to gain access to an account would try them first!
The same number – 66% – also allowed users to try passwords repeatedly without limit. By not limiting password attempts, the sites are allowing the use of automated password-cracking software. Some of the offenders in this area are well-known names such as Amazon, Tesco and Next.
Only 60% of the top 100 e-commerce sites offered any kind of advice to users on how to set up a strong password. It’s sad that such advice is needed, but these messages can prompt people to use something more secure than they otherwise would. Similarly, password strength meters can play a part in encouraging more secure passwords, but these were only present on 14% of the sites looked at.
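The three controls discussed above (rejecting the weakest passwords, giving users strength feedback, and limiting repeated attempts) are simple to implement on the server side. As an added example that is not part of this article or of Dashlane's report, the Python below sketches a login guard with a common-password blocklist, a feedback function, and a per-account lockout after repeated failures. The blocklist contents, the five-attempt threshold and the 15-minute lockout are constructed values for illustration, not figures from the report.

```python
"""Added example (not from the Dashlane report): a minimal login guard that
rejects the weakest passwords, gives strength feedback, and throttles repeated
failed attempts per account. Blocklist and thresholds are constructed values."""
import time
from collections import defaultdict

# Constructed sample blocklist; a real deployment would load a large list of
# known-breached passwords rather than this handful.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein"}

MIN_LENGTH = 9           # "more than 8 characters", as the quote below puts it
MAX_FAILED_ATTEMPTS = 5  # assumption: lock the account after five failures
LOCKOUT_SECONDS = 900    # assumption: 15-minute lockout window


def password_feedback(password: str) -> list[str]:
    """Return a list of problems with a candidate password (empty if acceptable).

    This is the kind of message a site can show instead of silently accepting
    '123456'. The blocklist match is case-insensitive so 'Password' is caught too.
    """
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("password is on the common-password blocklist")
    if len(password) < MIN_LENGTH:
        problems.append(f"password must be at least {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("use at least three of: lower case, upper case, digits, symbols")
    return problems


class LoginThrottle:
    """Per-account failed-attempt counter with a time-based lockout.

    This is the control that sites allowing unlimited attempts lack: once an
    account passes the failure threshold, further attempts are refused until
    the lockout window has passed, which blunts automated guessing.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock                # injectable so tests can fake time
        self._failures = defaultdict(int)  # account -> consecutive failures
        self._locked_until = {}            # account -> unlock timestamp

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lockout expired: clear state so the user gets a fresh allowance.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account: str) -> None:
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS

    def record_success(self, account: str) -> None:
        self._failures[account] = 0
        self._locked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str,
                  password: str, expected: str) -> str:
    """Simulate a login attempt; returns 'locked', 'ok' or 'denied'.

    'expected' stands in for the stored-credential check, which is out of scope
    here; a real system verifies against a salted password hash, never plaintext.
    """
    if throttle.is_locked(account):
        return "locked"
    if password == expected:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


if __name__ == "__main__":
    print(password_feedback("123456"))
    guard = LoginThrottle()
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(attempt_login(guard, "alice", "wrong-guess", "Correct-Horse-9"))
    print(attempt_login(guard, "alice", "Correct-Horse-9", "Correct-Horse-9"))
```

The throttle keys on the account name, so a lockout protects a single user against guessing of their own password; a production system would combine it with a per-source-address limit and would verify credentials against a salted hash rather than the plaintext comparison used here as a stand-in.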
Another shocking figure is the revelation that a quarter of the top 100 sites are sending passwords via email in plain text, which is incredibly insecure. Offenders here include The Body Shop and Superdrug.
Dashlane looked at 26 aspects of password security in all and gave each site a points score via a + and – system. With a score range of -100 to +100 it was determined that Apple performed best overall with Travelodge UK and B&Q (diy.com) rounding off the top 3:
At the other end of the scale the scores were pretty awful, with Urban Outfitters (-60), Holland & Barrett (-50) and Teletext Holidays (-50) making up the worst 3 sites for password security:
This latest report from Dashlane follows on from similar research performed in the US and France in recent weeks. A comparison shows that approaches to website passwords are broadly similar to the US but significantly better than in France where it is seemingly quite common for credentials to be emailed in plain text.
Speaking about the findings Dashlane’s community manager, Ashley Thurston, said:
“It’s clear that it’s time for companies to implement better password security, which can be done cheaply and quickly using open-source technology. On the flip side, consumers can protect themselves by creating strong passwords that are long (more than 8 characters), complex (include a letter, number, a mix of upper and lower case letters, and/or symbols).”
Does your business website allow your customers to use weak passwords, or does it fail in any of the other areas above? If so, now is the time to do something about it.