Two-thirds of top UK e-commerce sites still accept the weakest passwords, such as “123456” and “password”, without warning users that these are the very first guesses an attacker tries when breaking into accounts, according to a survey of 100 leading sites by password manager company Dashlane.
Two-thirds of the British companies surveyed, including Amazon UK, make no attempt to block log-ins after 10 incorrect password entries. Without such a limit, an attacker can point automated tools at the login form and try password after password until one works.
The survey, which focused on 100 e-commerce sites in the UK, found that one-quarter of sites still emailed passwords in plain text (exposing the password to anyone who can read the mailbox or intercept the message), and that 60% of sites still failed to advise users on creating stronger passwords.
“It’s clear that it’s time for companies to implement better password security, which can be done cheaply and quickly using open-source technology,” the company’s Ashley Thurston writes. “On the flip side, consumers can protect themselves by creating strong passwords that are long (more than 8 characters), complex (include a letter, number, a mix of upper and lower case letters, and/or symbols).”
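The three practices the survey checks for, rejecting the most common passwords, enforcing a minimum strength, and locking an account after 10 failed attempts, are simple to implement. The following is an added example written for this page, not Dashlane's code nor that of any surveyed site. The denylist, the 15-minute lockout window, and the PBKDF2 work factor are assumptions chosen for illustration; a production system would load a much larger common-password list and tune the hash to its hardware.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Constructed denylist: the two passwords the survey names plus a few of the
# same kind (an assumption for illustration, not Dashlane's or any site's list).
WEAK_PASSWORDS = frozenset({"123456", "password", "12345678", "qwerty", "111111", "letmein"})

MAX_FAILED_ATTEMPTS = 10   # the threshold the survey checked sites against
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window; pick what fits your risk model
PBKDF2_ROUNDS = 100_000    # assumed work factor; tune (or use a memory-hard hash) in production
_DUMMY_SALT = os.urandom(16)


def password_problems(pw: str) -> list:
    """Return reasons to reject a chosen password (empty list means acceptable).
    Encodes the survey's criteria: not on the common-password list, more than
    8 characters, and a mix of character classes."""
    problems = []
    if pw.lower() in WEAK_PASSWORDS:
        problems.append("on the common-password list: the first guesses an attacker tries")
    if len(pw) <= 8:
        problems.append("8 characters or fewer")
    classes = {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }
    if sum(classes.values()) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    return problems


def _digest(pw: str, salt: bytes) -> bytes:
    # Salted, slow hash: never store or email the password itself.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class LoginGuard:
    """In-memory account store with a per-account lockout after MAX_FAILED_ATTEMPTS."""

    def __init__(self) -> None:
        self.accounts: dict = {}

    def register(self, user: str, pw: str) -> None:
        problems = password_problems(pw)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _digest(pw, salt))

    def login(self, user: str, pw: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'invalid' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            _digest(pw, _DUMMY_SALT)   # same cost for unknown users: no enumeration by timing
            return "invalid"
        if now < acct.locked_until:
            return "locked"            # do not even evaluate the password while locked
        if hmac.compare_digest(_digest(pw, acct.salt), acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.failed_attempts = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"
```

One caveat a practitioner will want: a hard per-account lockout lets anyone who knows a username lock its owner out, so real deployments usually combine it with per-source-IP throttling, progressive delays, or a CAPTCHA rather than relying on the counter alone.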
The survey scored companies +1 or -1 on each criterion, such as requiring alphanumeric passwords, emailing users when a password was changed, and showing a password-strength meter so users could see when they had chosen a strong password, giving each site a total between -100 and 100. Overall, Apple scored highest for good security practice.
The current survey is a companion to Dashlane’s previous surveys of U.S. e-commerce sites, which performed slightly better than UK companies across virtually all categories, as shown in Dashlane’s detailed breakdown here. As The Register notes, the UK results are more encouraging than those from France, where nearly one in two sites send passwords and account confirmations via email in plain text.
Veteran security writer Graham Cluley details some of the difficulties in persuading users to practise good password hygiene – and some solutions, in a We Live Security blog post here.