Pinterest Stumbleupon Whatsapp

According to a new report by password manager and digital wallet Dashlane - A Slick New Password Manager, Form Filler & Online Shopping Assistant Dashlane - A Slick New Password Manager, Form Filler & Online Shopping Assistant If you've tried a few password managers before, you've probably learned to expect some roughness around the edges. They're solid, useful applications, but their interfaces can be overly complex and inconvenient. Dashlane doesn’t just reduce... Read More developer Dashlane, the companies you shop with online are woefully incapable of providing adequate protection. You might not be altogether surprised at this news, but you shouldn’t fall into the apathetic trap.

Many of these retailers owe their entire being to the Internet, yet are incapable of following even the most basic of good data practices. In short, you seriously might want to rethink where you are spending your money online.

The Dashlane Report

Dubbed “The Illusion of Personal Data Security in E-Commerce”, the January 24 report is the first of a series of quarterly reports that’s set to get you fired up about the way online retailers deal with data. Dashlane is responsible for a password manager and digital wallet app of the same name, and while they have a vested interest in security nightmares, we can be confident that the firm knows a thing or two about best security practices.

You might expect that from some of the largest retailers on the web too, but you’d be wrong. While compiling their report Dashlane epitomised some of the worst security habits of users and companies alike, then put them to the test. These techniques included using a list of well-known simple passwords while signing up (think “password” and “123465”), repetitively logging in with incorrect credentials (flooding) and using the account’s existing password to “reset” access.

But users are only a small portion of the wider problem, and retailers were put under even greater scrutiny. Stringent criteria included mandatory password length and complexity, whether or not emails are sent on account creation and password change and if there are measures in place to help users create strong passwords. The report was scored from 100 to -100, with points deducted for poor practices.


This is a report looking at the state of online retailers, hence “e-commerce” in the title. For that reason, you won’t find Facebook, Google, Twitter or many of your other favourite online services among the results.

The Good

It’s not all bad news. None of the companies chosen refuse to mask the password field on account creation, for example (you have to take the small victories). And much of the time reports like this highlight the companies doing well. Companies like Apple – everyone loves Apple, right?

Personal bias aside, they were the only company featured in the report to receive a perfect “100” – which means they ticked every single box asked of them. And as many of you know, Apple’s retail accounts are shared with its wider “Apple ID” login system, so these practices are shared between both sides of the business.

Apple’s perfect score means they’re doing pretty much all they can to keep your data safe and your account in your hands only, including educating new account sign ups about the benefits of a strong password, enforcing mixed case passwords and ensuring a new password is generated when users hit up the “forgot password” link. Apple were followed by Microsoft, Newegg and Chegg who each scored a positive 65.

Microsoft and Newegg both lost points for not including a password strength gauge, while Chegg only required a password length of six characters. Recent point-of-sale malware victims Target came up trumps too, scoring a solid 60 – with points docked for not educating users about strong passwords and some lax flooding control.

There were also some other big names pulling in scores of 30 or above, including Best Buy, Walgreens, Nike and Williams-Sonoma. These are good results, and while the companies shouldn’t rest on their laurels, you can do far worse from an online security standpoint.

The Bad

Of the 100 retailers featured, eight returned passwords to users in plaintext. Of those eight, three –, Blue Nile and Karmaloop – included the username or email associated with that account. Toys R Us, J.Crew, Dick’s Sporting Goods and Aeropostale are the other guilty parties, and that means their passwords are being stored in plaintext too.

Around 60% of retailers allow most widely accepted “bad” passwords – of which 70% were happy with “abc123”. Some of the big names happy to let customers open accounts using “password” include Amazon, Staples and Walmart. Those companies actually have no safeguards whatsoever in place to protect against weak passwords, because they happily accept “qwerty” and “letmein” too.

If I’ve just mentioned your password, please: change it.

Flood control is another poorly implemented measure across-the-board. Amazon come out unfavourably again, allowing 10 or more incorrect login attempts without locking the account. Shocking as it may be, the Internet’s largest retailer isn’t alone: Dell, Best Buy, Macy’s, Toys R Us and Vistaprint are all blissfully in denial about flood attacks (to name but a few).

In general the results aren’t good, particularly as the biggest problems seem to be present with the biggest retailers. A score of -30 or below is considered bad, and companies who hit this low point include the web’s busiest retailer Amazon, supermarket behemoth Walmart and hugely popular discount site Groupon. Other poor performances came from Macy’s, Hulu, Disney and Amazon-alternative Barnes and Noble.

What About Us?

A report about the measures put in place by online retailers only says so much about a greater problem – lax security practices, much of the time on our part too. There’s only so much you can do to protect yourself from identity and credit card fraud, or losing access to an account full of purchases, so why not ensure you’ve ticked all of the boxes?

There wouldn’t be a need to test against known bad passwords if people weren’t still using them, so don’t. The man who uses a different password for each service he signs up for never worries when a security breach is exposed, so do as he does and never re-use passwords. And why think up passwords, when you can generate them securely 5 Free Password Generators For Nearly Unhackable Passwords 5 Free Password Generators For Nearly Unhackable Passwords Read More ?

Having to remember more passwords than you have fingers gets tough, and so you should turn to a password manager to make your life easier. Dashlane provides just that – free and cross-platform I might add – and we were rather fond of it in our review. Don’t forget about the completely free KeePass KeePass Password Safe – The Ultimate Encrypted Password System [Windows, Portable] KeePass Password Safe – The Ultimate Encrypted Password System [Windows, Portable] Securely store your passwords. Complete with encryption and a decent password generator – not to mention plugins for Chrome and Firefox – KeePass just might be the best password management system out there. If you... Read More or the pricey, but feature-packed, 1Password Let 1Password for Mac Manage Your Passwords & Secure Data Let 1Password for Mac Manage Your Passwords & Secure Data Despite the new iCloud Keychain feature in OS X Mavericks, I still prefer the power of managing my passwords in AgileBits's classic and popular 1Password, now in its 4th version. Read More  either. All of these solutions remember passwords, so you don’t have to – just one “master” password.

The Bottom Line

The biggest problem with many of the issues raised by this report is the fact that retailers are still not helping their most vulnerable customers – those who don’t understand the benefits of not using the same password multiple times, or don’t give a second thought to an easy-to-guess password. The other problem is that known problems – like sending passwords in plain text, or allowing an unlimited number of incorrect logins – continue to go unaddressed.

The best way to let such companies know how you feel about their disdain for your personal data is to simply not shop there. As consumers in a jungle of choice, our loudest roar is heard when we open our wallets, so by choosing to not spend any money you’re no longer contributing towards the general feeling of apathy when it comes to security in the digital age.

Hopefully the retailers shamed by their poor practices have already started to review their approach to security online, and by the next report things will already look considerably better. Dashlane’s full report is available to download, so check it out if you’re concerned or simply interested in the full set of data.

Surprised? Outraged? Nonplussed? Hit the comments and unleash your vitriol (or say something nice), below.

Image credit: A Lesson In Security (pbkwee)Apple Store (Håkan Dahlström)

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Rachel Gillevet
    February 6, 2014 at 8:48 pm

    Hey Tim,
    I thought this was a really nice article. There needs to be a greater focus on data security in not only eCommerce, but pretty much all online activity. I thought this would be a valuable post for my readers, so I included it on my roundup of January's best security, web design/development, and CMS content.

  2. Richard Palmer
    January 31, 2014 at 3:12 pm

    Reply to Dragonmouth
    I use a virtual credit card facility provided by my French bank. The card is created for the amount needed for the purchase and with expiry in 2 months.
    But I note that on the Amazon site you can delete your credit card details. I have found this option on other sites also.

    • dragonmouth
      February 2, 2014 at 9:24 pm

      "But I note that on the Amazon site you can delete your credit card details. I have found this option on other sites also."

      That is a logical delete, not a physical delete. The data is deleted from your screen but not from the database. How else can you be getting offers and solicitations from companies that you supposedly severed contact with months before? Very little is ever expunged from databases of retailers.

  3. John Everett
    January 30, 2014 at 7:31 pm

    It's pretty easy to make e-commerce sites the bogeyman here, but the fact remains, the vast majority of credit card fraud happens in the stores and in the street.

    • Tim B
      January 30, 2014 at 10:30 pm

      Definitely John, but this is more about personal data – things like your address, date of birth and so on – that can be used in other attacks, for social engineering purposes or in cases of identity fraud.

      Credit cards are pretty safe on the whole, if anyone steals yours you only need to make a phonecall and the money is generally returned to you straight away. I lost £1300 overnight once, and it was back in my account by 9am (cloned card).

  4. Shade
    January 30, 2014 at 6:40 pm

    Another password manager worth mentioning is LastPass. I've had great experiences with them, but as with any password manager, make your master password stupidly long and complex, and don't forget about 2-factor if it's offered.

  5. Richard Palmer
    January 30, 2014 at 5:42 pm

    The bottom line is DO NOT leave your credit card details on any e-commerce site.

    • dragonmouth
      January 31, 2014 at 12:48 pm

      And how do you propose to do THAT?!

      If you e-shop, you have to provide your credit card details, otherwise the e-tailer will not sell you anything. And once you provide the details, they are recorded in the e-tailer's database forever. You cannot un-ring the bell.

  6. dragonmouth
    January 30, 2014 at 5:39 pm

    "Many of these retailers owe their entire being to the Internet, yet are incapable of following even the most basic of good data practices.."
    "Incapable" or "unwilling"? It costs money to develop. implement AND maintain good data security. For most, if not all, companies profit is priority #1,#2 and #3 and nothing else counts.

    "The best way to let such companies know how you feel about their disdain for your personal data is to simply not shop there."
    Simply not to shop there is not an answer unless you can get millions of people to do that AND let the company(ies) know why. And that just ain't happening! People shop online because of the convenience and a 10,15 or 20 byte passwords with upper, lower case letters, numbers and special characters are definitely not convenient. Besides, no customer thinks that THEIR account will be hacked.

    Inasmuch we want to blame the online retailers, the customers are at fault, too. If they demanded that only complicated passwords be allowed, I'm sure the retailers would implement them. However, it goes back to "convenience." Customers want to sign in, fill their carts and check out with the minimum of hassle and maximum of speed. Security is a hassle.

    • Tim B
      January 30, 2014 at 10:27 pm

      I think your comment goes a little easy on the retailers. It's the retailers who are using the Internet as (in many cases, but not all) a primary means of revenue. The fact that their security practices have conformed to consumer expectations doesn't absolve them of responsibility – in fact it highlights complacency and unprofessionalism. Imagine if car manufacturers or legal representatives did the bare minimum too – nobody would stand for it. So why is e-commerce any different, just because it's money rather than life or a jail sentence on the line?

      With regards to "not shopping there doesn't do anything unless we all don't shop there" well yes, but you've overlooked the fact that I've taken the opportunity to highlight the issue on a fairly well-read blog. So while me and you not shopping there won't make a dent, if a few hundred other readers follow suit then we might have made a little dent for ourselves. Besides, the principle of these things is often far more important than any perceived outcome.

      I didn't absolve the customers completely, but the fact remains that the report focuses mostly on the retailers. It's a scrutiny of retailer security, rather than common bad practices. And, like it or not, there's far far more for retailers to work on than simply learning to come up with more secure passwords. Things like not returning usernames and passwords in plaintext and basic flood control are not difficult or expensive to implement, and it shouldn't be necessary to remind people of that.

    • dragonmouth
      January 31, 2014 at 1:37 pm

      "I think your comment goes a little easy on the retailers"
      Really? You think saying that e-tailers do not want to implement security measures because it would cost them money, is "going little easy on retailers"?

      "if a few hundred other readers follow suit then we might have made a little dent for ourselves."
      Do you really think Amazon would really notice if a couple of hundred or even couple of thousand customers stopped shopping there??? Does an elephant notice a flea bite? An e-tailer like Amazon, that does hundreds of millions of dollars of business annually, would have to lose millions in sales before they noticed it as a trend. But you missed my point. You not only have to stop shopping there but you also have to let the individual in charge (Jeff Bezos in case of Amazon) know WHY you have stopped.

      Popular and powerfull as your blog is and as convincing as you are, do you think you can influence enough people to change their shopping habits to cause the offending e-tailers to lose millions of dollars of sales? If you examine the successful boycots of companies in the past, you will notice that the reason(s) for the boycot were very well publicized. To get the e-tailers to improve their security, you have to let the whole world know that is why you are boycotting them.