According to a new report by password manager and digital wallet developer Dashlane, the companies you shop with online are woefully incapable of providing adequate protection. You might not be altogether surprised at this news, but you shouldn’t fall into the apathetic trap.
Many of these retailers owe their entire being to the Internet, yet are incapable of following even the most basic of good data practices. In short, you seriously might want to rethink where you are spending your money online.
The Dashlane Report
Dubbed “The Illusion of Personal Data Security in E-Commerce”, the January 24 report is the first of a series of quarterly reports that’s set to get you fired up about the way online retailers deal with data. Dashlane is responsible for a password manager and digital wallet app of the same name, and while they have a vested interest in security nightmares, we can be confident that the firm knows a thing or two about best security practices.
You might expect that from some of the largest retailers on the web too, but you’d be wrong. While compiling their report Dashlane epitomised some of the worst security habits of users and companies alike, then put them to the test. These techniques included using a list of well-known simple passwords while signing up (think “password” and “123465”), repetitively logging in with incorrect credentials (flooding) and using the account’s existing password to “reset” access.
But users are only a small portion of the wider problem, and retailers were put under even greater scrutiny. Stringent criteria included mandatory password length and complexity, whether or not emails are sent on account creation and password change and if there are measures in place to help users create strong passwords. The report was scored from 100 to -100, with points deducted for poor practices.
This is a report looking at the state of online retailers, hence “e-commerce” in the title. For that reason, you won’t find Facebook, Google, Twitter or many of your other favourite online services among the results.
It’s not all bad news. None of the companies chosen refuse to mask the password field on account creation, for example (you have to take the small victories). And much of the time reports like this highlight the companies doing well. Companies like Apple – everyone loves Apple, right?
Personal bias aside, they were the only company featured in the report to receive a perfect “100” – which means they ticked every single box asked of them. And as many of you know, Apple’s retail accounts are shared with its wider “Apple ID” login system, so these practices are shared between both sides of the business.
Apple’s perfect score means they’re doing pretty much all they can to keep your data safe and your account in your hands only, including educating new account sign ups about the benefits of a strong password, enforcing mixed case passwords and ensuring a new password is generated when users hit up the “forgot password” link. Apple were followed by Microsoft, Newegg and Chegg who each scored a positive 65.
Microsoft and Newegg both lost points for not including a password strength gauge, while Chegg only required a password length of six characters. Recent point-of-sale malware victims Target came up trumps too, scoring a solid 60 – with points docked for not educating users about strong passwords and some lax flooding control.
There were also some other big names pulling in scores of 30 or above, including Best Buy, Walgreens, Nike and Williams-Sonoma. These are good results, and while the companies shouldn’t rest on their laurels, you can do far worse from an online security standpoint.
Of the 100 retailers featured, eight returned passwords to users in plaintext. Of those eight, three – 1-800-Flowers.com, Blue Nile and Karmaloop – included the username or email associated with that account. Toys R Us, J.Crew, Dick’s Sporting Goods and Aeropostale are the other guilty parties, and that means their passwords are being stored in plaintext too.
Around 60% of retailers allow most widely accepted “bad” passwords – of which 70% were happy with “abc123”. Some of the big names happy to let customers open accounts using “password” include Amazon, Staples and Walmart. Those companies actually have no safeguards whatsoever in place to protect against weak passwords, because they happily accept “qwerty” and “letmein” too.
If I’ve just mentioned your password, please: change it.
Flood control is another poorly implemented measure across-the-board. Amazon come out unfavourably again, allowing 10 or more incorrect login attempts without locking the account. Shocking as it may be, the Internet’s largest retailer isn’t alone: Dell, Best Buy, Macy’s, Toys R Us and Vistaprint are all blissfully in denial about flood attacks (to name but a few).
In general the results aren’t good, particularly as the biggest problems seem to be present with the biggest retailers. A score of -30 or below is considered bad, and companies who hit this low point include the web’s busiest retailer Amazon, supermarket behemoth Walmart and hugely popular discount site Groupon. Other poor performances came from Macy’s, Hulu, Disney and Amazon-alternative Barnes and Noble.
What About Us?
A report about the measures put in place by online retailers only says so much about a greater problem – lax security practices, much of the time on our part too. There’s only so much you can do to protect yourself from identity and credit card fraud, or losing access to an account full of purchases, so why not ensure you’ve ticked all of the boxes?
There wouldn’t be a need to test against known bad passwords if people weren’t still using them, so don’t. The man who uses a different password for each service he signs up for never worries when a security breach is exposed, so do as he does and never re-use passwords. And why think up passwords, when you can generate them securely?
Having to remember more passwords than you have fingers gets tough, and so you should turn to a password manager to make your life easier. Dashlane provides just that – free and cross-platform I might add – and we were rather fond of it in our review. Don’t forget about the completely free KeePass or the pricey, but feature-packed, 1Password either. All of these solutions remember passwords, so you don’t have to – just one “master” password.
The Bottom Line
The biggest problem with many of the issues raised by this report is the fact that retailers are still not helping their most vulnerable customers – those who don’t understand the benefits of not using the same password multiple times, or don’t give a second thought to an easy-to-guess password. The other problem is that known problems – like sending passwords in plain text, or allowing an unlimited number of incorrect logins – continue to go unaddressed.
The best way to let such companies know how you feel about their disdain for your personal data is to simply not shop there. As consumers in a jungle of choice, our loudest roar is heard when we open our wallets, so by choosing to not spend any money you’re no longer contributing towards the general feeling of apathy when it comes to security in the digital age.
Hopefully the retailers shamed by their poor practices have already started to review their approach to security online, and by the next report things will already look considerably better. Dashlane’s full report is available to download, so check it out if you’re concerned or simply interested in the full set of data.
Surprised? Outraged? Nonplussed? Hit the comments and unleash your vitriol (or say something nice), below.