Feb. 13, 2014
CBS MoneyWatch - When deciding which web sites and web services to patronize, you probably don’t consider their password security policies. But as a recent study shows, perhaps it’s something you should take into account.
Recently, password manager vendor Dashlane studied what it considered to be the top 100 e-commerce websites, specifically looking to assess their security policies. The resulting report ranked the sites from best to worst, and called out especially bad performers.
Here are some general results:
- More than half – 55 percent – of e-commerce sites accept weak passwords like “password” or “123456”.
- Also more than half – 51 percent – do not block incorrect entries, even after 10 tries.
- Only about 10 percent of the surveyed sites met Dashlane’s criteria for enforcing strong passwords.
- Some of the best sites in the Dashlane study were Apple, Microsoft, Newegg, and Target. At the bottom of the list were sites like 1-800-Flowers, J. Crew, Toys R Us, and MLB.
- Among the other "notable" sites with low scores were Macy's, Amazon, Overstock.com and Walmart. These sites scored low primarily because they allow more than 10 log-in attempts without locking out the user.
What precautions can you take to protect yourself despite lax password policies at sites you frequent? Here’s a summary of what it takes to keep your passwords secure online:
- First and foremost, don’t re-use passwords at different websites. No matter how strong you make a password, if it gets compromised at one site, you don’t want that to unlock other sites as well.
- Password strength comes from length, not overall complexity. Make it at least 8 characters long, and the longer the better (though many sites limit password length).
- Combine upper and lowercase, numbers, and symbols. Also, use less common symbols – exclamation points are so commonly used in passwords that they are factored into password hacking as if they were an ordinary character.
- Use a password manager to track your passwords. It’s far better to use a program like LastPass, Roboform, or Dashlane than to write down a password or repeat it for ease of memorization.
- If you’re creating a password yourself, refer to a password strength meter to assess its relative strength. Microsoft offers one, for example. Another alternative: Most password managers will generate a strong password for you.
- As many security experts have pointed out, pass phrases – long chains of common words – are far more secure than an 8- or 12-character string of letters and numbers. If a site supports it – especially a site that has your financial information – use that instead.
- Finally, if you have the option, rely on a site’s two-factor authentication. That’s a system in which you need to enter both a password and some other form of security, such as a code that’s texted to your phone. Sites like Google, Twitter, Facebook, and PayPal support two-factor authentication when you try to log in on a device that’s different from your usual PC or phone.
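To make the study's criteria and the advice above concrete, here is an added example (not code from the article, Dashlane, or any site it names) that encodes three of the points in a small Python module: rejecting the weak passwords the study mentions, enforcing the 8-character minimum, locking an account after 10 failed attempts, and comparing the entropy of a character password against a passphrase. The entropy estimates assume uniformly random choice from the character pool or from a Diceware-style 7776-word list; the weak-password set is a constructed handful, not a real blocklist.

```python
import math

# Constructed sample of common weak passwords (the study's examples plus two
# more); a real deployment would use a large breached-password list.
WEAK_PASSWORDS = {"password", "123456", "12345678", "qwerty"}

MIN_LENGTH = 8            # the minimum length the article recommends
MAX_FAILED_ATTEMPTS = 10  # the lockout threshold the study measured against
DICEWARE_WORDS = 7776     # assumed dictionary size for passphrase entropy


def password_entropy_bits(password: str) -> float:
    """Upper-bound entropy of a character password: length * log2(pool size).

    This is the best case, where every character was chosen at random. A '!'
    that crackers treat as routine contributes far less in practice, so this
    number overstates strength for human-chosen passwords.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII symbols
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def passphrase_entropy_bits(word_count: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a passphrase of word_count words drawn at random from a dictionary."""
    return word_count * math.log2(dictionary_size)


def check_policy(password: str) -> list[str]:
    """Return the list of policy violations (empty list means the password is accepted)."""
    problems = []
    if password.lower() in WEAK_PASSWORDS:
        problems.append("common weak password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


class LoginThrottle:
    """Per-account failed-attempt counter that locks after MAX_FAILED_ATTEMPTS."""

    def __init__(self, max_attempts: int = MAX_FAILED_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failed: dict[str, int] = {}
        self.locked: set[str] = set()

    def record_failure(self, username: str) -> bool:
        """Count one failed login; return True if the account is now locked."""
        self.failed[username] = self.failed.get(username, 0) + 1
        if self.failed[username] >= self.max_attempts:
            self.locked.add(username)
        return username in self.locked

    def record_success(self, username: str) -> None:
        """Reset the counter after a successful login on an unlocked account."""
        self.failed.pop(username, None)

    def is_locked(self, username: str) -> bool:
        return username in self.locked


if __name__ == "__main__":
    for pw in ["123456", "password", "Tr0ub4d!"]:
        print(f"{pw!r}: {check_policy(pw) or 'accepted'}, "
              f"{password_entropy_bits(pw):.1f} bits")
    print(f"6-word passphrase: {passphrase_entropy_bits(6):.1f} bits")
    throttle = LoginThrottle()
    for attempt in range(1, 11):
        locked = throttle.record_failure("alice")
        print(f"failed attempt {attempt}: locked={locked}")
```

Running it shows that "123456" fails both checks, "password" passes the length check but is still rejected as a known weak password, and a six-word passphrase carries substantially more entropy than an eight-character mixed-class string even under the generous random-choice assumption. The throttle reports the account locked on exactly the tenth failure, which is the behaviour the study found missing at more than half the sites it scored.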