UK’s biggest online retailers are putting customers at risk with poor password policies

As news comes that two thirds of shoppers will make their Christmas shopping purchases online in a year of major security breaches, a new study from password manager Dashlane has revealed that the majority of the UK's most popular e-commerce sites have inadequate password policies.

80% of the sites examined did not meet the minimum score of +50 and 52% received negative scores, meaning that they had exceptionally weak password requirements.

Those who didn't meet the minimum score don't require users to have a capital letter and a number/symbol combination, and 56% of sites allow users to have passwords less than eight letters long.

And a shocking 16% of them allow users to have the ten most common passwords, including 'password,' 'abc123' and '12345.' 

The weakest sites assessed were Asda Groceries, River Island, Amazon UK, Debenhams and Wickes.

'A strong password is one that is at least eight characters long, and contains letters, as well as numbers or symbols,' said Dashlane CEO Emmanuel Schalit. 'This complexity is what keeps hackers from easily guessing your password and accessing your account.'

Although the majority of sites performed poorly, there were a select few who achieved high scores. For the third time in a row, Apple received a perfect score and was the highest ranked site in the Dashlane study. Apple requires long, complex alphanumeric passwords, and does not accept easily hackable passwords.

Several notable sites also have strong password requirements, including Boots, John Lewis, and Very.

'Apple’s password security policies should serve as the gold standard for online retailers,' added Schalit. 'By requiring their customers to create strong passwords they are ensuring they have a strong first line of defense. We applaud other retailers, such as Boots and John Lewis, who have also made great strides towards making password security a priority.'

Passwords are the first line of defense to keep personal data safe online. It is extremely easy for even the most basic website to implement strong password requirements, yet some of the UK’s largest online retailers are leaving their users exposed due to weak password requirements.
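As an added illustration (not code from Dashlane or any retailer named here), the requirements the study measured can be enforced server-side in a few lines: minimum length, letters plus a number or symbol, rejection of common passwords, and a cap on failed logins. The failure threshold, lockout duration and all names are assumptions, and the common-password set holds only the three examples the article names.

```python
import time

MIN_LENGTH = 8
# Only the three examples named in the article; a real deployment loads a larger list.
COMMON_PASSWORDS = {"password", "abc123", "12345"}
MAX_FAILED_LOGINS = 5    # assumed; the article reports on sites allowing 10+ attempts
LOCKOUT_SECONDS = 900    # assumed lockout window


def password_problems(password):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(not c.isalpha() and not c.isspace() for c in password):
        problems.append("no number or symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


class LoginThrottle:
    """Refuse further login attempts for an account after repeated failures."""

    def __init__(self, max_failures=MAX_FAILED_LOGINS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self._failures = {}  # account -> (failure count, time of last failure)

    def allowed(self, account, now=None):
        now = time.time() if now is None else now
        count, last = self._failures.get(account, (0, 0.0))
        if count < self.max_failures:
            return True
        if now - last < self.lockout:
            return False
        self._failures.pop(account, None)  # lockout expired, start over
        return True

    def record(self, account, success, now=None):
        now = time.time() if now is None else now
        if success:
            self._failures.pop(account, None)
        else:
            count, _ = self._failures.get(account, (0, 0.0))
            self._failures[account] = (count + 1, now)
```

The check belongs at registration and password change, while the throttle wraps the login handler: call `allowed()` before verifying credentials and `record()` afterwards.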

But although this picture isn't too promising, there were some overall improvements. The percentage of sites that require a letter and/or number or symbols increased from 42% to 72%. Some of these included eBay and House of Fraser, whose scores both rose after their password requirements became stricter. And the number of sites that allow 10+ brute force logins decreased from 57% to 40%.

'It is encouraging to see positive password security trends in the world of e-commerce,' said Schalit. 'Yet, while the numbers indicate retailers are moving in the right direction, much work remains. Given that it’s 2015, no website, regardless of how large or small it is, has an excuse for not implementing security policies that will better secure their users, as well as maintain the integrity of the brand by protecting the company from malicious attacks.'

Ben Rossi
