Given the recent data breach at Target -- where more than 100 million customers' credit card information was stolen -- consumers who like to frequent and shop at Apple.com might be glad to know that when it comes to e-retail security, Apple is top-notch.
The news comes from Dashlane research, which took a look at the password policies of the top 100 e-retailers in the US from January 17 through January 22.
The roundup assesses the password policies of the top 100 e-commerce sites in the US by examining 24 different password criteria that Dashlane has identified as important to online security, and awarding or docking points depending upon whether a site meets a criterion or not. Each criterion is given a +/- point value, leading to a possible total score between -100 and 100 for each site.
When the dust settled, Apple sat atop the list with a perfect score of 100. Notably, the rest of the competition trailed far behind, with Newegg, Microsoft and Chegg tying for second place with a score of 65. Target, meanwhile, came in third with a score of 60.
In assessing the password policies of various e-retailers, one of the metrics the study looked at was how stringent the password-creation policies were at each particular site. For instance, the study found that more than 55 percent of retailers allow users to pick common passwords such as "password," "123456" and "12345678." Further, a whopping 70 percent of e-retailers let customers choose the password, "abc123."
Compounding matters, only 61 percent of sites informed users on how to create a strong password, while "93 percent do not provide an on-screen password strength assessment."
The study also looked at how each e-retailer handled multiple incorrect login attempts. Surprisingly, a number of big-name retailers -- including Amazon, Macy's and Best Buy -- all allow users to re-enter their login credentials even after 10 failed attempts.
This is a particularly interesting data point to look at because e-retailers often struggle to find the right balance between password security and avoiding a burdensome user experience.
On this note, Dan Goodin of Ars Technica brings up a good point regarding areas where Dashlane's research could have provided more depth:
The study also didn't gauge several important criteria that are crucial for safeguarding passwords. For instance, do any of the sites allow users to enter passwords through unencrypted HTTP connections? Are password reset links available in HTTP? Do any of the sites allow users to reset passwords using easily guessed security questions? And are passwords hashed using a slow algorithm such as PBKDF2 when they're stored in databases? Also, as Ars has explained before, many meters gauging the strength of user passwords aren't worth the bits they run on. Poorly implemented meters do users a disservice by giving them a false sense of security. Dashlane researchers do nothing to separate effective ones from ineffective ones. Also noticeably absent is any measure of which sites offer two-factor authentication.
Lastly, the study further highlighted which big-name e-retailers achieved scores at or below minus 30. This grouping includes sites like Amazon, Walmart, Groupon, Disney and Ralph Lauren.
Via Ars Technica