Amazon, Macy's score low in password security study

James Martin/CNET

When deciding which web sites and web services to patronize, you probably don’t consider their password security policies. But as a recent study shows, perhaps it’s something you should take into account.

Recently, password manager vendor Dashlane studied what it considered to be the top 100 e-commerce websites, specifically looking to assess their security policies. The resulting report ranked the sites from best to worst, and called out especially bad performers.

Here are some general results:

  • More than half – 55 percent – of e-commerce sites accept weak passwords like “password” or “123456”.
  • Also more than half – 51 percent – do not block incorrect entries, even after 10 tries.
  • Only about 10 percent of the surveyed sites met Dashlane’s criteria for enforcing strong passwords.

Some of the best sites in the Dashlane study were Apple, Microsoft, Newegg, and Target. At the bottom of the list were sites like 1-800-Flowers, J. Crew, Toys R Us, and MLB. And while you as a user can easily work around some poor password policies – even if a site doesn’t require a strong password, for example, you can still create one yourself – some of these sites have policies that are downright dangerous. 1-800-Flowers, J. Crew, and Toys R Us, for example, send you your password in plain text via email – that’s plainly reckless.

Among the other "notable" sites with low scores were Macy's, Amazon, and Walmart. These sites scored low primarily because they allow more than 10 log-in attempts without locking out the user.
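The three findings above (weak passwords accepted, no lockout after 10 failures, passwords emailed in plain text) are all server-side policy decisions. The following is an added example, not code from the article or from Dashlane, showing what the opposite policy looks like: a denylist check at signup, a per-account lockout after the study's threshold of 10 failed attempts, and password storage as a salted PBKDF2 hash so the site never holds anything it could email back. The denylist, the user record, the 15-minute lockout duration and the `alice` account are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed denylist; a real site would load a large breach-derived list.
WEAK_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein"}
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 10      # the threshold the Dashlane study used
LOCKOUT_SECONDS = 15 * 60     # assumed lockout duration for this example
PBKDF2_ROUNDS = 100_000


def password_acceptable(candidate):
    """Policy check at signup: reject short passwords and entries on the denylist."""
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    if candidate.lower() in WEAK_PASSWORDS:
        return False, "common password"
    return True, "ok"


def hash_password(password, salt=None):
    """Store only a salted, slow hash: the site then has no password to email back."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(candidate, salt, digest):
    """Recompute the hash and compare in constant time."""
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(recomputed, digest)


class LoginLimiter:
    """Counts failed logins per account and locks the account once the threshold is hit."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable so tests can control time
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:          # lockout expired: reset the counter
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def record_failure(self, account):
        """Returns True if the account is locked after this failure."""
        if self.is_locked(account):
            return True
        self.failures[account] += 1
        if self.failures[account] >= self.max_attempts:
            self.locked_until[account] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def attempt_login(limiter, account, candidate, salt, digest):
    """One login attempt; returns 'locked', 'ok' or 'denied'."""
    if limiter.is_locked(account):
        return "locked"                    # do not even evaluate the password
    if verify_password(candidate, salt, digest):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "denied"


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")   # constructed user record
    limiter = LoginLimiter()
    results = [attempt_login(limiter, "alice", f"guess{i}", salt, digest) for i in range(10)]
    print(results[-1])                                               # denied
    print(attempt_login(limiter, "alice", "correct horse battery staple", salt, digest))  # locked
```

The limiter refuses to evaluate the password at all once the account is locked, so even the correct password is rejected until the lockout expires; that is the behaviour the low-scoring sites in the study lack. A production deployment would also key the counter by source address and persist it outside the process, but the policy logic is the same.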

What precautions can you take to protect yourself despite lax password policies at sites you frequent? Here’s a summary of what it takes to keep your passwords secure online:

  • First and foremost, don’t re-use passwords at different websites. No matter how strong you make a password, if it gets compromised at one site, you don’t want that to unlock other sites as well.
  • Password strength comes from length, not overall complexity. Make it at least 8 characters long, and the longer the better (though many sites limit password length).
  • Combine upper and lowercase, numbers, and symbols. Also, use less common symbols – exclamation points are so commonly used in passwords that password-cracking tools treat them like any ordinary character.
  • Use a password manager to track your passwords. It’s far better to use a program like LastPass, Roboform, or Dashlane than to write down a password or repeat it for ease of memorization.
  • If you’re creating a password yourself, refer to a password strength meter to assess its relative strength. Microsoft offers one, for example. Alternatively, most password managers will generate a strong password for you.
  • As many security experts have pointed out, pass phrases – long chains of common words – are far more secure than an 8- or 12-character string of letters and numbers. If a site supports it – especially a site that has your financial information – use that instead.
  • Finally, if you have the option, rely on a site’s two-factor authentication. That’s a system in which you need to enter both a password and some other form of security, such as a code that’s texted to your phone. Sites like Google, Twitter, Facebook, and PayPal support two-factor authentication when you try to log in on a device that’s different from your usual PC or phone.
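The tips on length versus complexity and on pass phrases can be checked with a simple strength model. The code below is an added example, not part of the article, implementing the estimate that most password strength meters start from: the number of bits an attacker must search if the password were chosen at random from the character classes it uses, and the corresponding figure for a pass phrase drawn from a word list. The 7776-word list size is the usual diceware figure, and the `strength_label` thresholds are assumptions chosen for this example.

```python
import math

SYMBOLS = 33  # printable ASCII characters that are neither letters nor digits


def charset_size(password):
    """Size of the smallest standard character set covering every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def brute_force_bits(password):
    """Upper bound on strength: bits to search if the password is random over its character set.
    This overestimates dictionary words such as 'password', so a denylist check is still needed."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(n_words, wordlist_size=7776):
    """Strength of n words chosen uniformly at random from a list (7776 = diceware)."""
    return n_words * math.log2(wordlist_size)


def strength_label(bits):
    """Coarse meter label; the thresholds are assumptions for this example."""
    if bits < 40:
        return "weak"
    if bits < 60:
        return "fair"
    if bits < 80:
        return "strong"
    return "very strong"


def compare_policies():
    """Bits for several password shapes, showing that added length outweighs added character classes."""
    return {
        "8 lowercase": 8 * math.log2(26),
        "8 mixed (upper/lower/digit/symbol)": 8 * math.log2(26 + 26 + 10 + SYMBOLS),
        "12 lowercase": 12 * math.log2(26),
        "12 letters+digits": 12 * math.log2(62),
        "4-word passphrase": passphrase_bits(4),
        "6-word passphrase": passphrase_bits(6),
    }


if __name__ == "__main__":
    for label, bits in compare_policies().items():
        print(f"{label:38s} {bits:5.1f} bits  {strength_label(bits)}")
```

Under this model twelve lowercase letters (about 56 bits) beat eight characters drawn from every class (about 53 bits), which is the article's point that length matters more than complexity, and each extra diceware word adds about 13 bits, so a six-word pass phrase (about 78 bits) exceeds a 12-character letters-and-digits string (about 71 bits). The figures assume the characters or words are chosen at random; a meter that only counts classes will rate a dictionary word far higher than it deserves.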
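The last tip describes a code texted to your phone. The following added example (not code from the article or from any of the sites named) goes one step beyond that by showing the app-based variant of the same second factor, the time-based one-time password of RFC 6238 built on the HMAC-based code of RFC 4226, together with the server-side check that accepts the current code plus one step either side for clock drift. The `second_factor_required` helper is hypothetical and only mirrors the article's description of prompting on an unfamiliar device; the secret is the RFC 6238 reference value, used here so the output can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30          # seconds per code, as in RFC 6238
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=TIME_STEP, digits=DIGITS):
    """Time-based one-time password (RFC 6238): HOTP with the counter taken from the clock."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // step), digits)


def verify_code(secret, submitted, at_time=None, window=1):
    """Server-side check: accept the current code or one `window` steps either side (clock drift)."""
    now = time.time() if at_time is None else at_time
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def second_factor_required(known_devices, device_id):
    """Hypothetical policy hook: prompt for the code only when the device is not one already seen."""
    return device_id not in known_devices


if __name__ == "__main__":
    secret = b"12345678901234567890"                  # RFC 6238 reference secret (SHA-1 variant)
    print(totp(secret, at_time=59))                    # 287082
    print(verify_code(secret, "287082", at_time=59))   # True
    print(second_factor_required({"laptop-1"}, "phone-new"))  # True
```

A real server would additionally remember the last time step at which a code was accepted and refuse to accept that step again, so that a code observed in transit cannot be replayed within its 30-second window; the drift window should stay small for the same reason.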