Watch CBSN Live

Amazon, Macy's score low in password security study

When deciding which web sites and web services to patronize, you probably don’t consider their password security policies. But as a recent study shows, perhaps it’s something you should take into account.

Recently, password manager vendor Dashlane studied what it considered to be the top 100 e-commerce websites, specifically looking to assess their security policies. The resulting report ranked the sites from best to worst, and called out especially bad performers.

Here are some general results:

  • More than half – 55 percent – of e-commerce sites accept weak passwords like “password” or “123456”.
  • Also more than half – 51 percent – do not block incorrect entries, even after 10 tries.
  • Only about 10 percent of the surveyed sites met Dashlane’s criteria for enforcing strong passwords.

  • Some of the best sites in the Dashlane study were Apple, Microsoft, Newegg, and Target. At the bottom of the list were sites like 1-800-Flowers, J. Crew, Toys R Us, and MLB. And while you as a user can easily work around some poor password policies – even if a site doesn’t require a strong password, for example, you can still create one yourself – some of these sites have policies that are downright dangerous.  1-800-Flowers, J. Crew, and Toys R Us, for example, send you your passwords in plain text via email – that’s downright reckless.

  • Among the other "notable" sites with low scores were Macy's, Amazon, and Walmart. These sites scored low primarily because they allow more than 10 log-in attempts without locking out the user.

What precautions can you take to protect yourself despite lax password policies at sites you frequent? Here’s a summary of what it takes to keep your passwords secure online:

  • First and foremost, don’t re-use passwords at different websites. No matter how strong you make a password, if it gets compromised at one site, you don’t want that to unlock other sites as well.
  • Password strength comes from length, not overall complexity. Make it at least 8 characters long, and the longer the better (though many sites limit password length).
  • Combine upper and lowercase, numbers, and symbols. Also, use less common symbols – exclamation points are so commonly used in passwords that they are factored into password hacking as if they were an ordinary character.
  • Use a password manager to track your passwords. It’s far better to use a program like LastPass, Roboform, or Dashlane than to write down a password or repeat it for ease of memorization.
  • If you’re creating a password yourself, refer to a password strength meter to assess its relative strength. Microsoft offers one, for example. Another alternative: Most password managers will generate a strong password for you.
  • As many security experts have pointed out, pass phrases – long chains of common words – are far more secure than an 8 or 12-character string of letters and numbers. If a site supports it – especially a site that has your financial information – use that instead.
  • Finally, if you have the option, rely on a site’s two factor authentication. That’s a system in which you need to enter both a password and some other form of security, such as a code that’s texted to your phone. Sites like Google, Twitter, Facebook, and PayPal support two factor authentication when you try to log in on a device that’s different than your usual PC or phone.

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.