Recent security breaches lead the news and consumers are increasingly suspicious of possible credit card fraud. When it comes to data security, retailers run the gamut from perfect to poor.
The keys that protect consumers' personal data are the passwords they use for retail sites, and weak passwords can prove disastrous for personal data security. Dashlane ranks the top 100 e-retailers' password policies and reveals some concerns in the first edition of its quarterly Personal Data Security Roundup. The roundup findings suggest that some of the top e-commerce sites in the U.S. fail to implement basic password policies that could adequately protect their users' personal data.
Apple (NASDAQ: AAPL) received the highest rating and was the only retailer to receive a perfect score. Amazon (NASDAQ: AMZN), Walmart (NYSE: WMT), Victoria's Secret (NYSE: LB) and Toys "R" Us were among the lowest ranked sites, as they all received scores of -35 or below.
The roundup assesses the password policies of the top 100 e-commerce sites in the U.S. by examining 24 different password criteria that Dashlane has identified as important to online security, and awarding or docking points depending upon whether a site meets a criterion or not. Each criterion is given a plus or minus point value, leading to a possible total score between -100 and 100 for each site.
Approximately 55 percent of online retailers still accept weak passwords such as "123456" or "password"; 51 percent make no attempt to block entry after 10 incorrect password entries (including Amazon, Dell, Best Buy (NYSE: BBY), Macy's (NYSE: M) and Williams-Sonoma (NYSE: WSM)); and 64 percent have highly questionable password practices (receiving a negative total score in the roundup).
The majority of retailers surveyed (61 percent) do not provide any advice on how to create a strong password during signup, and 93 percent do not provide an on-screen password strength assessment. Only 10 percent scored above the threshold for good password policies, and eight sites, including Toys "R" Us, J.Crew and 1-800-Flowers.com, send passwords in plain text via email.
Newegg, Microsoft (NASDAQ: MSFT) and Chegg textbook rentals tied for second place behind Apple (NASDAQ: AAPL), and Target (NYSE: TGT) rounded out the top three.
These findings are troubling, particularly when examined in the context of numerous recent online security issues at major retailers such as Starbucks. They suggest that some of the top e-commerce sites fail to implement basic password policies that could adequately protect their users' personal data.
The majority of sites accept weak or common passwords, most don't require a mix of letters and numbers, and many allow passwords of six characters or fewer. Major League Baseball even allows users to use the word "baseball" as their password.
The list of bad practices goes on and on. Sites don't lock users' accounts after repeated failed access attempts. One of the easiest methods hackers use to break into an account is the automated entry of commonly used passwords. Restricting account access after multiple incorrect entries is a simple way to curb this tactic.
It's easy to see how simple it is for hackers to access shoppers' passwords and breach retailers' security at this level.
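The two controls the roundup scores most heavily, rejecting weak passwords at signup and locking an account after 10 failed attempts, as an added Python example (not Dashlane's code or any retailer's); the blocklist, the minimum length and the 15-minute lockout window are assumed values, not figures from the roundup.

```python
import time

# Constructed blocklist standing in for a real common-password list; the roundup
# cites "123456", "password" and "baseball" as passwords some sites accept.
COMMON_PASSWORDS = {"123456", "password", "baseball", "qwerty", "12345678"}

MIN_LENGTH = 8            # assumed; the roundup flags sites allowing six characters or fewer
MAX_FAILED_ATTEMPTS = 10  # the roundup's lockout threshold
LOCKOUT_SECONDS = 900     # assumed lockout window (15 minutes)


def check_password_policy(password: str) -> list:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password blocklist")
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        problems.append("does not mix letters and digits")
    return problems


class LoginThrottle:
    """Counts consecutive failed logins per account and locks it after MAX_FAILED_ATTEMPTS."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so the lock can be tested without waiting
        self._failures = {}        # account -> consecutive failure count
        self._locked_until = {}    # account -> unix time when the lock expires

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._now() >= until:   # lock expired: reset so the user gets a fresh budget
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record one wrong password; return True if the account is now locked."""
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[account] = self._now() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)  # a correct login clears the failure count
```

A production deployment would keep the counters in shared storage and rate-limit by source address as well as by account, so one host cannot spread attempts across many accounts.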