Many U.S. retailers’ online sites fail to enforce basic password policies to protect customers’ personal data.
Target Corp. may be engulfed in data security issues, but the strength of customer passwords at Target.com isn’t likely one of them.
The Minneapolis-based retailer tied for No. 4 in the nation for its online customer password policies, according to a first-ever study by the company Dashlane Inc., scoring 60 of 100 possible points. Only Apple Inc., at No. 1., scored a perfect 100.
Best Buy Co. Inc. tied for No. 11 with a score of 40. E-tailing colossus Amazon fared poorly with a score of -40, tying for No. 63.
“Anything above 45 is pretty good,” said Dashlane CEO Emmanuel Schalit in an interview. “What’s concerning in this study is to find so many sites, including pretty large players, that are not paying attention to this problem.”
Hackers are armed with increasingly sophisticated tools to break passwords as shopping migrates online. Target and Richfield-based Best Buy are shifting more and more resources online as they work to hold their ground against e-tailers such as Amazon.com.
Only 10 percent of the 100 retailers in Dashlane’s study scored 45 or above, and more than half still accept lazy passwords such as “123456,” “111111” or even “password,” it found. Half of the companies don’t block logins even after 10 incorrect password tries, including Amazon, Dell, Best Buy, Macy’s and Williams-Sonoma.
In one major D’oh!, Dashlane noted that MLB, the official site for Major League Baseball, allows shoppers to use the word “baseball.” Amazon, Wal-Mart, Office Depot and Macy’s were among those retailers with scores at or below 30.
Shoppers themselves don’t appear to be clamoring for stricter password policies.
A separate poll out Monday in the wake of Target’s data breach shows that American shoppers say they are very or extremely concerned about the safety of their personal information in stores and online, but aren’t changing their behavior much to protect it. A majority said that since the breach they have not changed their online passwords at store websites, asked for new credit or debit card numbers from their bank or signed up for a credit monitoring service. The AP-GfK Poll surveyed 1,060 adults.
Dashlane, a venture-capital-backed password manager in Manhattan that markets to consumers, examined the password policies of the Top 100 e-commerce sites from Jan. 17-Jan. 22. It scored companies from minus 100 to 100 based on two dozen criteria such as how many characters they require, whether they require a mix of numbers and letters, whether they e-mail customer passwords in plain text, and whether they tell consumers setting up an account whether their chosen password is weak or strong.
“Apple is very strict,” Schalit said.
But scores dropped precipitously after Apple into the sixties. At 60 points, Target tied for No. 4 with Los Angeles-based tech retailer Newegg Inc.
Target come up short mostly because its website doesn’t advise customers creating an account about a password’s strength. That feature alone was worth 30 points. It lost 5 points for allowing normal logins after four wrong passwords.
Online passwords haven’t come up as an issue in Target’s enormous holiday data security breach that exposed the financial and personal information of up to 110 million people.
“At this point in our ongoing investigation there is no indication that guest passwords are involved,” Molly Snyder said.
Malicious “memory scraping” software inserted in the retailer’s point-of-sale systems at the checkouts of its U.S. stores has been identified as the main culprit.
Best Buy spokesman Jeffrey Shelman said the firm is constantly looking for ways to have BestBuy.com be both secure and easy-to-use. “We have requirements in place to help customers with online security and we encourage them to use passwords that are not easy for criminals to hack,” he said. “As we identify new methods to safeguard customer information, we will update our protocols as needed.”
Dashlane’s top recommendations for retailers: require passwords at least 8 characters long with a mix of upper and lowercases, numbers and symbols; block after 4 failed logins; give on-screen advice on how to choose a strong password; tell customers on-screen how good a password is.