After looking at password policies for top ecommerce sites in the US and France, password manager firm Dashlane took a peek at sites in the United Kingdom to evaluate their practices. Some big brand names like Amazon UK demonstrated some eyebrow-raising habits.
In the UK edition of its Personal Data Security Roundup, Dashlane assessed the sites against what the firm considers important password security criteria. It found that about two-thirds of the top 100 ecommerce sites in the UK, including brands like Amazon and Tesco, don’t stop login attempts after ten incorrect password entries.
Failing to lock out such attempts could be problematic for an ecommerce site and its customers. Malicious hackers have long had access to tools that enable repetitive attacks, feeding one possible password after another to a site until such software finds a match.
Dashlane also expressed concern about 25 percent of these sites providing forgotten passwords in plaintext via email. If an unauthorized person has access to a customer’s email and the process for getting back into an ecommerce site is a simple username/password login, that account becomes an easy target.
Although modern-day internet users should be well aware of the intrinsic dangers of using weak passwords, the average consumer may be content to use a simple, easy-to-guess one. Unless a site’s processes force them to make choices like including at least one number and one capital letter, or to make the password a minimum length, people will probably continue to gravitate toward less secure choices.
Ecommerce pros may wish to reconsider any existing practices they use that don’t compel password choices that are at least a little varied and of a minimum length. Data security breaches will hurt consumer confidence; one need look no further than the 2013 holiday season breach that affected Target, which has seen a drop in customer visits since the incident.
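The two server-side controls the roundup measured (stopping logins after ten incorrect entries, and requiring a minimum length plus at least one number and one capital letter) as an added illustration; this is example code written for this page, not Dashlane's checker or any site's implementation. The ten-attempt threshold comes from the article; the minimum length of 8 and the account names are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 10  # the "ten incorrect entries" criterion from the roundup
MIN_LENGTH = 8          # assumed value; the article gives no specific length


def password_policy_violations(password: str) -> list[str]:
    """Return the policy rules a candidate password fails (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    return problems


@dataclass
class LoginGuard:
    """Per-account failed-attempt counter that stops logins once the threshold is hit."""
    failures: dict[str, int] = field(default_factory=dict)
    locked: set[str] = field(default_factory=set)

    def record_attempt(self, username: str, credentials_valid: bool) -> str:
        # Check the lock before anything else so a locked account never proceeds,
        # even when the supplied password happens to be right.
        if username in self.locked:
            return "locked"
        if credentials_valid:
            self.failures.pop(username, None)  # a successful login resets the counter
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= LOCKOUT_THRESHOLD:
            self.locked.add(username)
            return "locked"
        return "denied"


def simulate_guessing(guesses: int, username: str = "demo-account") -> list[str]:
    """Constructed scenario: a run of wrong passwords against one account."""
    guard = LoginGuard()
    return [guard.record_attempt(username, False) for _ in range(guesses)]
```

In a production system the lock would also expire after a cooldown and the counter would be stored server-side (not in process memory), but the ordering shown here, lock check first, then credential check, is what keeps the eleventh attempt from succeeding.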