Old Jan 24, 2014, 01:47 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Apple Password Management Ranked Most Secure Out of 100 E-Commerce Websites




In a comprehensive study of the password security policies of 100 e-commerce websites, Apple was the only site to receive a perfect score of 100.

Conducted by password-management company Dashlane (via Ars Technica), the Personal Data Security in E-Commerce Security Roundup [PDF] examined the password policies at various sites using 24 different criteria like acceptance of weak passwords and whether or not entry is blocked after failed attempts.

Quote:
The roundup assesses the password policies of the top 100 e-commerce sites in the US by examining 24 different password criteria that Dashlane has identified as important to online security, and awarding or docking points depending upon whether a site meets a criterion or not. Each criterion is given a +/- point value, leading to a possible total score between -100 and 100 for each site.
While Apple was the only company to earn a score of 100, other companies, like Microsoft, Newegg, and Target also received high scores while Major League Baseball, Toys R Us and Aeropostale received some of the lowest scores.

The study revealed that 55 percent of online retailers accepted weak passwords like "password" or "123456" and 51 percent made no attempt to block entry after 10 incorrect password entries. 61 percent did not provide advice on how to create a strong password, and 93 percent did not provide an on-screen password strength assessment.

Apple, however, met and exceeded all criteria as the company has notoriously stringent password rules to encourage its users to create strong passwords.
Quote:
Some retailers may argue that such requirements impede user convenience, but companies such as Apple, arguably the most famous brand on the list, have shown that it is possible to be both secure and successful. In every category we tested, Apple implemented the 4 simple policies and procedures we recommend above. These policies resulted in the company being awarded the only perfect score in the study.
When a new Apple ID account is created, users must have a password with at least eight characters, one lower case letter, one capital letter, and one number. The password cannot contain multiple identical consecutive characters, it can't be a common password, and it can't be the same as the account name.

Apple will also rate passwords as weak, moderate, or strong and it asks users to create security questions as well. When logging in with an Apple ID, three attempts at entering the wrong password will prompt a password reset via security questions or email authentication.

As noted by Ars Technica, while the study looks at several aspects of password management, it does avoid some important criteria such as whether sites allow password entry through unencrypted HTTP password connections or allow resets via security questions.

Article Link: Apple Password Management Ranked Most Secure Out of 100 E-Commerce Websites
MacRumors is offline   0 Reply With Quote
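
The Apple ID creation rules and the three-attempt reset described in the article above, written out as checks. This is an added example, not part of the original thread and not Apple's code; `check_password`, `AttemptTracker`, the sample deny-list, the `max_run` threshold and the behaviour after the limit is reached are assumptions made for illustration.

```python
import re

# Constructed sample deny-list (assumption): the article names only "password"
# and "123456"; a real deployment would load a far larger list.
COMMON_PASSWORDS = {"password", "123456", "password1", "qwerty123", "letmein1"}

def check_password(password, account_name, max_run=2):
    """Return the list of violated rules; an empty list means accepted.

    max_run is an assumption: the article says only "multiple identical
    consecutive characters", so runs longer than max_run are rejected.
    No characters are forbidden and no maximum length is imposed.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    # (.)\1{n,} matches a character followed by n or more copies of itself.
    if re.search(r"(.)\1{%d,}" % max_run, password, re.DOTALL):
        problems.append("more than %d identical characters in a row" % max_run)
    if password.casefold() in COMMON_PASSWORDS:
        problems.append("common password")
    if password.casefold() == account_name.casefold():
        problems.append("same as account name")
    return problems

class AttemptTracker:
    """Counts consecutive wrong passwords per account (limit of three, per the article)."""
    def __init__(self, limit=3):
        self.limit = limit
        self.failures = {}

    def record(self, account_name, success):
        """Record one login attempt; return True if a password reset is now required."""
        count = self.failures.get(account_name, 0)
        if success and count < self.limit:
            self.failures.pop(account_name, None)  # a good login clears the streak
            return False
        if not success:
            count += 1
            self.failures[account_name] = count
        # Assumption: once the limit is hit, even a correct password needs a reset.
        return count >= self.limit
```
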
Old Jan 24, 2014, 01:49 PM   #2
sevimli
macrumors 6502a
 
Join Date: Jun 2007
newegg? Kidding right?
sevimli is offline   0 Reply With Quote
Old Jan 24, 2014, 01:51 PM   #3
dannyyankou
macrumors 68020
 
Join Date: Mar 2012
Can't get better than 100!
dannyyankou is offline   0 Reply With Quote
Old Jan 24, 2014, 01:51 PM   #4
keysofanxiety
macrumors 65816
 
keysofanxiety's Avatar
 
Join Date: Nov 2011
Location: In a house that defies physics by being colder than absolute zero.
But ... but ... on my Android phone I don't have to type in passwords! I just have to use 'sIris' to recognise my eye and reveal my debit card details. Admittedly, there are a few flaws ... such as it thinking my eye colour was blue when they're actually brown. And I did manage to unlock my phone by pointing the camera towards a Mr. Potato Head.

But customisability, guys! You're too locked down! #changingicons
keysofanxiety is offline   8 Reply With Quote
Old Jan 24, 2014, 01:54 PM   #5
Cuban Missles
macrumors 6502a
 
Cuban Missles's Avatar
 
Join Date: Dec 2012
Location: East Coast, USA
This obviously applies to password for your apple ID, but I wonder what they will have to say about the fingerprint reader and key chain. That is now where the real security threat is -- once you get into key chain you have access to pretty much everything. Personally, I am very happy with it all but it would be interesting to see how that scores.
__________________
I have a collection of Apple stickers from all my Apple product purchases - they are white (the stickers not the products)
Cuban Missles is offline   0 Reply With Quote
Old Jan 24, 2014, 01:58 PM   #6
dannyyankou
macrumors 68020
 
Join Date: Mar 2012
Quote:
Originally Posted by keysofanxiety View Post
But ... but ... on my Android phone I don't have to type in passwords! I just have to use 'sIris' to recognise my eye and reveal my debit card details. Admittedly, there are a few flaws ... such as it thinking my eye colour was blue when they're actually brown. And I did manage to unlock my phone by pointing the camera towards a Mr. Potato Head.

But customisability, guys! You're too locked down! #changingicons
But animated wallpapers are so c00l! Who cares if customization opens up the possibility of battery drain, viruses, and hackers? I want my widgets and Swype keyboard!
dannyyankou is offline   6 Reply With Quote
Old Jan 24, 2014, 01:58 PM   #7
UnfetteredMind
macrumors 6502
 
Join Date: Jun 2012
C'mon Dicks ... get it up!
UnfetteredMind is offline   9 Reply With Quote
Old Jan 24, 2014, 02:18 PM   #8
Msail30bay
macrumors regular
 
Join Date: Jan 2014
Location: Penn., USA
Target in the Top 10... Really! Since when? And J.Crew at the bottom -55, Yikes! Guess gotta visit the store more and not online.
Msail30bay is offline   0 Reply With Quote
Old Jan 24, 2014, 02:22 PM   #9
Rigby
macrumors 65816
 
Join Date: Aug 2008
Location: San Jose, CA
And still they don't have 2-factor authentication on the icloud.com web site, which not only gives anybody who manages to steal your password full access to your email and personal info, but also allows them to remotely wipe your devices or Macs via "Find My ..."
Rigby is offline   0 Reply With Quote
Old Jan 24, 2014, 02:27 PM   #10
gotluck
macrumors 68040
 
gotluck's Avatar
 
Join Date: Dec 2011
Location: East Central Florida
Where are the websites with 2 factor auth?

PayPal google?
Msft doesn't even have 2 factor
__________________
iPad Air LTE 8.1 JB (T-Mobile) - GS 4 Google Edition 4.4.4 ART (AT&T) - Windows 7 PC's - PS4
gotluck is offline   0 Reply With Quote
Old Jan 24, 2014, 02:53 PM   #11
Menel
macrumors 601
 
Menel's Avatar
 
Join Date: Aug 2011
Location: Atlanta
Quote:
Originally Posted by UnfetteredMind View Post
C'mon Dicks ... get it up!
you win the internets

----------

Quote:
Originally Posted by gotluck View Post
Where are the websites with 2 factor auth?

PayPal google?
Msft doesn't even have 2 factor
My Microsoft account that hosts one of my domains, does have two way. Loads into the Google Auth app.
__________________
iPhone 6 iPad Air Mac mini (i5, 2011)
Menel is offline   1 Reply With Quote
Old Jan 24, 2014, 02:59 PM   #12
bearda
macrumors 6502
 
Join Date: Dec 2005
Location: Germantown, MD
This kind of surprises me, as Apple still has no password expiration policy or review of older password requirements. I was kind of surprised to find out one of our test accounts has been running around with a... fairly insecure password for a long time without any prompt to change. It definitely wouldn't pass the new account standards now.
bearda is offline   1 Reply With Quote
Old Jan 24, 2014, 03:20 PM   #13
Rigby
macrumors 65816
 
Join Date: Aug 2008
Location: San Jose, CA
Quote:
Originally Posted by gotluck View Post
Where are the websites with 2 factor auth?

PayPal google?
Msft doesn't even have 2 factor
All of the sites you mentioned support 2-factor authentication.
Rigby is offline   0 Reply With Quote
Old Jan 24, 2014, 03:31 PM   #14
nooaah
macrumors 65816
 
nooaah's Avatar
 
Join Date: Sep 2009
Location: Philadelphia, PA
Quote:
Originally Posted by dannyyankou View Post
But animated wallpapers are so c00l! Who cares if customization opens up the possibility of battery drain, viruses, and hackers? I want my widgets and Swype keyboard!
Swype actually is really huge. Categorizing it with animated wallpapers is silly.
nooaah is online now   0 Reply With Quote
Old Jan 24, 2014, 04:50 PM   #15
Analog Kid
macrumors 68030
 
Analog Kid's Avatar
 
Join Date: Mar 2003
If this is even remotely correlated to actual security, then Amazon's place on this list concerns me greatly...
__________________
Only trolls use the word "fanboy".
Analog Kid is offline   0 Reply With Quote
Old Jan 24, 2014, 07:07 PM   #16
ArcaneDevice
macrumors 6502a
 
Join Date: Nov 2003
Location: outside the crazy house, NC
The only thing this list really demonstrates is that Apple are quick to notify users if they are using stupidly simple passwords. The security of the site isn't being assessed and the bottom-ranking sites' failings are easily addressed by the user using a complex password.

If you use a password manager or have your own complex password algorithm then there is almost no difference in security between the highest and lowest. It all comes down to how smart the user is.

----------

Quote:
Originally Posted by Analog Kid View Post
If this is even remotely correlated to actual security, then Amazon's place on this list concerns me greatly...
It isn't. It's just basically a measure of how effective a password tutorial each site provides.
ArcaneDevice is offline   0 Reply With Quote
Old Jan 24, 2014, 07:34 PM   #17
Doctor Q
Administrator
 
Doctor Q's Avatar
 
Join Date: Sep 2002
Location: Los Angeles
I'm driven crazy by websites that refuse to allow certain characters in passwords. Some sites reject my nicely secure choices saying that passwords must contain only letters and digits, no special characters or no spaces, and often with rather short maximum sizes. What do these sites have to gain by such restrictions? Applying minimum requirements is reasonable but why do they apply "maximum" requirements?
__________________
Oh do pay attention 007. In the wrong hands, this cylindrical 12-core Mac Pro with three 4K displays, FirePro graphics, and Thunderbolt 2 could be very dangerous.
Doctor Q is offline   0 Reply With Quote
Old Jan 24, 2014, 07:37 PM   #18
SandboxGeneral
Moderator
 
SandboxGeneral's Avatar
 
Join Date: Sep 2010
Location: Rigel IV
Quote:
Originally Posted by Doctor Q View Post
but why do they apply "maximum" requirements?
I feel your pain of frustration too and have ofttimes wondered that myself.
__________________
It's true, we are aliens. But what are you going to do about it? It's a two-party system. You have to vote for one of us.
SandboxGeneral is offline   0 Reply With Quote
Old Jan 24, 2014, 10:39 PM   #19
clibinarius
macrumors 6502a
 
Join Date: Aug 2010
Quote:
Originally Posted by dannyyankou View Post
But animated wallpapers are so c00l! Who cares if customization opens up the possibility of battery drain, viruses, and hackers? I want my widgets and Swype keyboard!
You're absolutely right! Golly Gee! Death to OS X for having customization! It never occurred to me that I need anti-virus because I can install whatever I want on my Macbook!

Know of any good iOS laptops? And can I have a cool-aid logo on it as well?!
clibinarius is offline   0 Reply With Quote
Old Jan 24, 2014, 11:32 PM   #20
CoolGuy9890
macrumors newbie
 
Join Date: Jan 2014
Where is Google?

Where is Google? I use Gmail...... I hope my account does not get hacked...
CoolGuy9890 is offline   0 Reply With Quote
Old Jan 25, 2014, 03:46 AM   #21
nightstalkerz
macrumors regular
 
Join Date: May 2013
Quote:
Originally Posted by CoolGuy9890 View Post
Where is Google? I use Gmail...... I hope my account does not get hacked...
It's based on the top 100 e-commerce sites.
nightstalkerz is offline   0 Reply With Quote
Old Jan 26, 2014, 10:57 AM   #22
JAT
macrumors 603
 
Join Date: Dec 2001
Location: Mpls, MN
Quote:
Originally Posted by Doctor Q View Post
I'm driven crazy by websites that refuse to allow certain characters in passwords. Some sites reject my nicely secure choices saying that passwords must contain only letters and digits, no special characters or no spaces, and often with rather short maximum sizes. What do these sites have to gain by such restrictions? Applying minimum requirements is reasonable but why do they apply "maximum" requirements?
Still running on DOS?
__________________
-- Spiky
JAT is offline   0 Reply With Quote
Old Jan 26, 2014, 11:24 AM   #23
charlituna
macrumors G3
 
charlituna's Avatar
 
Join Date: Jun 2008
Location: Los Angeles, CA
Quote:
Originally Posted by Cuban Missles View Post
This obviously applies to password for your apple ID, but I wonder what they will have to say about the fingerprint reader and key chain. That is now where the real security threat is -- once you get into key chain you have access to pretty much everything. Personally, I am very happy with it all but it would be interesting to see how that scores.
I've been using touch id and it works rather well. All of my roommates have tried to trick it and nothing. Especially since they can't get a clean print of my finger.

Also you have the option to not use it for iTunes. It can't be used for turning off find my iPhone etc.

And this was an assessment of online site practices so it doesn't cover Touch ID and similar. They would need a different rating list.

----------

Quote:
Originally Posted by Rigby View Post
And still they don't have 2-factor authentication on the icloud.com web site, which not only gives anybody who manages to steal your password full access to your email and personal info, but also allows them to remotely wipe your devices or Macs via "Find My ..."
If someone manages to steal your password you have bigger issues than a lack of two step authentication.

----------

Quote:
Originally Posted by ArcaneDevice View Post
The only thing this list really demonstrates is that Apple are quick to notify users if they are using stupidly simple passwords. The security of the site isn't being assessed and the bottom-ranking sites' failings are easily addressed by the user using a complex password.
There have been zero confirmed successful brute force attacks on Apple's systems so user created passwords would be the weakest link.

And Apple isn't about to talk about how they secure their servers since that would just help those that want to try again.
__________________
Return of the Non Tech's Wish List
(She's family so I'm biased )
charlituna is offline   0 Reply With Quote
Old Jan 26, 2014, 03:58 PM   #24
Swordylove
macrumors 6502a
 
Join Date: Apr 2012
And Amazon...?
__________________
~
Swordylove is offline   0 Reply With Quote
Old Jan 26, 2014, 11:04 PM   #25
djdj
macrumors member
 
Join Date: Jul 2008
Quote:
Originally Posted by gotluck View Post
Where are the websites with 2 factor auth?

PayPal google?
Msft doesn't even have 2 factor
Microsoft does, and has for quite a long time, supported two-factor authentication. They use the same algorithm as Google, LastPass, and DropBox to name a few.
djdj is offline   0 Reply With Quote
