
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,481
30,715



In a comprehensive study of the password security policies of 100 e-commerce websites, Apple was the only site to receive a perfect score of 100.

Conducted by password-management company Dashlane (via Ars Technica), the Personal Data Security in E-Commerce Security Roundup [PDF] examined the password policies at various sites using 24 different criteria like acceptance of weak passwords and whether or not entry is blocked after failed attempts.

[Image: password score chart]
The roundup assesses the password policies of the top 100 e-commerce sites in the US by examining 24 different password criteria that Dashlane has identified as important to online security, and awarding or docking points depending upon whether a site meets a criterion or not. Each criterion is given a +/- point value, leading to a possible total score between -100 and 100 for each site.
While Apple was the only company to earn a score of 100, other companies, like Microsoft, Newegg, and Target also received high scores while Major League Baseball, Toys R Us and Aeropostale received some of the lowest scores.

The study revealed that 55 percent of online retailers accepted weak passwords like "password" or "123456" and 51 percent made no attempt to block entry after 10 incorrect password entries. 61 percent did not provide advice on how to create a strong password, and 93 percent did not provide an on-screen password strength assessment.

Apple, however, met and exceeded all criteria as the company has notoriously stringent password rules to encourage its users to create strong passwords.
Some retailers may argue that such requirements impede user convenience, but companies such as Apple, arguably the most famous brand on the list, have shown that it is possible to be both secure and successful. In every category we tested, Apple implemented the 4 simple policies and procedures we recommend above. These policies resulted in the company being awarded the only perfect score in the study.
When a new Apple ID account is created, users must have a password with at least eight characters, one lower case letter, one capital letter, and one number. The password cannot contain multiple identical consecutive characters, it can't be a common password, and it can't be the same as the account name.

Apple will also rate passwords as weak, moderate, or strong and it asks users to create security questions as well. When logging in with an Apple ID, three attempts at entering the wrong password will prompt a password reset via security questions or email authentication.

As noted by Ars Technica, while the study looks at several aspects of password management, it does avoid some important criteria such as whether sites allow password entry through unencrypted HTTP password connections or allow resets via security questions.

Article Link: Apple Password Management Ranked Most Secure Out of 100 E-Commerce Websites
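Added example, not from the article or from Dashlane's report: a Python checker for the Apple ID password rules as the article lists them (eight characters, a lowercase letter, a capital, a digit, no repeated consecutive characters, not a common password, not the account name), plus a counter for the three-failed-attempts reset trigger. The short common-password list and the reading of "multiple identical consecutive characters" as a run of three or more are assumptions.

```python
import re

# Constructed sample of common passwords; the article names "password" and "123456".
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def policy_violations(password: str, account_name: str) -> list[str]:
    """Return the rules from the article that the password fails.

    An empty list means every rule is satisfied.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # Assumption: "multiple identical consecutive characters" means a run of
    # three or more of the same character; two in a row is accepted here.
    if re.search(r"(.)\1\1", password):
        problems.append("repeated consecutive characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if password.lower() == account_name.lower():
        problems.append("same as account name")
    return problems


class FailedAttemptTracker:
    """Count wrong-password attempts per account.

    Once `limit` failures are reached the account is flagged so the login
    flow can force the reset-by-security-question-or-email step described
    in the article instead of accepting further guesses.
    """

    def __init__(self, limit: int = 3):
        self.limit = limit
        self.failures: dict[str, int] = {}

    def record_failure(self, account: str) -> bool:
        """Record one failed login; return True once the limit is reached."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.failures[account] >= self.limit

    def record_success(self, account: str) -> None:
        """A correct login clears the failure count for that account."""
        self.failures.pop(account, None)
```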
 

keysofanxiety

macrumors G3
Nov 23, 2011
9,539
25,302
But ... but ... on my Android phone I don't have to type in passwords! I just have to use 'sIris' to recognise my eye and reveal my debit card details. Admittedly, there are a few flaws ... such as it thinking my eye colour was blue when they're actually brown. And I did manage to unlock my phone by pointing the camera towards a Mr. Potato Head.

But customisability, guys! You're too locked down! #changingicons
 

2457282

Suspended
Dec 6, 2012
3,327
3,015
This obviously applies to the password for your Apple ID, but I wonder what they will have to say about the fingerprint reader and Keychain. That is now where the real security threat is -- once you get into Keychain you have access to pretty much everything. Personally, I am very happy with it all, but it would be interesting to see how that scores.
 

dannyyankou

macrumors G5
Mar 2, 2012
13,000
27,984
Westchester, NY
But ... but ... on my Android phone I don't have to type in passwords! I just have to use 'sIris' to recognise my eye and reveal my debit card details. Admittedly, there are a few flaws ... such as it thinking my eye colour was blue when they're actually brown. And I did manage to unlock my phone by pointing the camera towards a Mr. Potato Head.

But customisability, guys! You're too locked down! #changingicons

But animated wallpapers are so c00l! Who cares if customization opens up the possibility of battery drain, viruses, and hackers? I want my widgets and Swype keyboard!
 

Msail30bay

macrumors regular
Jan 4, 2014
181
18
Penn., USA
Target in the Top 10... :confused: Really! Since when? And J.Crew at the bottom, -55, Yikes! Guess gotta visit the store more and not online.
 

Rigby

macrumors 603
Aug 5, 2008
6,222
10,168
San Jose, CA
And still they don't have 2-factor authentication on the icloud.com web site, which not only gives anybody who manages to steal your password full access to your email and personal info, but also allows them to remotely wipe your devices or Macs via "Find My ..."
 

bearda

macrumors 6502a
Dec 2, 2005
502
175
Roanoke, VA
This kind of surprises me, as Apple still has no password expiration policy or review of older password requirements. I was kind of surprised to find out one of our test accounts has been running around with a... fairly insecure password for a long time without any prompt to change. It definitely wouldn't pass the new account standards now.
 

Analog Kid

macrumors G3
Mar 4, 2003
8,855
11,369
If this is even remotely correlated to actual security, then Amazon's place on this list concerns me greatly...
 

ArcaneDevice

macrumors 6502a
Nov 10, 2003
766
186
outside the crazy house, NC
The only thing this list really demonstrates is that Apple are quick to notify users if they are using stupidly simple passwords. The security of the site isn't being assessed, and the bottom-ranking sites' failings are easily addressed by the user using a complex password.

If you use a password manager or have your own complex password algorithm then there is almost no difference in security between the highest and lowest. It all comes down to how smart the user is.

----------

If this is even remotely correlated to actual security, then Amazon's place on this list concerns me greatly...

It isn't. It's just basically a measure of how effective a password tutorial each site provides.
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
39,782
7,514
Los Angeles
I'm driven crazy by websites that refuse to allow certain characters in passwords. Some sites reject my nicely secure choices saying that passwords must contain only letters and digits, no special characters or no spaces, and often with rather short maximum sizes. What do these sites have to gain by such restrictions? Applying minimum requirements is reasonable but why do they apply "maximum" requirements?
 

clibinarius

macrumors 6502a
Aug 26, 2010
671
70
NY
But animated wallpapers are so c00l! Who cares if customization opens up the possibility of battery drain, viruses, and hackers? I want my widgets and Swype keyboard!

You're absolutely right! Golly Gee! Death to OS X for having customization! It never occurred to me that I need anti-virus because I can install whatever I want on my MacBook!

Know of any good iOS laptops? And can I have a cool-aid logo on it as well?!
 

CoolGuy9890

macrumors member
Jan 19, 2014
34
13
Where is Google?

Where is Google? I use Gmail...... I hope my account does not get hacked...
 

JAT

macrumors 603
Dec 31, 2001
6,473
124
Mpls, MN
I'm driven crazy by websites that refuse to allow certain characters in passwords. Some sites reject my nicely secure choices saying that passwords must contain only letters and digits, no special characters or no spaces, and often with rather short maximum sizes. What do these sites have to gain by such restrictions? Applying minimum requirements is reasonable but why do they apply "maximum" requirements?

Still running on DOS?
 

charlituna

macrumors G3
Jun 11, 2008
9,636
816
Los Angeles, CA
This obviously applies to the password for your Apple ID, but I wonder what they will have to say about the fingerprint reader and Keychain. That is now where the real security threat is -- once you get into Keychain you have access to pretty much everything. Personally, I am very happy with it all, but it would be interesting to see how that scores.

I've been using Touch ID and it works rather well. All of my roommates have tried to trick it and nothing. Especially since they can't get a clean print of my finger.

Also you have the option to not use it for iTunes. It can't be used for turning off Find My iPhone, etc.

And this was an assessment of online site practices, so it doesn't cover Touch ID and similar. They would need a different rating list.

----------

And still they don't have 2-factor authentication on the icloud.com web site, which not only gives anybody who manages to steal your password full access to your email and personal info, but also allows them to remotely wipe your devices or Macs via "Find My ..."

If someone manages to steal your password you have bigger issues than a lack of two step authentication.

----------

The only thing this list really demonstrates is that Apple are quick to notify users if they are using stupidly simple passwords. The security of the site isn't being assessed, and the bottom-ranking sites' failings are easily addressed by the user using a complex password.

There have been zero confirmed successful brute force attacks on Apple's systems, so user-created passwords would be the weakest link.

And Apple isn't about to talk about how they secure their servers, since that would just help those that want to try again.
 

djdj

macrumors regular
Jul 14, 2008
104
138
Where are the websites with 2 factor auth?

PayPal google?
Msft doesn't even have 2 factor

Microsoft does, and has for quite a long time, supported two-factor authentication. They use the same algorithm as Google, LastPass, and Dropbox, to name a few.
 