Apple Password Management Ranked Most Secure Out of 100 E-Commerce Websites

Discussion in 'iOS Blog Discussion' started by MacRumors, Jan 24, 2014.

  1. macrumors bot


    Apr 12, 2001

    In a comprehensive study of the password security policies of 100 e-commerce websites, Apple was the only site to receive a perfect score of 100.

    Conducted by password-management company Dashlane (via Ars Technica), the Personal Data Security in E-Commerce Security Roundup [PDF] examined the password policies at various sites using 24 different criteria like acceptance of weak passwords and whether or not entry is blocked after failed attempts.

    While Apple was the only company to earn a score of 100, other companies, like Microsoft, Newegg, and Target also received high scores while Major League Baseball, Toys R Us and Aeropostale received some of the lowest scores.

    The study revealed that 55 percent of online retailers accepted weak passwords like "password" or "123456" and 51 percent made no attempt to block entry after 10 incorrect password entries. 61 percent did not provide advice on how to create a strong password, and 93 percent did not provide an on-screen password strength assessment.

    Apple, however, met and exceeded all criteria as the company has notoriously stringent password rules to encourage its users to create strong passwords.
    When a new Apple ID account is created, users must have a password with at least eight characters, one lower case letter, one capital letter, and one number. The password cannot contain multiple identical consecutive characters, it can't be a common password, and it can't be the same as the account name.

    Apple will also rate passwords as weak, moderate, or strong and it asks users to create security questions as well. When logging in with an Apple ID, three attempts at entering the wrong password will prompt a password reset via security questions or email authentication.

    As noted by Ars Technica, while the study looks at several aspects of password management, it does avoid some important criteria such as whether sites allow password entry through unencrypted HTTP password connections or allow resets via security questions.

    Article Link: Apple Password Management Ranked Most Secure Out of 100 E-Commerce Websites
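
The Apple ID rules and three-attempt reset described in the post above, as an added Python example that is not part of the MacRumors article, the Dashlane study or Apple's code. The deny-list contents, the `max_run` threshold and all function and class names are assumptions made for illustration.

```python
import re

# Constructed sample deny-list; "password" and "123456" are the examples the
# article names. A production list would be far larger.
COMMON_PASSWORDS = {"password", "123456", "password1", "qwerty123", "letmein1"}
MAX_FAILED_ATTEMPTS = 3  # per the article: three wrong entries prompt a reset


def policy_violations(password, account_name, max_run=1):
    """Return the rules a candidate password breaks (empty list = accepted).

    max_run is an assumption: the article says only "multiple identical
    consecutive characters", so the default rejects any doubled character.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    # (.)\1{n,} matches a character followed by n or more copies of itself.
    if re.search(r"(.)\1{%d,}" % max_run, password, flags=re.DOTALL):
        problems.append("repeated consecutive characters")
    if password.casefold() in COMMON_PASSWORDS:
        problems.append("common password")
    # Compare against the full account name and the part before "@".
    name = account_name.casefold()
    if password.casefold() in {name, name.split("@")[0]}:
        problems.append("same as account name")
    return problems


class LoginThrottle:
    """Counts consecutive failures per account; at the limit, force a reset."""

    def __init__(self, limit=MAX_FAILED_ATTEMPTS):
        self.limit = limit
        self.failures = {}

    def record(self, account_name, success):
        """Return True when the account must go through password reset."""
        if success:
            self.failures.pop(account_name, None)
            return False
        self.failures[account_name] = self.failures.get(account_name, 0) + 1
        return self.failures[account_name] >= self.limit
```

Returning every broken rule at once, rather than stopping at the first, is what lets a sign-up form show the on-screen guidance the study found missing at most retailers.
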
  2. macrumors 6502a

    Jun 26, 2007
  3. macrumors 601


    Mar 2, 2012
  4. macrumors 68020


    Nov 23, 2011
    But ... but ... on my Android phone I don't have to type in passwords! I just have to use 'sIris' to recognise my eye and reveal my debit card details. Admittedly, there are a few flaws ... such as it thinking my eye colour was blue when they're actually brown. And I did manage to unlock my phone by pointing the camera towards a Mr. Potato Head.

    But customisability, guys! You're too locked down! #changingicons
  5. macrumors 68000

    Cuban Missles

    Dec 6, 2012
    My heart is in Camagüey, the rest in the USA
    This obviously applies to the password for your Apple ID, but I wonder what they will have to say about the fingerprint reader and key chain. That is now where the real security threat is -- once you get into key chain you have access to pretty much everything. Personally, I am very happy with it all but it would be interesting to see how that scores.
  6. macrumors 601


    Mar 2, 2012
    But animated wallpapers are so c00l! Who cares if customization opens up the possibility of battery drain, viruses, and hackers? I want my widgets and Swype keyboard!
  7. macrumors 6502


    Jun 6, 2012
  8. macrumors regular


    Jan 4, 2014
    Penn., USA
    Target in the Top 10... Really! Since when? And J.Crew at the bottom -55, Yikes! Guess gotta visit the store more and not online.
  9. macrumors 68020

    Aug 5, 2008
    San Jose, CA
    And still they don't have 2-factor authentication on the web site, which not only gives anybody who manages to steal your password full access to your email and personal info, but also allows them to remotely wipe your devices or Macs via "Find My ..."
  10. macrumors 601


    Dec 8, 2011
    East Central Florida
    Where are the websites with 2 factor auth?

    PayPal Google?
    Msft doesn't even have 2 factor
  11. macrumors 603


    Aug 4, 2011
    you win the internets


    My Microsoft account that hosts one of my domains does have two way. Loads into the Google Auth app.
  12. macrumors 6502

    Dec 2, 2005
    Germantown, MD
    This kind of surprises me, as Apple still has no password expiration policy or review of older password requirements. I was kind of surprised to find out one of our test accounts has been running around with a... fairly insecure password for a long time without any prompt to change. It definitely wouldn't pass the new account standards now.
  13. macrumors 68020

    Aug 5, 2008
    San Jose, CA
    All of the sites you mentioned support 2-factor authentication.
  14. macrumors 65816


    Sep 3, 2009
    Philadelphia, PA
    Swype actually is really huge. Categorizing it with animated wallpapers is silly.
  15. macrumors 68030

    Analog Kid

    Mar 4, 2003
    If this is even remotely correlated to actual security, then Amazon's place on this list concerns me greatly...
  16. macrumors 6502a

    Nov 10, 2003
    outside the crazy house, NC
    The only thing this list really demonstrates is that Apple are quick to notify users if they are using stupidly simple passwords. The security of the site isn't being assessed and the bottom-ranking sites' failings are easily addressed by the user using a complex password.

    If you use a password manager or have your own complex password algorithm then there is almost no difference in security between the highest and lowest. It all comes down to how smart the user is.


    It isn't. It's just basically a measure of how effective a password tutorial each site provides.
  17. Administrator

    Doctor Q

    Staff Member

    Sep 19, 2002
    Hill Valley, California
    I'm driven crazy by websites that refuse to allow certain characters in passwords. Some sites reject my nicely secure choices saying that passwords must contain only letters and digits, no special characters or no spaces, and often with rather short maximum sizes. What do these sites have to gain by such restrictions? Applying minimum requirements is reasonable but why do they apply "maximum" requirements?
  18. Moderator


    Staff Member

    Sep 8, 2010
    Detroit, Michigan
    I feel your pain of frustration too and have ofttimes wondered that myself.
  19. macrumors 6502a

    Aug 26, 2010
    You're absolutely right! Golly Gee! Death to OS X for having customization! It never occurred to me that I need anti-virus because I can install whatever I want on my Macbook!

    Know of any good iOS laptops? And can I have a cool-aid logo on it as well?!
  20. macrumors newbie

    Jan 19, 2014
    Where is Google?

    Where is Google? I use Gmail...... I hope my account does not get hacked...
  21. macrumors regular

    May 9, 2013
    It's based on the top 100 e-commerce sites.
  22. JAT
    macrumors 603

    Dec 31, 2001
    Mpls, MN
    Still running on DOS?
  23. macrumors G3


    Jun 11, 2008
    Los Angeles, CA
    I've been using Touch ID and it works rather well. All of my roommates have tried to trick it and nothing. Especially since they can't get a clean print of my finger.

    Also you have the option to not use it for iTunes. It can't be used for turning off find my iPhone etc.

    And this was an assessment of online site practices so it doesn't cover Touch ID and similar. They would need a different rating list.


    If someone manages to steal your password you have bigger issues than a lack of two step authentication.


    There have been zero confirmed successful brute force attacks on Apple's systems so user created passwords would be the weakest link.

    And Apple isn't about to talk about how they secure their servers since that would just help those that want to try again.
  24. macrumors 6502a

    Apr 23, 2012
  25. macrumors member

    Jul 14, 2008
    Microsoft does, and has for quite a long time, supported two-factor authentication. They use the same algorithm as Google, LastPass, and Dropbox to name a few.
