Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
64,426
32,268



In a comprehensive study of the password security policies of 100 e-commerce websites, Apple was the only site to receive a perfect score of 100.

Conducted by password-management company Dashlane (via Ars Technica), the Personal Data Security in E-Commerce Security Roundup [PDF] examined the password policies at various sites using 24 different criteria like acceptance of weak passwords and whether or not entry is blocked after failed attempts.

passwordscores.jpg
The roundup assesses the password policies of the top 100 e-commerce sites in the US by examining 24 different password criteria that Dashlane has identified as important to online security, and awarding or docking points depending upon whether a site meets a criterion or not. Each criterion is given a +/- point value, leading to a possible total score between -100 and 100 for each site.
While Apple was the only company to earn a score of 100, other companies, like Microsoft, Newegg, and Target also received high scores while Major League Baseball, Toys R Us and Aeropostale received some of the lowest scores.

The study revealed that 55 percent of online retailers accepted weak passwords like "password" or "123456" and 51 percent made no attempt to block entry after 10 incorrect password entries. 61 percent did not provide advice on how to create a strong password, and 93 percent did not provide an on-screen password strength assessement.

Apple, however, met and exceeded all criteria as the company has notoriously stringent password rules to encourage its users to create strong passwords.
Some retailers may argue that such requirements impede user convenience, but companies such as Apple, arguably the most famous brand on the list, have shown that it is possible to be both secure and successful. In every category we tested, Apple implemented the 4 simple policies and procedures we recommend above. These policies resulted in the company being awarded the only perfect score in the study.
When a new Apple ID account is created, users must have a password with at least eight characters, one lower case letter, one capital letter, and one number. The password cannot contain multiple identical consecutive characters, it can't be a common password, and it can't be the same as the account name.

Apple will also rate passwords as weak, moderate, or strong and it asks users to create security questions as well. When logging in with an Apple ID, three attempts at entering the wrong password will prompt a password reset via security questions or email authentication.

As noted by Ars Technica, while the study looks at several aspects of password management, it does avoid some important criteria such as whether sites allow password entry through unencrypted HTTP password connections or allow resets via security questions.

Article Link: Apple Password Management Ranked Most Secure Out of 100 E-Commerce Websites
 

keysofanxiety

macrumors G3
Nov 23, 2011
9,539
25,302
But ... but ... on my Android phone I don't have to type in passwords! I just have to use 'sIris' to recognise my eye and reveal my debit card details. Admittedly, there are a few flaws ... such as it thinking my eye colour was blue when they're actually brown. And I did manage to unlock my phone by pointing the camera towards a Mr. Potato Head.

But customisability, guys! You're too locked down! #changingicons
 

2457282

Suspended
Dec 6, 2012
3,327
3,015
This obviously applies to password for your apple ID, but I wonder what they will have to say about the fingerprint reader and key chain. That is now where the real security threat is -- once you get into key chain you have access to pretty much everything. Personally, I am very happy with it all but I would be interesting to see how that scores.
 

dannyyankou

macrumors G5
Mar 2, 2012
13,340
28,757
Westchester, NY
But ... but ... on my Android phone I don't have to type in passwords! I just have to use 'sIris' to recognise my eye and reveal my debit card details. Admittedly, there are a few flaws ... such as it thinking my eye colour was blue when they're actually brown. And I did manage to unlock my phone by pointing the camera towards a Mr. Potato Head.

But customisability, guys! You're too locked down! #changingicons

But animated wallpapers are so c00l! Who cares if customization opens up the possibility of battery drain, viruses, and hackers? I want my widgets and Swype keyboard!
 

Msail30bay

macrumors regular
Jan 4, 2014
181
18
Penn., USA
Target in the Top 10…...:confused: Really! Since when? And J.Crew at the bottom -55, Yikes! Guess gotta visit the store more and not online.
 

Rigby

macrumors 603
Aug 5, 2008
6,241
10,189
San Jose, CA
And still they don't have 2-factor authentication on the icloud.com web site, which not only gives anybody who manages to steal your password full access to your email and personal info, but also allows them to remotely wipe your devices or Macs via "Find My ..."
 

bearda

macrumors 6502a
Dec 2, 2005
506
176
Roanoke, VA
This kind of surprises me, as Apple still has no password expiration policy or review of older password requirements. I was kind of surprised to find out one of our test accounts has been running around with a... fairly insecure password for a long time without any prompt to change. It definitely wouldn't pass the new account standards now.
 

Analog Kid

macrumors G3
Mar 4, 2003
9,119
11,980
If this is even remotely correlated to actual security, then Amazon's place on this list concerns me greatly...
 

ArcaneDevice

macrumors 6502a
Nov 10, 2003
766
186
outside the crazy house, NC
The only thing this list really demonstrates is that Apple are quick to notify users if they are using stupidly simple passwords. The security of the site isn't being assessed and the bottom ranking sites failings are easily addressed by the user using a complex password.

If you use a password manager or have your own complex password algorithm then there is almost no difference in security between the highest and lowest. It all comes down to how smart the user is.

----------

If this is even remotely correlated to actual security, then Amazon's place on this list concerns me greatly...

It isn't. It's just basically a measure of how effective a password tutorial each site provides.
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
39,950
7,953
Los Angeles
I'm driven crazy by websites that refuse to allow certain characters in passwords. Some sites reject my nicely secure choices saying that passwords must contain only letters and digits, no special characters or no spaces, and often with rather short maximum sizes. What do these sites have to gain by such restrictions? Applying minimum requirements is reasonable but why do they apply "maximum" requirements?
 

clibinarius

macrumors 6502a
Aug 26, 2010
671
70
NY
But animated wallpapers are so c00l! Who cares if customization opens up the possibility of battery drain, viruses, and hackers? I want my widgets and Swype keyboard!

You're absolutely right! Golly Gee! Death to OS X for having customization! It never occurred to me that I need anti-virus because I can install whatever I want on my Macbook!

Know of any good iOS laptops? And can I have a cool-aid logo on it as well?!
 

CoolGuy9890

macrumors member
Jan 19, 2014
34
13
Where is Google?

Where is Google? I use Gmail...... I hope my account does not get hacked...
 

JAT

macrumors 603
Dec 31, 2001
6,473
124
Mpls, MN
I'm driven crazy by websites that refuse to allow certain characters in passwords. Some sites reject my nicely secure choices saying that passwords must contain only letters and digits, no special characters or no spaces, and often with rather short maximum sizes. What do these sites have to gain by such restrictions? Applying minimum requirements is reasonable but why do they apply "maximum" requirements?

Still running on DOS?
 

charlituna

macrumors G3
Jun 11, 2008
9,636
816
Los Angeles, CA
This obviously applies to password for your apple ID, but I wonder what they will have to say about the fingerprint reader and key chain. That is now where the real security threat is -- once you get into key chain you have access to pretty much everything. Personally, I am very happy with it all but I would be interesting to see how that scores.

I've been using touch id and it works rather well. All of my roommates have tried to trick it and nothing. Especially since they can't get a clean print of my finger.

Also you have the option to not use it for iTunes. It can't be used for turning off find my iPhone etc.

And this was an assessment of online site practices so it doesn't cover Touch ID and similar. They would need a different rating list

----------

And still they don't have 2-factor authentication on the icloud.com web site, which not only gives anybody who manages to steal your password full access to your email and personal info, but also allows them to remotely wipe your devices or Macs via "Find My ..."

If someone manages to steal your password you have bigger issues than a lack of two step authentication.

----------

The only thing this list really demonstrates is that Apple are quick to notify users if they are using stupidly simple passwords. The security of the site isn't being assessed and the bottom ranking sites failings are easily addressed by the user using a complex password.

There have been zero confirmed successful brute force attacks on Apples systems so user created passwords would be the weakest link.

And Apple isn't about to talk about how they secure their servers since that would just help those that want to try again
 

djdj

macrumors regular
Jul 14, 2008
104
138
Where are the websites with 2 factor auth?

PayPal google?
Msft doesn't even have 2 factor

Microsoft does, and has for quite a long time, supported two-factor authentication. They use the same algorithm as Google, LastPass, and DropBox to name a few.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.