While I agree that the leading edge of user protection and security is well ahead of the criteria Dashlane tested for here (two-factor auth, HTTPS at all times, full Unicode charset in passwords, etc.), it is still chilling to realize the number of major e-commerce sites that will allow the user to be well below what should be an industry-standard baseline.

The sad truth is that Dashlane's criteria ought to be the lowest common denominator. But most of the industry manages to fall well below that line.

ArcaneDevice is correct: for those of us using password managers to auto-generate strong passwords, one of these sites is as good as the next. But for the majority of users, the degree to which a site will allow them to make boneheaded decisions about their security is staggering. Some of these data points are absolutely comical, such as 1-800-Flowers' minimum password length: one character. One. :eek:

And as a postscript, kudos to Dashlane for fully publishing the data and methodology behind this report. How refreshing.
 
I'm driven crazy by websites that refuse to allow certain characters in passwords. Some sites reject my nicely secure choices saying that passwords must contain only letters and digits, no special characters or no spaces, and often with rather short maximum sizes. What do these sites have to gain by such restrictions? Applying minimum requirements is reasonable but why do they apply "maximum" requirements?

They need to be able to store your password in their hacker-friendly, plain text database. :D

> While I agree that the leading edge of user protection and security is well ahead of the criteria Dashlane tested for here (two-factor auth, HTTPS at all times, full Unicode charset in passwords, etc.), it is still chilling to realize the number of major e-commerce sites that will allow the user to be well below what should be an industry-standard baseline.

Seriously, a huge problem is the number of websites that require you to open accounts with passwords to do things. If I want to download a .PDF file from a company, or order things, why do I need an account with a password in the first place? That's what happened with Adobe: after it was hacked, researchers found tons of insecure passwords like "123456" - but that was on an Adobe download website where nobody actually cared one bit if someone figured out their password.

I go to a store, take an item, go to the checkout, hand over my card, they take the payment, and that's it. No account, no password. Why would this be different for any e-commerce site? My credit card number is essentially my password for e-commerce. Anyone who has it (and the other necessary details on the card) can go to _any_ e-commerce site and order things. The fact that I have a top secure password at site A doesn't stop them from ordering at site B, so it is no protection at all, just an annoyance.
 
The security of the site isn't being assessed, and the bottom-ranking sites' failings are easily addressed by the user using a complex password.

If you use a password manager or have your own complex password algorithm then there is almost no difference in security between the highest and lowest. It all comes down to how smart the user is.

Other than the eight that email your password in plaintext... That's the only real systemic threat I could see in the writeup.

----------


> I'm driven crazy by websites that refuse to allow certain characters in passwords. Some sites reject my nicely secure choices saying that passwords must contain only letters and digits, no special characters or no spaces, and often with rather short maximum sizes. What do these sites have to gain by such restrictions? Applying minimum requirements is reasonable but why do they apply "maximum" requirements?

It keeps their databases compact. If you have a million users, each added character in the password database requires a megabyte of storage.

Now, could someone kindly give me directions back to the 80's?
 
> It keeps their databases compact. If you have a million users, each added character in the password database requires a megabyte of storage.
>
> Now, could someone kindly give me directions back to the 80's?
I like your post, but I must point out that companies would save disk space by allowing more variety of characters in passwords. If the character set is limited to letters and digits, they store them all in 8-bit bytes, and I want to make sure that my randomly chosen password would take on the order of 10^12 guesses to break, then I need an 8-character password. But if I'm allowed to use punctuation characters and spaces in my password too, I could get the same level of security with a 7-character password. They could reduce their storage space by a huge 12.5%!

In theory, they could compress passwords in the database so their length represents the amount of information, not the number of characters. In that case, they would use the same amount of disk space no matter how many characters they let you use! For example, passwords that could only use As and Bs would be very long but would compress to the same size as very short passwords that could use any Unicode character and contained the same amount of information.
 
> I like your post, but I must point out that companies would save disk space by allowing more variety of characters in passwords. If the character set is limited to letters and digits, they store them all in 8-bit bytes, and I want to make sure that my randomly chosen password would take on the order of 10^12 guesses to break, then I need an 8-character password. But if I'm allowed to use punctuation characters and spaces in my password too, I could get the same level of security with a 7-character password. They could reduce their storage space by a huge 12.5%!
>
> In theory, they could compress passwords in the database so their length represents the amount of information, not the number of characters. In that case, they would use the same amount of disk space no matter how many characters they let you use! For example, passwords that could only use As and Bs would be very long but would compress to the same size as very short passwords that could use any Unicode character and contained the same amount of information.
Point: Q

(this all made me go find this reference again: https://xkcd.com/936/)
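The "why do sites cap password length or charset" question and the storage-size back-and-forth above both come down to one fact a correctly built login system already demonstrates: a site that stores a salted, slow hash keeps a fixed-size record no matter how long the password is or which characters it contains, so length and charset caps buy it nothing. The script below is an added example written for this thread, not code from Dashlane, from any of the ranked sites, or from any poster. It derives a constant-size verifier with PBKDF2-HMAC-SHA256 (the salt size, hash size and iteration count are this example's own choices), checks a candidate in constant time, and computes the guess-space figures the entropy post compares, so readers can check the 8-character alphanumeric versus 7-character full-ASCII comparison themselves.

```python
import hashlib
import hmac
import math
import os

# Parameters chosen for this example; they are assumptions, not settings from any site in the report.
SALT_BYTES = 16          # random per-user salt, stored beside the hash
HASH_BYTES = 32          # derived-key length; the stored size never depends on the password
PBKDF2_ROUNDS = 600_000  # work factor for PBKDF2-HMAC-SHA256; raise as hardware gets faster


def guess_space_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols drawn
    from `charset_size` symbols: log2(charset_size ** length)."""
    if charset_size < 2 or length < 1:
        return 0.0
    return length * math.log2(charset_size)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier. Any Unicode, any length, spaces included:
    the password is UTF-8 encoded and stretched with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=HASH_BYTES
    )


def make_record(password: str, salt: bytes = None) -> bytes:
    """What a sane site stores for one user: salt || hash. Constant size."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return salt + hash_password(password, salt)


def verify_password(password: str, record: bytes) -> bool:
    """Recompute the hash under the stored salt and compare in constant time,
    so timing does not leak how many leading bytes matched."""
    salt, stored = record[:SALT_BYTES], record[SALT_BYTES:]
    return hmac.compare_digest(hash_password(password, salt), stored)


def record_size_bytes(password: str) -> int:
    """Storage cost per user for a given password: always SALT_BYTES + HASH_BYTES."""
    return len(make_record(password))


if __name__ == "__main__":
    # Constructed sample passwords: one-character (the 1-800-Flowers minimum) versus a long Unicode phrase.
    short, long_unicode = "1", "correct horse battery staple ünïcödé " * 4
    print("record bytes, 1-char password :", record_size_bytes(short))
    print("record bytes, 148-char Unicode:", record_size_bytes(long_unicode))
    # Guess-space comparison from the entropy post: 62 symbols x 8 vs 95 symbols x 7.
    print("62^8  ->", round(guess_space_bits(62, 8), 2), "bits")
    print("95^7  ->", round(guess_space_bits(95, 7), 2), "bits")
    print("2^48  ->", round(guess_space_bits(2, 48), 2), "bits (As and Bs only, 48 long)")
    rec = make_record("Tr0ub4dor&3")
    print("verify right password:", verify_password("Tr0ub4dor&3", rec))
    print("verify wrong password:", verify_password("Tr0ub4dor&4", rec))
```

The point to take from running it: the record is 48 bytes for a one-character password and 48 bytes for a 148-character Unicode phrase, so a site that rejects long or non-alphanumeric passwords is not saving storage; it either has a legacy plaintext or fixed-width column, or has never thought about it. The entropy figures also show that charset size and length trade off exactly as the log2 formula says, which is the real arithmetic behind the 7-versus-8-character comparison.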
 