What do Major League Baseball, Dick’s Sporting Goods, Toys R Us, and Aeropostale have in common? You probably won’t want to know the answer if you’re a regular online shopper or visitor to these sites. That’s because they are among the very worst at protecting your password and online security!
A company called Dashlane analyzed the password policies on the top 100 e-commerce sites. They asked 24 online security questions about the account creation process (for example, are alpha-numeric passwords mandatory?) and the change/reset password process (for example, is the new permanent password visible in the confirmation email?).
The big winner was Apple.com, which scored a perfect 100 based on the 24 survey questions.
In comparison, Major League Baseball received a score of -75 (yep, that’s a negative 75!), falling slightly worse than Dick’s Sporting Goods at -65 and retailers Aeropostale and Toys R US, both tied at -60.
Why does this matter? Why should consumers care that MLB and online retailers are living in the Dark Ages when it comes to online security?
The most logical reason to be alarmed is that most e-commerce sites store your credit card number. Plus, a hacker who gains access to one password will generally have a much easier time attempting to use that password on other websites. This could include your online bank account, or your social media accounts, and on and on, since most people tend to repeat the same passwords on multiple websites.
Consider the mess that Target has been cleaning up since its admission two months ago that 40 million credit and debit card accounts were stolen. That mess has led to the theft of personal information, including email addresses and names, of as many as 70 million customers. Now consider that these sorts of sophisticated retail data hacks are more widespread than initially thought.
Here are some other key findings from Dashlane’s e-commerce password study:
- 55% still accept notoriously weak passwords such as “123456” or “password.”
- 51% make no attempt to block entry after 10 incorrect password entries (including Amazon, Dell, Best Buy, Macy’s, and Williams Sonoma).
- 64% have highly questionable password practices (receiving a negative total score in the roundup).
- 61% do not provide any advice on how to create a strong password during signup, and 93% do not provide an on-screen password strength assessment.
- Only 10% scored above the threshold for good password policies (i.e., 45 points or more in the roundup).
- Eight sites, including Toys “R” Us, J.Crew, and 1-800-Flowers.com, send passwords in plain text via email.
Remember, your password is a barricade between you and your account. Passwords should be long (more than 8 characters) and complex (include a letter, number, a mix of upper and lower case letters, and/or symbols).