Unsafe Password Policies Leave Holiday Shoppers Vulnerable Online According to Dashlane Security Study

Top Findings:
80% of sites do not meet the minimum secure password threshold
72% of sites do not require passwords with a capital letter and a number or symbol
32% of sites accept the ten most common passwords, including “password”
Strongest Sites: Apple, Target, Best Buy, Newegg, Bed Bath & Beyond
Weakest Sites: Dick’s Sporting Goods, Zulily, Walmart, Cabela’s, Amazon

NEW YORK - Almost 50% of 2015 holiday spending will be online, and a new study by password manager Dashlane found that a majority of America’s most popular ecommerce sites have unsafe password practices. Apple received the only perfect score, which it also received in each of Dashlane’s previous Security Roundups. Target, Best Buy, Newegg, and Bed Bath and Beyond were the only other sites to receive passing scores. Dick’s Sporting Goods received the lowest score. Amazon and Walmart were among the sites receiving the worst scores.

Click for the full study results and embeddable media: Dashlane.com/internet-security-roundup/ecommerce-2015*

*NOTE: All citations and references to the study should link to the page above.

Dashlane’s 2015 Ecommerce Security Roundup examined password security policies on 25 of the most popular online retailers. Dashlane tested 22 criteria, and each criterion was given a +/- point value that enabled a website to receive a score between -100 and +100. A score of +50 is Dashlane’s minimum requirement for good password practices.

1. Bad Password Policies

Passwords are the first line of defense to keep personal data safe online. It’s easy for even the most basic website to implement strong password requirements, yet some of America’s largest online retailers are leaving their users exposed due to their weak password requirements. Dashlane CEO Emmanuel Schalit, a Ph.D. in computer science, states, “A strong password is at least eight random characters long, and contains a mix of capital letters, lowercase letters, and numbers and/or symbols. This complexity is what keeps hackers from easily guessing your password.”

Dashlane’s testers found that 72% of the sites they examined do not require users to have a capital letter and number/symbol combination in their password. They also found that 56% of sites allow users to have a password less than eight characters long, including IKEA, Macy’s, and eBay.

80% of the sites Dashlane examined did not meet the minimum score of +50, and 44% received negative scores, indicating they have dangerously weak password requirements. Of greater concern was that nearly 1/3 (32%) allow users to use 10 of the most common (and weakest) passwords as their password. This means users on sites such as REI, Wayfair, Walmart, and Amazon can use easily guessable and unsafe passwords, such as ‘password’, ‘abc123’, and ‘123456’.

2. The Winners

Although the majority of sites performed poorly, there were a select few that achieved high scores. For the third time in a row, Apple received a perfect score and was the highest ranked site in the Dashlane study. Apple requires long, complex alphanumeric passwords, and does not accept easily hackable passwords. Several notable sites also have strong password requirements, including Target, ToysRUs, Best Buy, and Bed Bath and Beyond.

“Apple’s password security policies should serve as the gold standard for online retailers,” says Schalit. “By requiring their customers to create strong passwords they are ensuring they have a strong first line of defense. We applaud other retailers, such as Best Buy and Target, who have also made great strides in making password security a priority.”

3. Brute Force and Social Engineering

Another reason sites should require strong, complex passwords is to protect their users from brute force and social engineering attacks. A brute force attack involves a hacker creating a simple software tool that can force feed millions of passwords into a login screen in an attempt to hack an account. Social engineering is when a hacker can piece together open source personal information and use it to guess someone’s login information.

“In both cases, if a user’s account is not protected, either through a security measure such as a CAPTCHA pop-up or locking of the account, a hacker can continue to attempt their breach unimpeded,” says Schalit. “It’s scary how simple both of these processes are, which is why it is critical that ecommerce sites deploy measures to protect their users from such attacks.”

Dashlane examined all of the sites in the study to see if they employed these security measures. The testers found that 36% allowed 10 or more repeated logins without any secure measures being deployed. This means that an automated software tool, or a hacker, can repeatedly try password combinations to hack into accounts without any consequences.

4. Stronger Requirements, Stronger Password Security

In previous roundups, Dashlane compared website security scores with the average user password strength. In the past, there was a strong correlation between a site’s security score and the strength of a user’s passwords. Dashlane found a similar correlation between the 2015 ecommerce password requirements and how strong users’ passwords were. Apple, Best Buy, and Bed Bath and Beyond had some of the most stringent password requirements, and these three sites also had three of the strongest average password strengths. On the opposite end of the spectrum were sites such as Zulily, Cabela’s and 1800Flowers.com, which received some of the lowest security scores, and also had some of the worst overall password strengths.

5. Progress: 2014 vs. 2015

The Ecommerce Roundup is Dashlane’s third security roundup since 2014. The 2015 Ecommerce Roundup was more focused on only the top retailers. A comparison can be made between the previous editions as the majority of the testing criteria remained the same and many of the same sites were examined. There were some improvements in the performance of the websites:

The percentage of sites with negative scores decreased from 53% to 44%
The percentage of sites that allow 10+ brute force logins decreased from 51% to 35%
The percentage of sites that accept the ten worst passwords decreased from 43% to 32%
The percentage of sites that scored below +50 decreased from 86% to 80%

Two examples of sites improving their scores with better password policies were Best Buy and Overstock. Both retailers saw their scores increase because they required their users to create more complex and secure passwords.

“It is encouraging to see positive password security trends in the world of ecommerce,” says Schalit. “Yet, while the numbers indicate retailers are moving in the right direction, much work remains. It’s 2015, so no website has an excuse for not implementing security policies that will better secure their users.”

6. Full Results

Brand                    Security Score   Rank
Apple                    +100             1
Target                   +85              2
Best Buy                 +70              3
Newegg                   +70              3
Bed Bath and Beyond      +55              4
Toys R Us                +40              5
eBay                     +30              6
The Home Depot           +30              6
Nike                     +20              7
Williams-Sonoma          +20              7
Nordstrom                +5               8
QVC                      +5               8
Sears                    +5               8
Overstock                +4               9
Macy's                   -15              10
IKEA                     -25              11
Staples                  -30              12
Wayfair                  -30              12
REI                      -40              13
1800Flowers.com          -41              14
Amazon                   -45              15
Cabela's                 -45              15
Walmart                  -65              16
Zulily                   -65              16
Dick's Sporting Goods    -70              17

About Dashlane

Dashlane makes identity and payments simple with its password manager and secure digital wallet app. Dashlane allows its users to securely manage passwords, credit cards, IDs, and other important information via advanced encryption and local storage. Dashlane has helped over 3.5 million users manage and secure their digital identity, and has enabled $4 billion in ecommerce transactions. The app is available on PC, Mac, Android, and iOS, and has won critical acclaim from top publications, including: The New York Times, The Wall Street Journal, and USA Today. Dashlane is free to use on one device and Dashlane Premium costs $39.99/year to sync between an unlimited number of devices. Dashlane was founded by Bernard Liautaud and co-founders Alexis Fogel, Guillaume Maron, and Jean Guillou. The company has offices in New York City and Paris, and has received $30 million in funding from Rho Ventures, FirstMark Capital and Bessemer Venture Partners. Learn more at Dashlane.com

Methodology

The study was conducted by Dashlane from October 19 – November 2, 2015. Dashlane examined 25 popular ecommerce websites. Each site was analyzed based on a set of 21 criteria. A criterion carried positive weight when it added security and negative when it added risk, giving each web site a total possible Dashlane Security Score between +100 and -100. The study used aggregated, anonymous password strength statistics (with no access to the passwords themselves) from random Dashlane accounts. No Dashlane employee is ever able to view the data of any Dashlane user account. For more information on Dashlane’s privacy policy, please click HERE.

###
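The policy criteria from section 1 (at least eight characters, a capital letter plus a number or symbol, rejection of the most common passwords) and the repeated-login check from section 3 can be expressed as a small server-side checker. This is an added example, not Dashlane's test harness or any retailer's code; the common-password list is a placeholder seeded only with the three passwords the release names, and locking the account after nine failures (so that a tenth repeated login is refused) is an assumption derived from the study's "10 or more repeated logins" criterion.

```python
"""Password-policy and login-throttling checks modelled on the criteria the
Dashlane 2015 Ecommerce Security Roundup tested (constructed example)."""
import string

# Constructed placeholder: the release names three of the "ten most common"
# passwords; the study's full list is not on the page, so only those appear.
COMMON_PASSWORDS = {"password", "abc123", "123456"}

MIN_LENGTH = 8        # study criterion: passwords under 8 characters fail
LOCK_AFTER_FAILURES = 9   # assumption: refuse the 10th repeated login


def policy_violations(password: str) -> list[str]:
    """Return the study criteria a candidate password fails (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    has_upper = any(c.isupper() for c in password)
    has_digit_or_symbol = any(
        c.isdigit() or c in string.punctuation for c in password
    )
    if not (has_upper and has_digit_or_symbol):
        problems.append("missing capital letter plus number/symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the most-common-passwords list")
    return problems


class LoginThrottle:
    """Counts failed logins per account and locks it before a 10th attempt,
    the 'locking of the account' measure the study looked for."""

    def __init__(self, lock_after: int = LOCK_AFTER_FAILURES):
        self.lock_after = lock_after
        self.failures: dict[str, int] = {}

    def attempt(self, account: str, password_ok: bool) -> str:
        # A locked account is refused without evaluating the password,
        # so an automated tool gets no signal about further guesses.
        if self.failures.get(account, 0) >= self.lock_after:
            return "locked"
        if password_ok:
            self.failures.pop(account, None)   # success resets the counter
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "failed"
```

A site that accepts "password" for a new account would fail `policy_violations` on two criteria, and one that returns "failed" on a tenth consecutive wrong guess rather than "locked" would fall into the 36% the study flagged.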