Top E-commerce Sites Fail To Protect Users From Stupid Passwords

Martin S. writes "The Register reports that 'Top UK e-commerce sites including Amazon, Tesco and Virgin Atlantic are not doing enough to safeguard users from their own password-related foibles, according to a new study by Dashlane ... 66% accept notoriously weak passwords such as '123456' or 'password,' putting users in danger as these are often the first passwords hackers use when trying to breach accounts. ... 66% make no attempt to block entry after 10 incorrect password entries (including Amazon UK, Next, Tesco and New Look). This simple policy prevents hackers from using malicious software that can run thousands of passwords during log-ins to breach accounts.'" xkcd has some insight about why this is bad for users generally, not just on any sites that happen to get compromised. Rules that require ever more complexity in passwords, though, probably backfire quite a bit, too.

not really a huge deal...

[Connie_Lingus]

it's a lot harder to actually steal money online then people think.

Slashvertisement.

[khasim]

Vendor of X does a study showing that people would be safer using X.

The easiest way to create and remember strong passwords is with a password manager, like Dashlane, which generates unique passwords for you, saves them to your account, and autofills them online.

They're probably not hashing them.

[khasim]

I tried recently to change my banking password to something much longer, only to find there's a limit of just 14 characters.

That means that they're probably storing them in a database where the field is set to 14 characters. Possibly in plain text.

If they were hashing them (with or without a salt) then they wouldn't care if your password was larger. As long as it still fit into the buffer they've assigned to it. Because the hash of a 1 character password should be the same length as the hash of a 256 character password.

Be worried about that bank's security.