Slashdot Mirror

← Back to Stories (view on slashdot.org)

Top E-commerce Sites Fail To Protect Users From Stupid Passwords

Posted by timothy on from the use-uno-dos-tres-instead dept.

Martin S. writes "The Register reports that 'Top UK e-commerce sites including Amazon, Tesco and Virgin Atlantic are not doing enough to safeguard users from their own password-related foibles, according to a new study by Dashlane ... 66% accept notoriously weak passwords such as '123456' or 'password,' putting users in danger as these are often the first passwords hackers use when trying to breach accounts. ... 66% make no attempt to block entry after 10 incorrect password entries (including Amazon UK, Next, Tesco and New Look). This simple policy prevents hackers from using malicious software that can run thousands of passwords during log-ins to breach accounts.'" xkcd has some insight about why this is bad for users generally, not just on any sites that happen to get compromised. Rules that require ever more complexity in passwords, though, probably backfire quite a bit, too.

8 of 162 comments (clear)

  1. Re:Top gun manufacturers fail to protect users by causality · · Score: 4, Insightful

    From pointing the gun at their face.

    Indeed. And "rules that require even more complexity in passwords" backfire because the notion of protecting people from themselves is fundamentally flawed. Note the way you practically never see this notion questioned in any headline or summary.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  2. not really a huge deal... by Connie_Lingus · · Score: 4, Informative

    it's a lot harder to actually steal money online then people think.

    --
    never bring a twinkie to a food fight.
    1. Re:not really a huge deal... by Anubis+IV · · Score: 4, Interesting

      From what it sounds like, stealing money is harder than people think (myself included until I just read through that rather great link), but it's far from impossible. Moreover, a large part of the paper makes the point that it's not the customer who had their password stolen that will suffer the financial damage, but rather the person who owns the account that's used as a mule to move the funds, meaning that there's still a victim, just not who we thought.

      For instance, if they get your password, they can't just cash your account out, since they don't have your ATM card, your PIN, or your government-issued ID. They first need to transfer the money to an account they control. But they don't want that account linking back to them either, which is where those spam e-mails about someone having $10,000 for you come into play. They'll send a person your $10,000 in exchange for that person sending them a $1000 "commission", and that person will then be scammed out of the $1000 they paid as a commission when you repudiate the $10,000 transfer and it's removed from their account. They're partially to blame too, of course, since they've allowed themselves to be taken in by an obvious scam, but its the people engaging in bad password practices (both users and developers) that are enabling the scammers to scam in the first place.

  3. ...and this wont change because by mnt · · Score: 3, Insightful

    users dont like registration dialogs. Enforcing good passwords will make users stop the registration process and go away. And a compromised user account is the users problem, not the companies. That is current management thinking.

  4. Slashvertisement. by khasim · · Score: 5, Informative

    Vendor of X does a study showing that people would be safer using X.

    The easiest way to create and remember strong passwords is with a password manager, like Dashlane, which generates unique passwords for you, saves them to your account, and autofills them online.

  5. My bank enforces stupid passwords by allsorts46 · · Score: 3, Interesting

    I tried recently to change my banking password to something much longer, only to find there's a limit of just 14 characters. None of the several bank staff I asked about it could tell me why that is.

  6. Re:correct horse battery staple by Holladon · · Score: 3, Interesting

    Eh. It kinda works. If your goal is to invade Amazon accounts using the method laid out in the strip, it's that much easier to do because by allowing you to use anything for a password, they're more likely to have people using simple repeat passwords that, even if not common for everyone, are common for the user. If those sites had more stringent requirements, you couldn't use your childhood dog's name as a password like you've been doing for various account passwords since high school.

    But yeah -- this xkcd was probably the more applicable strip.

  7. They're probably not hashing them. by khasim · · Score: 3, Informative

    I tried recently to change my banking password to something much longer, only to find there's a limit of just 14 characters.

    That means that they're probably storing them in a database where the field is set to 14 characters. Possibly in plain text.

    If they were hashing them (with or without a salt) then they wouldn't care if your password was larger. As long as it still fit into the buffer they've assigned to it. Because the hash of a 1 character password should be the same length as the hash of a 256 character password.

    Be worried about that bank's security.