Here's how well the top 100 online retailers secure your password

By on January 27, 2014, 1:50 PM
amazon, apple, walmart, groupon, best buy, toys r us, online retailers

Many of us take for granted how secure our credit card and banking information is when purchasing goodies online. Even though a retailer may have a generally good reputation, it doesn't necessarily mean it treats your private financial data with the kind of sensitivity and respect it should. A new study has surfaced that ranks how well the most popular online retailers handle your data, and you might be surprised to see who's at the bottom of the list.

The study, conducted by password management company Dashlane, uses a series of criteria to judge how well each of the world's top 100 retailers secure user passwords. The criteria consists of things like whether or not the retailer will accept insecure or weak passwords as well as how secure emails from the company containing your private data are. According to the study, between 55 and 70% of the world's top online retailers allow users to create very weak passwords, with sites like Amazon, Best Buy, Macy's and others all allowing logins after 10 incorrect attempts. Using a simple scoring system from -100 to 100, each site is ranked based on their password security policies.

While there are a number of surprising rankings on the list, one that might not be so surprising is Apple. The company was the only retailer to score a perfect 100, with the next closest being Microsoft with a 65. Next up, we see Chegg and Newegg in the third and fourth position, with a 65 and 60 respectively. Target scored a 60 as well and landed in the number 5 spot, which might be surprising to some after the company admitted that a large amount of encrypted debit card PIN data was stolen from its system during a Black Friday attack.

Some of the more worrisome rankings come from major retailers like Amazon and Walmart, who both scored a lackluster -40 on the Dashlane chart. You'll also find Toys R Us, Dick's Sporting Goods, Hulu, Disney Store and Groupon among the worst of the most popular online retailers, all of which landing a -45 or worse.

Here's a quick look at the top 10:

Apple 100
Microsoft 65
Chegg 65
Newegg 60
Target 60
Williams-Sonoma 55
CDW 50
Amway 45
Musician's Friend 45
Nike 45

…and the bottom 10:

1-800 Flowers -46
Vitacost -50
Nutrisystem -50
American Girl -50
J. Crew -55 
Toys R Us -60
Aeropostale -60
Dick's Sporting Good -65
Karmaloop -70
MLB -75

Head over to Dashlane's full report for a complete look at the list.

(Image via Shutterstock)




User Comments: 15

Got something to say? Post a comment
OneSpeed said:

How safe can it be if the servers are located in the US? NSA will have access, if they don't already. Remember the article here saying how Apple is agreeing with the NSA on allowing certain phones be handle by the NSA before they are delivered to the customers? Perfect 100...

2 people like this | cliffordcooley cliffordcooley, TechSpot Paladin, said:

"According to the study, between 55 and 70% of the world's top online retailers allow users to create very weak passwords, with sites like Amazon, Best Buy, Macy's and others all allowing logins after 10 incorrect attempts. Using a simple scoring system from -100 to 100, each site is ranked based on their password security policies."

If the consumer wants to use a weak password, why should the retailer care? This has nothing to do with how secure everyone else is while using the retailer.

OneSpeed said:

In the end, it doesn't matter.

1 person liked this | davislane1 davislane1 said:

If the consumer wants to use a weak password, why should the retailer care? This has nothing to do with how secure everyone else is while using the retailer.

Because it only takes one ***** getting five minutes of fame in the news to hurt sales. You have to remember, we don't live in a culture of personal responsibility anymore. If someone gets hosed because of their own cavalier approach to financial security, it's not their fault -- it's the fault of the retailer for not providing them adequate protection from themselves.

MilwaukeeMike said:

Because it only takes one ***** getting five minutes of fame in the news to hurt sales. You have to remember, we don't live in a culture of personal responsibility anymore. If someone gets hosed because of their own cavalier approach to financial security, it's not their fault -- it's the fault of the retailer for not providing them adequate protection from themselves.

Funny timing on this one... I just got an email from a friend regarding a website called www.kppmd.com. it's a weight loss website and the ad for the website promotes a book of the same title called 'It's not your fault you're fat'. I haven't read the book though, so I don't know whose fault it is

I can see both sides of this one though.... being forced to use an extra strong password also makes it hard to remember. Requirements for capitals and numbers etc mean the password for that site will probably be unique from other password they use. Great for security, except for many people the difficulty in remembering prompts them to write it down.

cliffordcooley cliffordcooley, TechSpot Paladin, said:

You have to remember, we don't live in a culture of personal responsibility anymore.
I suppose you are right, which also describes the foundation of flaws with our culture.

Guest said:

I can see both sides of this one though.... being forced to use an extra strong password also makes it hard to remember. Requirements for capitals and numbers etc mean the password for that site will probably be unique from other password they use. Great for security, except for many people the difficulty in remembering prompts them to write it down.

There's an easier solution to their password woes. It's called password manager. They only need to remember one password for their password manager, and then it will remember all your other passwords. The world would be a better place If everyone start to use password managers.

1 person liked this | cliffordcooley cliffordcooley, TechSpot Paladin, said:

And if you become a target, only one password would need to be broken. But then the topic is how irresponsible the retailers are, not the consumers who choose to purchase from them. Consumer irresponsibility had nothing to do with Target's latest incident. Pointing a finger at consumers is nothing more than an escape goat.

1 person liked this | tonylukac said:

On the mainframe at the university of illinois at chicago we had a house created system (acf1, predecessor to acf2 security which the authors got millions from), that did similar things you're talking about; 3 logon attempts and hashed passwords, etc. in 1976, or earlier. What did we do, reinvent the wheel? The nsa had to know the hashing algorithm. The truth.

modonn said:

Justin, inferring that password strength for public accounts gives an indication of how securely these corps secure our data is weak at best and the overall tone of this article is misleading. BTW your site accepted an extremely weak, very short, alphabetical, single case, dictionary word as my password for this account that you forced me create in order to comment.

mailpup mailpup said:

Modonn, you do not have to create an account to comment in the TechSpot News and Comments forum.

rub900 said:

The Wal-Mart comment is ********. It brings the whole study into question.

MonsterZero MonsterZero said:

You forgot Target - 0

GeforcerFX GeforcerFX said:

Link is messed up for the full report, it takes you to the target article just like the other link.

wiyosaya said:

Personally, I always delete my credit card information from any web site that I use. Newegg is nice in that it allows you to use a credit card without saving the card info. Yes - I understand that credit card info is attached to previous orders, however, it seems more secure if I do not leave them on file with any online company, and enter it each time I order something. To me, that is much less of an inconvenience than having my cards stolen.

Amazon, in contrast to Newegg, does not allow a choice to save the card or use it one time. They seem bent on convenience and getting their customers to buy as much garbage as possible rather than on the security of their users. I do give them a small amount of credit - pun intended - in that they allow you to remove your credit card, but they make it a more complicated task in that users must go to their account, choose "Manage Payment Options" and then delete any card that they do not want on file. Amazon recently changed that page in that it is now a drop down and in order to see the delete button, you must activate the drop down.

I also do not leave my address, either, and for sites that require entries in the address field, such as Newegg, I enter valid garbage. Otherwise, I get junk snail mail from them. For anyone who wants to aggressively stop junk snail mail in the US, research US Postal Service form 1500. The form has been all the way to the supreme court in the US, and has been ruled legal to use even though you must declare that you consider that any junk mail that you receive is "porn."

IMHO, online stores want to store too much information that they simply do not need.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.