Apple.com does more to protect your password, study of top 100 sites finds

Apple, Microsoft, Chegg, Newegg, and Target do the best job of safeguarding customer passwords, according to a comprehensive study of the top 100 e-commerce websites that also ranked Major League Baseball, Karmaloop, Dick's Sporting Goods, Toys R Us, and Aeropostale as performing the worst.

Apple.com was the only site to receive a perfect score of 100, which was based on 24 criteria, such as whether the site accepts "123456" and other extremely weak passwords and whether it sends passwords in plaintext by e-mail. Microsoft and academic supplier Chegg tied for second place with 65, while Newegg and Target came in third with 60. By contrast, MLB received a score of -75, Karmaloop a -70, Dick's Sporting Goods a -65, and Aeropostale and Toys R US each got a -60. Each site was awarded or deducted points based on each criterion, leading to a possible score from -100 and 100. The study was conducted by researchers from password manager Dashlane based on the password policies in effect on the top 100 e-commerce sites from January 17 through January 22.

An epidemic of poor passwords

Amazingly, 55 percent of the sites accepted weak passwords such as "123456" and "password," while Toys R US, J.Crew, 1-800-Flowers.com, and five other sites sent passwords as plaintext in e-mails. Sixty-one of the sites provided no advice on how to create a strong password when creating an account, while only seven sites provided any type of on-screen meter to help assess the strength of a chosen password.

Results from studies and previous website breaches show that a large percentage of people use the same password to secure multiple accounts. By allowing users to choose weak passwords, sites help contribute to an epidemic of poor security hygiene that can follow users from site to site. Conversely, websites that follow a handful of simple policies help break the cycle. The policies include requiring users to choose passwords at least eight characters long containing a mix of letters, numbers, and symbols; blocking account access after four failed login attempts; providing users with on-screen advice for choosing strong passwords; and providing a password strength meter.

"Some retailers may argue that such requirements impede user convenience, but companies such as Apple, arguably the most famous brand on the list, have shown that it is possible to be both secure and successful," Dashlane officials wrote in a press release announcing the ranking. "In every category we tested, Apple implemented the four simple policies and procedures we recommend above. The policies resulted in the company being awarded the only perfect score in the study."

There are a few points in the Dashlane study that are worth quibbling with. First, locking an account after four failed attempts opens users to denial-of-service attacks that are extremely easy to carry out. What's more, the types of protections in place to prevent password guessing attacks isn't always obvious to an end user. Just because Dashlane researchers didn't observe Amazon.com and other sites doing anything to limit failed login attempts doesn't necessarily mean they don't do things to prevent online cracking attacks.

The study also didn't gauge several important criteria that are crucial for safeguarding passwords. For instance, do any of the sites allow users to enter passwords through unencrypted HTTP connections? Are password reset links available in HTTP? Do any of the sites allow users to reset passwords using easily guessed security questions? And are passwords hashed using a slow algorithm such as PBKDF2 when they're stored in databases? Also, as Ars has explained before, many meters gauging the strength of user passwords aren't worth the bits they run on. Poorly implemented meters do users a disservice by giving them a false sense of security. Dashlane researchers do nothing to separate effective ones from ineffective ones. Also noticeably absent is any measure of which sites offer two-factor authentication.

Still, the study is useful because it's among the first to scrutinize the password policies that have a huge effect on the collective strength of Internet passwords. Here's hoping Dashlane and other researchers provide follow-up analysis. It will be interesting to see how or if website rankings change over time.

The complete ranking follows:

e-Retailer	Score
Apple	100
Microsoft	65
Chegg	65
Newegg	60
Target	60
Williams-Sonoma	55
CDW	50
Amway	45
Musician's Friend	45
Nike	45
Best Buy	40
WW Grainger	40
Walgreens	40
Express	40
Sony	35
Abercombie & Fitch	35
Bass Pro Outdoor	35
CVS	35
MSC Industrial Supply	30
Hayneedle	30
Oriental Trading Co.	30
The Children's Place Retail Stores	30
OfficeMax	25
Nordstrom	25
Deluxe Corp.	25
Crate and Barrel	25
American Eagle	24
Ann Inc.	20
Sears	19
Dell	19
Neiman Marcus	19
Saks	14
Lowe's	14
LL Bean	10
Avon Products	4
DSW	4
JC Penney	-5
Foot Locker	-6
Costco	-10
Gap	-10
Green Mountain Coffee	-10
GameStop	-11
Chico's FAS	-11
Gilt Groupe	-13
Estee Lauder	-15
PC Connection	-18
HSN	-25
Etsy	-25
The Home Depot	-25
Staples	-30
Barnes and Noble	-30
ShopNBC	-30
CafePress	-30
Office Depot	-35
Macy's	-35
HP Home/Office Store	-35
Rakuten	-35
Cabela's	-35
Ralph Lauren	-35
Build	-35
Sierra Trading Post	-35
Northern Tool	-37
Amazon	-40
Walmart	-40
Kohl's	-40
Fingerhut (Bluestern Brands)	-40
Scholastic Inc.	-40
Eddie Bauer	-40
1 Sale a Day	-40
Victoria's Secret	-44
Overstock	-45
Vistaprint	-45
Fanatics	-45
Urban Outfitters	-45
Shutterfly	-45
Wayfair	-45
PCM	-45
Groupon	-45
REI	-45
Blue Nile	-45
Fresh Direct	-45
RueLaLa	-45
Zulily	-45
1-800 Contacts	-45
Disney Store	-45
Net-A-Porter	-45
Hulu	-45
Shoebuy	-45
Edible Arrangement	-45
Restoration Hardware	-45
1-800 Flowers	-46
Vitacost	-50
Nutrisystem	-50
American Girl	-50
J. Crew	-55
Toys R Us	-60
Aeropostale	-60
Dick's Sporting Good	-65
Karmaloop	-70
MLB	-75