
Top E-commerce Sites Fail To Protect Users From Stupid Passwords 162

Posted by timothy
from the use-uno-dos-tres-instead dept.
Martin S. writes "The Register reports that 'Top UK e-commerce sites including Amazon, Tesco and Virgin Atlantic are not doing enough to safeguard users from their own password-related foibles, according to a new study by Dashlane ... 66% accept notoriously weak passwords such as '123456' or 'password,' putting users in danger as these are often the first passwords hackers use when trying to breach accounts. ... 66% make no attempt to block entry after 10 incorrect password entries (including Amazon UK, Next, Tesco and New Look). This simple policy prevents hackers from using malicious software that can run thousands of passwords during log-ins to breach accounts.'" xkcd has some insight about why this is bad for users generally, not just on any sites that happen to get compromised. Rules that require ever more complexity in passwords, though, probably backfire quite a bit, too.


  • by suso (153703) * on Tuesday March 11, 2014 @03:21PM (#46456881) Homepage Journal

    Yesterday I was on a Ticketmaster signup form and they listed the following "requirements" for a password:

    "(Must be between 1 to 250 characters. Alpha numeric only, case sensitive.)"

    • by Number42 (3443229)
      A 250-character password isn't nearly strong enough. The company's limiting my safety by not allowing the extremely secure 10×10^10 character password I thought of!
    • Yesterday I was on a Ticketmaster signup form and they listed the following "requirements" for a password:

      "(Must be between 1 to 250 characters. Alpha numeric only, case sensitive.)"

      That's nothing - A company I once worked for allowed passwords such as "Charlie5", but not a 10-character sequence of random alphanumerics (too long - 10 characters is too long a password!!!), or anything with a special character.

      Were I a betting man, I'd put money down that not a thing has changed.

      • They didn't want you entering anything that wasn't in their set of rainbow tables.

      • by Quirkz (1206400)

        When I first registered online with a credit card company in the 90's, they limited me to 4 characters. I think they were still in a PIN mindset. That got fixed eventually, but not for years.

  • by Connie_Lingus (317691) on Tuesday March 11, 2014 @03:24PM (#46456931) Homepage

    it's a lot harder to actually steal money online [microsoft.com] than people think.

    • by Anubis IV (1279820) on Tuesday March 11, 2014 @04:19PM (#46457471)

      From what it sounds like, stealing money is harder than people think (myself included until I just read through that rather great link), but it's far from impossible. Moreover, a large part of the paper makes the point that it's not the customer who had their password stolen that will suffer the financial damage, but rather the person who owns the account that's used as a mule to move the funds, meaning that there's still a victim, just not who we thought.

      For instance, if they get your password, they can't just cash your account out, since they don't have your ATM card, your PIN, or your government-issued ID. They first need to transfer the money to an account they control. But they don't want that account linking back to them either, which is where those spam e-mails about someone having $10,000 for you come into play. They'll send a person your $10,000 in exchange for that person sending them a $1000 "commission", and that person will then be scammed out of the $1000 they paid as a commission when you repudiate the $10,000 transfer and it's removed from their account. They're partially to blame too, of course, since they've allowed themselves to be taken in by an obvious scam, but its the people engaging in bad password practices (both users and developers) that are enabling the scammers to scam in the first place.

  • by mnt (1796310) on Tuesday March 11, 2014 @03:25PM (#46456939)
    Users don't like registration dialogs. Enforcing good passwords will make users stop the registration process and go away. And a compromised user account is the user's problem, not the company's. That is current management thinking.
    • by tlhIngan (30335)

      Users don't like registration dialogs. Enforcing good passwords will make users stop the registration process and go away. And a compromised user account is the user's problem, not the company's. That is current management thinking.

      Well, the first question I have is... why?

      I mean, I run into websites that declared themselves so important that the password HAD to be complex. Which is great, except I only accessed it once every few months, and ended up clicking "Forgot Password" anyways because they wouldn't ac

      • I don't mind strong passwords at sites that I'll never visit again, because I won't have to remember it (and if I do come back, I just hit the "I forgot my password" button).

        It's the sites that I go to infrequently that drive me nuts.

      • I mean, I run into websites that declared themselves so important that the password HAD to be complex [but] all the site had were software downloads.

        Might it have been to keep an intruder from pretending to be you and redownloading the software you paid for? Or maybe I guess my mind got clouded by today's story about Steam...

      • by swv3752 (187722)

        I had this with my Gas Utility company. I can only see the last couple of digits of the credit card. The worst someone could do is pay my bill before I am ready, or see how much gas I am using. Why do I need to use a 16-character alphanumeric case-sensitive password that requires multiple special characters? I work in IT and have to maintain strong passwords, even on government HIPAA systems, and the gas company is more stringent.

        I have ended up setting up an auto-pay and have not touched the account in two ye

  • Slashvertisement. (Score:5, Informative)

    by khasim (1285) <brandioch.conner@gmail.com> on Tuesday March 11, 2014 @03:25PM (#46456949)

    Vendor of X does a study showing that people would be safer using X.

    The easiest way to create and remember strong passwords is with a password manager, like Dashlane, which generates unique passwords for you, saves them to your account, and autofills them online.

  • by allsorts46 (1725046) on Tuesday March 11, 2014 @03:26PM (#46456957) Homepage

    I tried recently to change my banking password to something much longer, only to find there's a limit of just 14 characters. None of the several bank staff I asked about it could tell me why that is.

    • by Drethon (1445051)
      My bank tells you if you entered an invalid user name. Not particularly thrilled about that.
      • Re: (Score:2, Insightful)

        by tepples (727027)

        My bank tells you if you entered an invalid user name.

        Attempting to create a new account with that username, attempting to begin the password reset process, or attempting to send money to that user would disclose the same.

        • by reikae (80981)

          Password reset process maybe, but wouldn't creating an account (in the online banking sense, not a bank account) require a visit to the branch in person? That's what I remember doing quite a few years ago when I started doing banking online. Money transfers use IBANs or a similar system of account numbers, which are separate from login usernames.

          • Password reset process doesn't necessarily need it either. You can just tell the user '*if* you entered a valid username, we're sending you reset instructions', without revealing whether there was a match or not.

          • but wouldn't creating an account (in the online banking sense, not a bank account) require a visit to the branch in person?

            I opened accounts with Ally (a bank) and PayPal (not technically a bank but they act like one) while living in Fort Wayne, Indiana. Ally and PayPal have no branches there.

            Money transfers use IBANs or a similar system of account numbers, which are separate from login usernames.

            A PayPal user sends money to another PayPal username, which is an e-mail address. Chase is starting a similar system called Chase QuickPay.

            • by reikae (80981)

              I see. I wonder what benefits Chase sees in the system; it seems to me that security-wise there is a downside in using login usernames for payment addressing. I'm not familiar enough with US banking to figure out the upsides, but most probably the system will lower costs somehow.

    • by Scutter (18425)

      My bank just implemented a new password policy. "Between 6-10 characters, the first two should be 'XX' and the rest must be letters and numbers, with at least one of each type". I just finished sending them an e-mail in which I included a helpful link to some rainbow tables.

      • by mmell (832646)
        So you're actively trying to get yourself arrested?
      • My bank just implemented a new password policy. "Between 6-10 characters, the first two should be 'XX' and the rest must be letters and numbers, with at least one of each type". I just finished sending them an e-mail in which I included a helpful link to some rainbow tables.

        I believe you just won the Internet.

    • One of my bank sites doesn't allow special characters. Only letters & numbers.

    • by khasim (1285) <brandioch.conner@gmail.com> on Tuesday March 11, 2014 @03:57PM (#46457277)

      I tried recently to change my banking password to something much longer, only to find there's a limit of just 14 characters.

      That means that they're probably storing them in a database where the field is set to 14 characters. Possibly in plain text.

      If they were hashing them (with or without a salt) then they wouldn't care if your password was larger. As long as it still fit into the buffer they've assigned to it. Because the hash of a 1 character password should be the same length as the hash of a 256 character password.

      Be worried about that bank's security.

    • by sudon't (580652)

      How about that, so does my bank. I'm only allowed to use letters and numbers. I forget what the length limit is, but yeah, short for that kind of simple password. I have much better passwords for forums.

      allsorts asks, "Why?" The only thing I can come up with is they're too lazy to write the regex.

      I've been railing about this for years, but since we're on passwords: Password Manager. They've had a decent one in OS X (Keychain) since at least 2002, which is how far back my saved passwords go. Since I b

  • by TheSwift (2714953) on Tuesday March 11, 2014 @03:29PM (#46456997)
    This is getting effing ridiculous.

    https://www.youtube.com/watch?v=jQ7DBG3ISRY

  • by SGDarkKnight (253157) on Tuesday March 11, 2014 @03:33PM (#46457027)

    1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage! [Sandurz and Darth Helmet look at each other in horror]

  • I love how the submitter headed us off.
  • Sigh. My obvious password detector [animats.com], published in 1984:

    The algorithm used requires that the length of the password be within configurable length limits, and that the password not have triplet statistics similar to those associated with words in the English language. This is an inversion of a technique used to find spelling errors without a full dictionary. No word in the UNIX spelling dictionary will pass this algorithm.

    Users should be advised to pick a password composed of random letters and

    • by dkf (304284)

      My obvious password detector [animats.com], published in 1984

      I came across this password strength detector [dropboxusercontent.com] the other day. It really cheered me up, as it uses a scientifically-justifiable approach (information entropy FTW!) and it laughs in the face of a number of tricks that many people recommend despite them being actually weak (replacing "o" with "0" only really adds one bit of security, which is nearly nothing, whereas adding another word adds far more despite being easier to remember).

  • 1) A bunch of sites that insist on using a password when they don't really need one. Prime example: Amazon. They don't really need a password as long as they don't keep your credit card on file - which they certainly should NOT do. My neighborhood grocer does not ask to keep my credit card # on file no matter how 'convenient' (for whom???). If you want to discuss past trades use the last 4 digits of the credit card you used for those trades as an ID.

    2) A bunch of sites that have legitimate needs for

    • by mmell (832646)
      Amazon - sending you stuff in the mail. You claim you didn't order it? You don't have to pay for it. Amazon has to give you your money back if they can't prove their end of the transaction, so the credit card company gives you back your money and dukes it out with Amazon in court.

      Those other guys - somebody runs up to 'em with a subpoena and says "Who did what from where when?" It'd sure be nice if I could keep a straight face when I let them into my database - something about staying out of Club Fed .

    • But, if they're not keeping your credit card # they can't do the one-click order thing. I do get kinda annoyed having to type my credit card in every time, but I realise that it's nothing compared to the annoyance of having it stolen.

      Since the story already had the obligatory xkcd, here's an oatmeal which also describes it: http://theoatmeal.com/comics/s... [theoatmeal.com] . To paraphrase: if I want a shitty password and don't care if it gets stolen, why shouldn't I?

    • I think Amazon does give you the option of storing your credit card number. Some of their customers think this is a nice convenience, and are likely to take their money elsewhere if Amazon doesn't offer this "service" (or maybe it just makes impulse sales easier).

  • When you use the above merchants to pay, only the money is transferred and no re-usable billing information like credit card info is sent to the recipient of the funds. So when doing ecommerce you don't have to put your CC# everywhere on the internet then wonder why you've got credit card fraud.

    In some cases you can set up or are forced to automatic authorization from PayPal, but you can revoke that immediately. PayPal really is the safest way to pay. No comment on the rest of PayPal's operations though (di

  • I think the right strategy for websites which have to do user registration is to just provide the user with a random password of sufficient length as to be near impossible to type correctly, much less remember, and don't even provide the functionality for users to select their own. This almost insures that the password won't be used elsewhere, it enforces password quality, and it encourages the use of a good password manager.

    • The funny thing is, when I forget my password, some sites reset me to a pw like that - then make me change it to something memorable.

    • by jader3rd (2222716)

      encourages the use of a good password manager

      Lol!
      All that would really encourage is people not using the website. If the Kellogs.com customer loyalty reward website assigned me a ginormous password, using characters I don't think I could even find on my phone's keyboard, it would encourage me pretty quickly to not use Kellogs products and seek out the competitor's product (which would have a more reasonable password policy) when the difference was negligible to me.

    • by x0ra (1249540)
      Good password manager? I consult regular websites from 5 or 6 different machines (including laptop, desktop, tablet, phone, iPod, ...), all running different kinds of OS. There is NO password manager for this, which is typical nowadays.
  • I'm starting to have problems with differing rules at different sites.

    I.e. one REQUIRES a special character. Another disallows special characters.

    One has a maximum length of 8 (crazy short) while others have a minimum length of 8 characters.

    And all of them won't let you reuse a recent password so if you can't remember the password, then your new password can't follow your own password rule set.

    It's reached a point that now I have a sticky pad with coded passwords written down.

    Netflix has been a pain becaus

    • by Khashishi (775369)

      Differing rules is kind of a good thing, because then you can't reuse the same password on different sites.

      • I don't reuse the same password- but I can't even follow the same password generation rules/algorithm.

        Which means I must write down the passwords at this point since I have over two dozen passwords- some at sites I visit only once every six months.

        I will check out lastpass that the other poster recommended.

    • My problem is this: too many sites don't even publish their password policies, so I can't even begin to tell what is an acceptable password. I may go to the trouble to use mixed case, only to find out that their password is case-insensitive. Or they may accept a long password but silently truncate it. Or they may not accept special characters, but "tell" me only with an error message when I try one. Or sites that turn right around and *send* me my new password so I won't forget it (again, without tellin

  • In addition to just listing their password requirements, sites could provide a link or bubble help to a method of creating a "good" password. I like:

    1) Pick a short phrase (e.g., "See Spot run.") but that connects to the site to provide some mnemonic value (so "See Spot hurl." might be for your vet).
    2) Do some simple letter to number, symbol or punctuation substitutions (e.g., "S33 Sp0+ hurl.").
    3) If you wish, squish out the blanks between words (e.g., S33Sp0+hurl.).

    So we now have an easy to remember, ele

    • by dskoll (99328)

      Any password-generation algorithm that is not based on a cryptographically-secure random number generator reduces the search space and makes it easier to guess passwords.

      I do not believe in "easy to remember" passwords. I believe in strong passwords, which of necessity are hard to remember, so they have to be written down and stored safely, or stored in a password keeper protected by strong encryption and as long a passphrase as you can get away with.

    • by x0ra (1249540)
      All in all, these are all the worst hints ever:
      1) prone to typo error, especially as the password is generally hidden
      2) number & capitals are a pain on mobile devices
      3) ever harder to remember (ie. where the @!#$ did I put the capital)
      • So, suggest a better method. The requirements are:

        1) Easy to remember.
        2) Not based on a password already in rainbow tables (e.g., dictionary words with all permutations of upper and lower case; simple substitution of letters, numbers or punctuation for letters; etc.)
        3) Not easily guessed from social information.
        4) Typical strong password requirements like must contain both upper and lower case letters, numbers and punctuation (I go through this every 90 days where I work for each password system I have to d

      • So, suggest an alternative. The requirements are:

        1) Easy to remember.
        2) Not a word that is in a password compendium like rainbow tables so no dictionary words or simple upper/lower case permutations or simple substitutions of numbers and punctuation for letters.
        3) Meets recognized strong password criteria (mix of upper and lower case, numbers and punctuation and symbols) and at least 10 characters long.
        4) Not based on something easily obtained socially.

        and add your requirements/critique even though they co

    • and a silly suggestion.

      How many bits of entropy are you actually producing? If you don't know, go to the back of the class.

  • From the report [dashlane.com]:

    66% accept notoriously weak passwords such as "123456" or "password"

    How should a web site determine whether a given password is "notoriously weak"?

    66% make no attempt to block entry after 10 incorrect password entries

    Where does "10" come from, and how long should entry be blocked? We don't want customers to become ex-customers when they discover that they have to make international telephone calls at a dollar per minute or more to get their accounts unblocked.

    60% do not provide any advice

    • by cbhacking (979169)

      Detecting weak passwords is trivial. Here's how you do it: take a password database (there have been lots of leaked passwords from various insecure sites). Sort it by how common the password is, descending order. Require that the user's new password not be in the upper portion (upper thousand or so would probably be a good start) of the list. Update that list periodically, to account for the possibility of password shift.

      For bonus points, do the following:
      Hash every password in the list to make it marginall
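The deny-list check described in the comment above, as an added example (not code from any commenter or from Dashlane): rank a leaked dump by frequency, keep only the top N, store SHA-256 digests of them rather than the plaintexts, and rebuild the list when a newer dump arrives. The two dumps are constructed samples; function names are my own.

```python
"""Weak-password deny-list check: rank a leaked dump by frequency, keep the
top N, store only hashes of them, and reject any new password on the list."""
import hashlib
from collections import Counter
from typing import Iterable, Optional

# Constructed sample standing in for a leaked password dump (one password per
# line, duplicates preserved). Real dumps run to millions of lines.
SAMPLE_DUMP = """\
123456
password
123456
12345678
qwerty
123456
password
abc123
letmein
password1
123456
password
iloveyou
qwerty
Tr0ub4dor&3
correct horse battery staple
"""

# A later, constructed dump used to show the periodic refresh: "letmein" climbs
# into the top N and "qwerty" drops out.
LATER_DUMP = """\
letmein
letmein
letmein
letmein
letmein
"""


def _digest(password: str) -> bytes:
    # A fast unsalted hash is fine here: the list holds publicly known weak
    # passwords, so hashing only keeps plaintext junk out of our own store.
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_denylist(dumps: Iterable[str], top_n: int) -> set[bytes]:
    """Count every password across all dumps, keep the top_n most common
    (ties resolved by first appearance), and return their SHA-256 digests."""
    counts = Counter()
    for dump in dumps:
        counts.update(line for line in dump.splitlines() if line.strip())
    return {_digest(pw) for pw, _ in counts.most_common(top_n)}


def is_denied(candidate: str, denylist: set[bytes]) -> bool:
    """True if the candidate is one of the top-N leaked passwords."""
    return _digest(candidate) in denylist


def validate_new_password(candidate: str, denylist: set[bytes],
                          min_length: int = 8) -> Optional[str]:
    """Registration/password-change check. Returns None when the candidate
    is acceptable, otherwise a short reason to show the user."""
    if len(candidate) < min_length:
        return f"password must be at least {min_length} characters"
    if is_denied(candidate, denylist):
        return "password is too common; choose something else"
    return None


if __name__ == "__main__":
    denylist = build_denylist([SAMPLE_DUMP], top_n=3)
    for pw in ("123456", "qwerty", "correct horse battery staple"):
        print(f"{pw!r}: {validate_new_password(pw, denylist)}")
```

With a real dump, top_n would be in the thousands and the digests would live in a database table queried at registration time.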

  • Me: Additional Information: password "Must be between six and ten characters in length"
    Why does Tesco have such a silly limit???? Please consider increasing the max length of the password!

    I am sorry that you are unhappy with the length of password you can use to register on our website. I have now logged your comments on our Customer Feedback System under reference 13782619. This will ensure that it is fed back to the relevant team in our Head Office.

    That was back in 2012

    • In July 2012 I was searching for car insurance and found it hilarious that More-Than's (morethan.com) password policy at the time was:
      • Be between 8 and 14 characters
      • Not include more than 2 repeated characters in a row
      • Not include the word 'guest'
      • Not contain swear words

      Obviously they're storing the password, and at a guess, the reason for no-swear-words is that their call-centre staff confirm your identity with your password... or something? Whatever. But what's up with not including "guest" in there? It mus

  • We sell software that has an accompanying account for users to download data feeds and related updates. We do not let users pick their own passwords. We give the user a randomly-generated password that he/she has to use.

    There are two major benefits: If we get hacked and all the credentials are stolen, the passwords (with overwhelming probability) will not be usable on any other sites, so our users are safe. Conversely, if another web site used by our users is hacked, then (with overwhelming probabilit

    • by x0ra (1249540)
      I HATE this kind of company. It will, no matter what, ALWAYS end up the same: "I forgot my password, send me a new one". Heck.. I'm not even able to remember the password for my utility company, which I consult every 6 months...
  • Apple, among many, many other services, says that after a certain number of failed attempts, your account is locked and you have to reset your password to regain access.

    This seems stupid to me because if the password kept someone out after X failed attempts it must be strong enough. So why force a new one?

    Experiment: force enough password resets on a user's account until they've run out of strong passwords, then use "password" to get in. Profit!

    • by gatfirls (1315141)

      I don't think you have thought your plan all the way through.

    • by cbhacking (979169)

      Wow, you're trying (and I appreciate that) but you really need to think this through a lot harder!

      1) Password "guessing" isn't done by a human who will get bored. It's automated, and *extremely* fast. Let's say I can submit 10 password attempts per second (practically speaking, even a shitty home connection can probably manage closer to 50; a botnet could manage tens of thousands easily if the login server is up to it). Just because your password isn't in the 10 most commonly used ones doesn't mean it isn't

      • Thought it through just fine, thank you. My plan to take over the world was a jest. My complaint about requiring a password reset after X number of tries is 100% valid. Let's walk this through:

        1) Bot hits my account 10 times. Account is locked. Victory! Bot doesn't get in.

        2) Eventually, I request that the account get unlocked. Company has two choices:

        i. Unlock the account and let me go about my business, secure in the knowledge that I have a password that can't be guessed in 10 tries.
        ii. Force me to choose

  • Let's think about this again... if you think there ought to be a law, there probably oughtn't.
  • by neminem (561346)

    More sites should fail to protect me from using a "stupid" 30-letter-or-whatever-long passphrase just because its algorithm thinks that it's "weak" because it doesn't have 2 numbers and two special characters (but only choose from these 3 specific special characters, because we don't know how to protect against sql injection otherwise!) Let me pick my own frelling password.

    Ok, so it probably makes sense to specifically bar users from using completely butt-tarded passwords like "123" and "password", but only

  • ... job admission forms fail to protected candidates to burn themselves by bad grammar.

    (thanks god Slashdot fails too, as some of you can easily note by my already traditional bad grammar)

  • The bank I used to be with before I recently switched upgraded their security a few months ago. Prior to the upgrade, they actually limited passwords to 10 characters maximum. Thankfully, both this bank after the security upgrade and my current bank don't have any such maximums and I can use a longer password. (and no, the security stuff wasn't why I switched, I switched because I moved to a new area where my old bank didn't have any branches)

    Any web site that limits the maximum amount of characters in this

  • Actual security that will protect people from themselves, costs a lot more than compensating the 2% of that 66% who actually get hacked. Person gets hacked for his own stupidity, company may or may not need to compensate the victim. Let's say this amount comes to $100 per 1,000 users as a high estimate pulled out of my ass. Company B uses real security, that somehow completely eliminates fraud, blocks users out after 3 wrong passwords, and requires really complex passwords. Users keep forgetting their passwo
  • Personally, I love password rules.

    The more complex the rules, the smaller my brute force search space, since I can just not look for passwords which don't meet the rules.
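A worked calculation of the point made in the comment above, and of the earlier "how many bits of entropy are you actually producing?" question; this is an added example, not from any commenter. It counts, by inclusion-exclusion, how many uniformly random passwords of a given length satisfy the common "must contain upper, lower, digit and special" rule, and so how many bits of keyspace the rule removes. The four class sizes assume the 95 printable ASCII characters.

```python
"""Worked entropy calculation: how much of the random-password keyspace a
composition rule ("must contain upper, lower, digit and special") removes.
Inclusion-exclusion over the character classes counts the strings that hit
every class at least once."""
from itertools import combinations
from math import log2

# Printable ASCII split into the four classes most policies name (95 total).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def count_all_classes(length: int, classes: dict = CLASSES) -> int:
    """Strings of `length` over the full alphabet that contain at least one
    character from every class. Inclusion-exclusion: start from all strings,
    subtract those missing a class, add back those missing two, and so on."""
    names = list(classes)
    total = 0
    for k in range(len(names) + 1):
        for excluded in combinations(names, k):
            alphabet = sum(n for name, n in classes.items() if name not in excluded)
            total += (-1) ** k * alphabet ** length
    return total


def keyspace_bits(length: int, rule: bool) -> float:
    """Entropy in bits of a uniformly random password of this length, with or
    without the all-four-classes rule enforced."""
    alphabet = sum(CLASSES.values())
    count = count_all_classes(length) if rule else alphabet ** length
    return log2(count) if count > 0 else float("-inf")


def bits_removed_by_rule(length: int) -> float:
    """How many bits the rule costs a uniformly random password of this length.
    For human-chosen passwords the loss is larger, because people satisfy the
    rule with a predictable capital first letter and a trailing digit."""
    return keyspace_bits(length, rule=False) - keyspace_bits(length, rule=True)


if __name__ == "__main__":
    for n in (8, 10, 14):
        print(f"{n} chars: {keyspace_bits(n, False):.2f} bits unconstrained, "
              f"{keyspace_bits(n, True):.2f} bits with rule, "
              f"{bits_removed_by_rule(n):.2f} bits lost")
```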

  • There is nothing I hate more than websites that make me adhere to their arbitrary password security rules. The more hoops you make me jump through, the harder the password is to remember, and the dumber the password I pick (in the hopes of making it easier to remember).

    Please, leave me alone.

  • Blocking access after failed passwords just invites denial of service attacks. It seems like a bad idea for most situations.

  • Repeat after me.

    The problem IS NOT PASSWORDS. Fighting for "better passwords" is a never-ending, stupid, foolish waste of time.

    What is the point of a password? It is to prove who you are. Nothing more, nothing less. A password is not used as a key to look up information for a retailer, or blog, or anything else - that is keyed off your user name. All a password is is an identifier showing WHO YOU ARE.

    It is unrealistic to expect a human to remember dozens of complex passwords and change them monthly. It is

    • Because, of course, it is so much better to sell your users to some social network and let them control how you run your site or business?

      Webmasters do live in and manage their own universes, to the extent that they want to. What next, you're going to complain I have a door on my house or on my bathroom? Go away, you're creepy.

  • I went into my bank recently and got the hard sell about switching to internet banking.

    This is something I've resisted, but I was told it was "quite safe" and "millions of people do it".

    They had a so-called free cash-back offer on the debit card. I looked at the sign-up process and was told by the counter staff it needed a password of 6-8 characters - case insensitive and letters/numbers only.

    For some reason they were surprised when I informed them that this was an incredibly weak password scheme and that I w
