Top UK e-commerce sites fail to protect 'password' password-havers from selves

Top UK e-commerce sites are not doing enough to safeguard users from their own password-related foibles, according to a new study. A review of password security at the top 100 e-commerce sites found two in three (66 per cent) accept notoriously weak passwords such as “123456” or “password”, putting users in danger. The first …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

It's hardly the various sites fault.

Wonder what would happen if the morons/non techies (delete as applicable) can't use whichever password they have chosen for EVERYTHING on a site, will they persevere? No, they will go elsewhere.

If this happened to, for example, my mum she'd go elsewhere.

"I tried to sign up but just got errors/some message I didn't read in red letters so I signed up to $Competitor instead and they let me use "password1" just like facebook, my bank, amazon and tesco did"

If I was a techie working for (again for EG) tesco and I pointed out that we suspect fully 33% of our userbase uses "password" or a VERY close equivalent for their online account, what do you think my boss would recommend? Force the issue upon next logon? Spend months emailing people advising them to change their password? A pop-up saying passwords must now meet X, Y or Z standard?

They'd all be ignored. Totally. Try and force my mother to do this and they may as well send her a link advising her to shop online with Sainsbury instead, because that's what she'd do if she tried to sign up or log in and it wouldn't accept her "one password to rule them all" which is, incidentally, "password" and, in extreme circumstances, under much duress from her works IT dept "passw0rd1"

13
0
Silver badge

Security and ease of use are frequently polar opposites. Trying to persuade non-techie people that the good on-line practises of strong passwords, no password reuse, etc. are important is very hard.

I think the message is starting to get through to some people, but it'll be a never ending battle.

2
0
Silver badge

The only way to educate people like that is in the pocket. Don't reject the account, just pop up a message (and send an email) saying "Your password is insufficiently secure, we will apply a £200 excess to any fraudulent transactions made from your account". Just like insurance companies do, the higher the risk, the higher the excess. Then send them a reminder every month.

If they choose to ignore it, on their own head be it.

1
3
Silver badge

"I think the message is starting to get through to some people, but it'll be a never ending battle."

I think that for some people - probably a lot of people, sadly - the message will only get through when they've fallen victim to something as a result of weak security.

1
0
Silver badge
Unhappy

But...

then they'll blame "lax security at the website" instead of considering their own action (or lack of it).

I've seen this happen...

2
0
Silver badge

Re: But...

Sad, but true. :(

0
0
Silver badge

Re: But...

Simple, cheap partial solution

Instead of using the moniker 'password' we start using 'pass phrase'. In this modern day there is no reason to not accept mixed case, punctuation and spaces, but the concept of 'passWORD' excludes these in favour of something...well...word length and weak.

Also, the three tries at entering the passphrase then steadily extending the retry time will soon thwart bots.

0
0
Devil

security education

Ecommerce sites could do even more for security:

When someone creates an account on their site it should do some automated login attempts with the same password (Twitter, facebook, ...) and, if successful, automate a post to the dimwit's social network saying "I'm a security dimwit and my password is <qwerty>".

That'll teach'em.

6
1
Silver badge

Re: security education

I'm all for security education, but logging into people's other services (automatically or not) does sound a bit on the shady side of legal, although I do see the humour.

Seriously, it can't be that hard to teach someone who otherwise can write their own name, to use some kind of half acceptable password. I like Bruce Schneier's suggestion of writing it on a little piece of paper and putting it in your wallet - based on the fact that people are usually very good at keeping little pieces of paper in their wallet from getting lost or stolen.

5
0
Anonymous Coward

Re: security education

Cool idea, but likely illegal :-(

2
0
Anonymous Coward

Re: security education

"I like Bruce Schneier's suggestion of writing it on a little piece of paper and putting it in your wallet"

I once worked for a large multinational IT services company and saw advice from them suggesting a robust passphrase written on a post-it note and stored securely was preferable to a weak memorised one, on the basis that attacks were more likely to come over a network than from someone 'hacking' their drawers!

4
0
Silver badge

Re: security education

My password used to be "password", but after the security awareness campaigns I've changed it to "1StrongPassword".

2
0
Silver badge

Re: security education

" I like Bruce Schneier's suggestion of writing it on a little piece of paper and putting it in your wallet - based on the fact that people are usually very good at keeping little pieces of paper in their wallet from getting lost or stolen."

Well, until their wallet itself is lost or stolen, of course.

But seriously, I don't see how that can be considered a good idea in this day and age. The biggest problem is the limited amount of space on a little piece of paper kept in your wallet versus the number of passwords people are likely to have these days. If I did that, the result would be that I'd be scared to ever get my wallet out in public in case a ne'er-do-well sees it and thinks it's bulging because of all the money in it, rather than the ridiculous amount of pieces of paper with passwords on them, and mugs me at the first suitable opportunity.

Virtual pieces of paper in a virtual wallet, on the other hand, is another matter.

0
0
Silver badge

Re: security education

"The biggest problem is the limited amount of space on a little piece of paper kept in your wallet versus the number of passwords people are likely to have these days."

Then put down that felt pen and grab a pencil. Without half trying, I can put 12 very long passwords on one side of a 1.5"x2" post-it note. That's 24 all together, and I would likely squeeze a couple down the side if I felt I needed more. And then there's the part about losing your wallet. In well over half a century of using a wallet for serious stuff, I haven't lost it once. I don't think that is something most people need to worry about. Besides, a lost wallet is not likely to end up in the hands of someone who will see a piece of paper that isn't cash as having any interest. In fact I believe that most stolen wallets end up in the hands of street people, muggers, and generally computer uninterested people.

I wouldn't disagree that a virtual wallet is unsafe, but would argue that it is less safe than a piece of paper. That, because it is stored in a place where those who would be interested in it have potential remote access and will put a lot of effort into getting at. That cannot be said for a piece of paper in your wallet where one of the very few people who would attack you would have to do so in person at your current location.

0
0
Silver badge

Re: security education

"Then put down that felt pen and grab a pencil. Without half trying, I can put 12 very long passwords on one side of a 1.5"x2" post-it note. That's 24 all together, and I would likely squeeze a couple down the side if I felt I needed more."

That's still not a lot, though. Perhaps you should put down that pencil, and use something that uses an 8x8 grid of atoms for each character of the password. Then the post-it note might be sufficiently large.

And unreadable by the human eye.

As for the point about most stolen wallets ending up with muggers, etc - that's sort of a fair point, except that if it became standard advice to store passwords on a piece of paper in your wallet, and it became commonplace to do that as a result, while most wallets may end up in the hands of people uninterested in that piece of paper, you can bet your life they'll know people who will pay them enough for their next fix in return for such pieces of paper.

0
0
Roo
Silver badge

Adding a DoS vuln doesn't help anyone.

"Hackers often run malicious software that can run thousands of passwords during log-ins to breach accounts, a tactic that a simple policy of locking out individuals after a given number of failed password entries would thwart."

Locking accounts on failed password attempts is a trivially exploitable DoS vulnerability. For example: It is rare that I can access my original Hotmail account because it seems to be the favourite target of a bunch of funts who attempt (and fail to) brute force the password faster than I can reset it.

If they were smart funts they would be following up those attacks with some spear-phishing - with the bait being an offer to stop the account being locked repeatedly.

I'm sure folks have got better ideas, but as a starting point throttling the rate of login attempts can work very well - if it's implemented with a little care. ;)

1
0

The disadvantage of "locking out" users who enter many wrong passwords is that this can be used to deny them service.

2
1
Silver badge

Locking out does not "deny" service

There are many ways to do it, but locking someone out for 60 seconds is not a serious denial of service, and it makes it completely impractical to do a brute force attempt. Even locking them out for 10 seconds would do the trick. Give people three or five chances, then make them wait a minute.

4
0
Roo
Silver badge

Re: Locking out does not "deny" service

"There are many ways to do it, but locking someone out for 60 seconds is not a serious denial of service"

Sure, but the suggestion in the article didn't specify a limited duration for the account locking.

I think we are disagreeing over what words to use to describe the same thing...

Often when folks say an account is "locked" they mean that it is marked unavailable at OS level until some helpful admin turns up and "unlocks" the account (seems to be the default mode of operation in MS shops). Typically authentication will still happen, so an attacker can continue to consume resources via the authentication process too...

By throttling the logins you are making brute forcing harder but you are also mitigating the resource consumption of authentication. In addition the account is still available, which is useful in cases where a service is accessed by internal and external clients. An attack from outside can slow down the external login rate to a crawl - but folks using the service internally won't be affected.

3
0

Re: Locking out does not "deny" service

> locking someone out for 60 seconds is not a serious denial of service

But you can extend it indefinitely by repeating the attack. So the genuine user might get a 1-second window when they can log in each minute.

1
0
Bronze badge

Re: Locking out does not "deny" service

In the days of big iron, ICL's VME opsys had a simple and effective solution: simply have a two second delay before allowing the username/password combination to be retried the first time, and double the delay for each subsequent retry from the same device (multiple people could use the same username). True, back then it was a 'hard address' network, but using an IP addy would work as well. Of course there were various ways of locking a device after x number of failed attempts and allowing it access again after, say, 30 minutes from locking it.

1
0
Anonymous Coward

Re: Locking out does not "deny" service

I think you'll find the attempts may well be coming from a lot of different IP addresses.

0
0
Def
Bronze badge

Re: Locking out does not "deny" service

I think you'll find the attempts may well be coming from a lot of different IP addresses.

I'm guessing that was the point. If a user logging on from one device mistypes their password, they'll be locked out for a few seconds the first time around. If someone is systematically trying to hack their account from a different device, each failed attempted will be locked out *on that device* for subsequently longer and longer periods. Thus the buttery-fingered user isn't locked out due to some doer of evil trying to brute force their account every minute.

0
0
Anonymous Coward

Re: Locking out does not "deny" service

The point is the miscreant will be brute forcing logins from lots of different IP's. They'll be coming from botnets of thousands of PCs.

0
0
Silver badge

Re: Locking out does not "deny" service

I think you'll find the attempts may well be coming from a lot of different IP addresses.

I had one IP address in Hungary trying for weeks to SSH into my servers. Even with fail2ban set to ban for 6 hours, the machine kept on coming back....

0
0
Anonymous Coward

Re: Locking out does not "deny" service

I had persistent attempts to log in using SSH on my Linux mailhosts using generic accounts, which whilst always unsuccessful were annoying. In the end I came up with the solution of moving the SSHd listening port from 22 (to something like 2022), along with the firewall rules of course. Problem solved!

0
0
Bronze badge

Re: Locking out does not "deny" service

Well I doubt there are many if any home banking or web shopping users likely to be using lots of different IP addresses in the space of a short time, so that in itself could be used to filter malicious attacks?

0
0
Silver badge

Two factor authentication ...

Any system relying on a single password will have this vulnerability. My bank, and employer use (different) 2 factor systems, which is as secure as you can get, and still be practical.

There's a market opportunity for a universal 2-factor solution. Amazon ? Google ?

0
0
Bronze badge
FAIL

Speaking of website logins

Could someone please speak to the many website developers who consider accents in names illegal? I have a number of European friends with accents in their names who have to drop them when registering with websites. Even the local Electoral Roll office's online registration form took exception to "é". And before anyone gets all UKIP there are plenty of UK-born people who have accents in their name.

Big big FAILS when people are forced to change their legal and valid names.

0
0
Silver badge

Re: Speaking of website logins

"Big big FAILS when people are forced to change their legal and valid names."

Indeed. I encountered a very similar problem last year when I decided it was time to check my credit files. Of the 'big three' reference agencies, I was unable to do so with one of them (using their online system) because apparently my middle name - just an initial, M - is invalid.

It's valid enough for things like my driving licence and my passport... but not for that company.

1
0
FAIL

Re: Speaking of website logins

"Could someone please speak to the many website developers who consider accents in names illegal?"

In the US it is illegal as any non-standard name must belong to a Terrorist.

0
1
Silver badge

Re: Speaking of website logins

"Even the local Electoral Roll office's online registration form took exception to "é"."

Is this not because of simplified code page support? Until all the broken clients that don't support UTF all die we're going to still see a lot of ISO-8859-1 and Windows-1252 which are fine, but have differences that cause problems. In any case, it certainly is rude when one can't use one's real name. I find the same thing on some forums because I have a space between my first and last name - which incidentally is quite common as well.

0
0
FAIL

Site fails

What annoys me the most is when a site won't let me use a more secure password.

In particular, a certain bank which will only accept alphanumeric characters in your password!

1
0
Silver badge

Re: Site fails

In particular, a certain bank which will only accept alphanumeric characters in your password

I found the Inland Revenue site a right PITA. It said my password didn't match their security requirements. After trying various permutations, I worked out that my password was too secure for their system and I had to use a weaker one.

0
0
Bronze badge

Perhaps if they just let you buy something and leave like most honest establishments

Without forcing you to sign up for an account and then be tricked into accepting a bombardment of marketing emails every hour then we'd all be a lot happier.

3
0
FAIL

StrawBadgersElephanttrunxStiltskinPotatoes

Damn, I just gave away my internet banking password

0
0
Bronze badge
Coffee/keyboard

Brute Force

Must be me but after 3 attempts I just reset my password as I obviously can't remember it.

0
0
Anonymous Coward

I use the password 'password'

Quite a lot actually, but never on sites that I put my CC details in to. Those get 'passw0rd', or if I'm feeling extra paranoid, 'p4ssw0rd'.

My root password is 'god'. Hi JLM!

0
0
Anonymous Coward

limiting passwords

I really get annoyed when the sites limit the password complexity. Verified by Visa is the worst - must be between 6 and 8 chars and have at least 1 uppercase and a letter. Why can't they just say "strong password" done. Any length any special characters (injection characters not obviously)...

0
0
Bronze badge

Re: limiting passwords

Verified by visa wasn't implemented to increase your security.

(If I kept going, the rest of this post would be functionally equivalent to booing in the direction of the Visa headquarters)

3
0

Lockouts?

Account lockouts are a bad thing, if you implement them then you open yourself up to malicious parties who will intentionally try to get all your users locked out - causing an absolute nightmare for support.

And account lockouts will be ineffective at stopping account compromises... As pointed out, lots of users have very common passwords like "password", so rather than try thousands of passwords against 1 account a hacker is going to try "password" against thousands of accounts and in doing so won't trigger any account lockouts because he only makes 1 attempt per account.

0
0

correct horse battery staple

2
0
Anonymous Coward

Clueless

My passwords are so complex I can't remember them.

I just use KeePass to login for me

(although I must admit it is a pain in the arse when trying to login with my phone as I have to type it manually)

0
0
Anonymous Coward

Re: Clueless

Get the KeePass app then.

1
0
Anonymous Coward

Passwords ... pffft

Next account passwords can be reset online using only a customer number and a date of birth.

0
0
Bronze badge

Re: Passwords ... pffft

Lucky you can change your date of birth then if it's ever compromised.

I did have an idea a few years ago, of generating a fake 'profile' for myself (invented date and place of birth, mother's maiden name, dog's name, etc), which I could then use when creating online accounts. That way it would be harder for someone else to socially engineer these from others, and I could always change them if they got compromised. Of course for some official sites things like DoB would need to be genuine, but for others probably not. Never got around to putting it in to practice though.

1
0
JQW

Ah!

Back in late 1999 I did some work at the head office of a major high street name who were in the process of setting up their own E-commerce site.

The password for the main NT domain was just 'password'. To make things worse, there were posters everywhere highlighting their commitment to security.

0
0
Anonymous Coward

-Top UK e-commerce sites are not doing enough to safeguard users from their own password-related foibles, according to a new study.

And why should they?

Callous? Maybe. But I prefer to call it tough love. Or Darwin in action.

0
0
Anonymous Coward

NS&I is the worst

NS&I, the people we buy the premium bonds from, is probably the worst. Their system will only allow you to create a password of between 6 and 8 characters in length. They seem to think that the systems people have, have not progressed in the past 15 years.

0
0
Bronze badge

Password displayed in plain text?

It's not clear how that was scored... It used to be thought that it was important to hide the password. 5 or 10 years ago, it was suggested (and I agreed) that the user should be able to see the password entered, unless "hide" was deliberately selected.

On the other hand, it's clear that some banks demand a short alpha-numeric password just so that they can email your password back to you, using a 7-bit compatible mail message, to make sure you know it (which they wouldn't have to do if they displayed the text at entry). I

0
0