Top UK e-commerce sites fail to protect 'password' password-havers from selves

Top UK e-commerce sites are not doing enough to safeguard users from their own password-related foibles, according to a new study. A review of password security at the top 100 e-commerce sites found two in three (66 per cent) accept notoriously weak passwords such as “123456” or “password”, putting users in danger. The first …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    It's hardly the various sites fault.

    Wonder what would happen if the morons/non techies (delete as applicable) can't use whichever password they have chosen for EVERYTHING on a site they will persevere? No, they will go elsewhere.

    If this happened to, for example, my mum she'd go elsewhere.

    "I tried to sign up but just got errors/some message I didn't read in red letters so I signed up to $Competitor instead and they let me use "password1" just like facebook, my bank, amazon and tesco did"

    If I was a techie working for (again for EG) tesco and I pointed out that we suspect fully 33% of our userbase uses "password" or VERY close equivalent for their online account what do you think my boss would recommend? Force the issue upon next logon? Spend months emailing people advising them to change their password? A pop-up saying passwords must now meet X,y or Z standard?

    They'd all be ignored. Totally. Try and force my mother to do this and they may as well send her a link advising her to shop online with Sainsbury instead, because that's what she'd do if she tried to sign up or log in and it wouldn't accept her "one password to rule them all" which is, incidentally, "password" and, in extreme circumstances, under much duress from her works IT dept "passw0rd1"

    1. A Non e-mouse Silver badge

      Security and ease of use are frequently polar opposites. Trying to persuade non-techie people that the good on-line practices of strong passwords, no password reuse, etc. are important is very hard.

      I think the message is starting to get through to some people, but it'll be a never ending battle.

      1. VinceH

        "I think the message is starting to get through to some people, but it'll be a never ending battle."

        I think that for some people - probably a lot of people, sadly - the message will only get through when they've fallen victim to something as a result of weak security.

        1. Ted Treen
          Unhappy

          But...

          then they'll blame "lax security at the website" instead of considering their own action (or lack of it).

          I've seen this happen...

          1. VinceH

            Re: But...

            Sad, but true. :(

            1. Cliff

              Re: But...

              Simple, cheap partial solution

              Instead of using the moniker 'password' we start using 'pass phrase'. In this modern day there is no reason to not accept mixed case, punctuation and spaces, but the concept of 'passWORD' excludes these in favour of something...well...word length and weak.

              Also, the three tries at entering the passphrase then steadily extending the retry time will soon thwart bots.

    2. Phil O'Sophical Silver badge

      The only way to educate people like that is in the pocket. Don't reject the account, just popup a message (and send an email) saying "Your password is insufficiently secure, we will apply a £200 excess to any fraudulent transactions made from your account". Just like insurance companies do, the higher the risk, the higher the excess. Then send them a reminder every month.

      If they choose to ignore it, on their own head be it.

  2. Sebastian Brosig
    Devil

    security education

    Ecommerce sites could do even more for security:

    When someone creates an account on their site it should do some automated login attempts with the same password (Twitter, facebook, ...) and, if successful, automate a post to the dimwit's social network saying "I'm a security dimwit and my password is <qwerty>".

    That'll teach'em.

    1. Ole Juul

      Re: security education

      I'm all for security education, but logging into people's other services (automatically or not) does sound a bit on the shady side of legal, although I do see the humour.

      Seriously, it can't be that hard to teach someone who otherwise can write their own name, to use some kind of half acceptable password. I like Bruce Schneier's suggestion of writing it on a little piece of paper and putting it in your wallet - based on the fact that people are usually very good at keeping little pieces of paper in their wallet from getting lost or stolen.

      1. Anonymous Coward

        Re: security education

        "I like Bruce Schneier's suggestion of writing it on a little piece of paper and putting it in your wallet"

        I once worked for a large multinational IT services company and saw advice from them suggesting a robust passphrase written on a post-it note and stored securely was preferable to a weak memorised one, on the basis that attacks were more likely to come over a network than from someone 'hacking' their drawers!

        1. frank ly

          Re: security education

          My password used to be "password", but after the security awareness campaigns I've changed it to "1StrongPassword".

      2. VinceH

        Re: security education

        " I like Bruce Schneier's suggestion of writing it on a little piece of paper and putting it in your wallet - based on the fact that people are usually very good at keeping little pieces of paper in their wallet from getting lost or stolen."

        Well, until their wallet itself is lost or stolen, of course.

        But seriously, I don't see how that can be considered a good idea in this day and age. The biggest problem is the limited amount of space on a little piece of paper kept in your wallet versus the number of passwords people are likely to have these days. If I did that, the result would be that I'd be scared to ever get my wallet out in public in case a ne'er-do-well sees it and thinks it's bulging because of all the money in it, rather than the ridiculous amount of pieces of paper with passwords on them, and mugs me at the first suitable opportunity.

        Virtual pieces of paper in a virtual wallet, on the other hand, is another matter.

        1. Ole Juul

          Re: security education

          "The biggest problem is the limited amount of space on a little piece of paper kept in your wallet versus the number of passwords people are likely to have these days."

          Then put down that felt pen and grab a pencil. Without half trying, I can put 12 very long passwords on one side of a 1.5"x2" post-it note. That's 24 all together, and I would likely squeeze a couple down the side if I felt I needed more. And then there's the part about losing your wallet. In well over half a century of using a wallet for serious stuff, I haven't lost it once. I don't think that is something most people need to worry about. Besides, a lost wallet is not likely to end up in the hands of someone who will see a piece of paper that isn't cash as having any interest. In fact I believe that most stolen wallets end up in the hands of street people, muggers, and generally computer uninterested people.

          I wouldn't disagree that a virtual wallet is unsafe, but would argue that it is less safe than a piece of paper. That, because it is stored in a place where those who would be interested in it have potential remote access and will put a lot of effort into getting at. That cannot be said for a piece of paper in your wallet where one of the very few people who would attack you would have to do so in person at your current location.

          1. VinceH

            Re: security education

            "Then put down that felt pen and grab a pencil. Without half trying, I can put 12 very long passwords on one side of a 1.5"x2" post-it note. That's 24 all together, and I would likely squeeze a couple down the side if I felt I needed more."

            That's still not a lot, though. Perhaps you should put down that pencil, and use something that uses an 8x8 grid of atoms for each character of the password. Then the post-it note might be sufficiently large.

            And unreadable by the human eye.

            As for the point about most stolen wallets ending up with muggers, etc - that's sort of a fair point, except that if it became standard advice to store passwords on a piece of paper in your wallet, and it became commonplace to do that as a result, while most wallets may end up in the hands of people uninterested in that piece of paper, you can bet your life they'll know people who will pay them enough for their next fix in return for such pieces of paper.

    2. Anonymous Coward

      Re: security education

      Cool idea, but likely illegal :-(

  3. Roo

    Adding a DoS vuln doesn't help anyone.

    "Hackers often run malicious software that can run thousands of passwords during log-ins to breach accounts, a tactic that a simple policy of locking out individuals after a given number of failed password entries would thwart."

    Locking accounts on failed password attempts is a trivially exploitable DoS vulnerability. For example: It is rare that I can access my original Hotmail account because it seems to be the favourite target of a bunch of funts who attempt (and fail to) brute force the password faster than I can reset it.

    If they were smart funts they would be following up those attacks with some spear-phishing - with the bait being an offer to stop the account being locked repeatedly.

    I'm sure folks have got better ideas, but as a starting point throttling the rate of login attempts can work very well - if it's implemented with a little care. ;)

  4. Phil Endecott

    The disadvantage of "locking out" users who enter many wrong passwords is that this can be used to deny them service.

    1. Ole Juul

      Locking out does not "deny" service

      There are many ways to do it, but locking someone out for 60 seconds is not a serious denial of service, and it makes it completely impractical to do a brute force attempt. Even locking them out for 10 seconds would do the trick. Give people three or five chances, then make them wait a minute.

      1. Roo

        Re: Locking out does not "deny" service

        "There are many ways to do it, but locking someone out for 60 seconds is not a serious denial of service"

        Sure, but the suggestion in the article didn't specify a limited duration for the account locking.

        I think we are disagreeing over what words to use to describe the same thing...

        Often when folks say an account is "locked" they mean that it is marked unavailable at OS level until some helpful admin turns up and "unlocks" the account (seems to be the default mode of operation in MS shops). Typically authentication will still happen, so an attacker can continue to consume resources via the authentication process too...

        By throttling the logins you are making brute forcing harder but you are also mitigating the resource consumption of authentication. In addition the account is still available, which is useful in cases where a service is accessed by internal and external clients. An attack from outside can slow down the external login rate to a crawl - but folks using the service internally won't be affected.

      2. Phil Endecott

        Re: Locking out does not "deny" service

        > locking someone out for 60 seconds is not a serious denial of service

        But you can extend it indefinitely by repeating the attack. So the genuine user might get a 1-second window when they can log in each minute.

      3. Scroticus Canis

        Re: Locking out does not "deny" service

        In the days of big iron ICL's VME opsys had a simple and effective solution: simply have a two second delay before allowing the username/password combination to be retried the first time and doubling the delay for each subsequent retry from the same device (multiple people could use the same username). True, back then it was a 'hard address' network but using an IP addy would work as well. Of course there were various ways of locking a device after x number of failed attempts and allowing it access again after say 30 minutes from locking it.

        1. Anonymous Coward

          Re: Locking out does not "deny" service

          I think you'll find the attempts may well be coming from a lot of different IP addresses.

          1. This post has been deleted by its author

            1. Anonymous Coward

              Re: Locking out does not "deny" service

              The point is the miscreant will be brute forcing logins from lots of different IPs. They'll be coming from botnets of thousands of PCs.

              1. NogginTheNog

                Re: Locking out does not "deny" service

                Well I doubt there are many if any home banking or web shopping users likely to be using lots of different IP addresses in the space of a short time, so that in itself could be used to filter malicious attacks?

          2. A Non e-mouse Silver badge

            Re: Locking out does not "deny" service

            I think you'll find the attempts may well be coming from a lot of different IP addresses.

            I had one IP address in Hungary trying for weeks to SSH into my servers. Even with fail2ban set to ban for 6 hours, the machine kept on coming back....

            1. Anonymous Coward

              Re: Locking out does not "deny" service

              I had persistent attempts to log in using SSH on my Linux mailhosts using generic accounts, which whilst always unsuccessful were annoying. In the end I came up with the solution of moving the SSHd listening port from 22 (to something like 2022), along with the firewall rules of course. Problem solved!
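The two policies argued over in this sub-thread, as an added simulation that is none of the commenters' code: Scroticus Canis's doubling per-device delay keyed by source address, beside a three-strikes, one-minute lockout keyed by account (Ole Juul's suggestion), replayed against a constructed attempt stream (documentation-range addresses, one test account) to show why Phil Endecott's objection applies to the second but not the first.

```python
from dataclasses import dataclass, field

# Constructed sample data: documentation-range addresses and one test account.
ATTACKER_IP, USER_IP = "203.0.113.9", "198.51.100.7"
CREDS = {"alice": "correct horse battery staple"}


@dataclass
class RetryPolicy:
    """After `free` failures, wait `base` seconds, multiplied by `growth` on
    each further failure and never longer than `cap`; success clears it."""
    free: int = 1
    base: float = 2.0
    growth: float = 2.0
    cap: float = 1800.0
    state: dict = field(default_factory=dict)  # key -> (not_before, failures)

    def allowed(self, key, now):
        return now >= self.state.get(key, (0.0, 0))[0]

    def failed(self, key, now):
        n = self.state.get(key, (0.0, 0))[1] + 1
        delay = 0.0 if n < self.free else min(
            self.base * self.growth ** (n - self.free), self.cap)
        self.state[key] = (now + delay, n)
        return delay

    def succeeded(self, key):
        self.state.pop(key, None)


def vme_style():        # 2 s, then 4, 8, 16 ... per device, capped at 30 minutes
    return RetryPolicy(free=1, base=2.0, growth=2.0, cap=1800.0)

def account_lockout():  # three chances, then the account waits a full minute
    return RetryPolicy(free=3, base=60.0, growth=1.0)


def build_attempts():
    """Attacker guesses once a second for five minutes; the real user sends the
    right password at t=30.5, 90.5 and 150.5 from her own address."""
    attempts = [(float(t), ATTACKER_IP, "alice", f"guess{t}") for t in range(300)]
    attempts += [(t + 0.5, USER_IP, "alice", CREDS["alice"]) for t in (30, 90, 150)]
    return sorted(attempts)


def simulate(policy, key_of, attempts=None):
    """Replay attempts through a policy. Returns (number of attacker guesses
    that reached the password check, outcomes seen by the real user)."""
    attacker_guesses, user_outcomes = 0, []
    for now, ip, user, password in attempts or build_attempts():
        key = key_of(ip, user)
        if not policy.allowed(key, now):
            outcome = "refused"      # turned away before the password is checked
        elif CREDS.get(user) == password:
            policy.succeeded(key)
            outcome = "ok"
        else:
            policy.failed(key, now)
            outcome = "wrong"
        if ip == ATTACKER_IP and outcome == "wrong":
            attacker_guesses += 1
        if ip == USER_IP:
            user_outcomes.append(outcome)
    return attacker_guesses, user_outcomes


if __name__ == "__main__":
    print("per-source backoff :", simulate(vme_style(), lambda ip, user: ip))
    print("per-account lockout:", simulate(account_lockout(), lambda ip, user: user))
```

Keyed by account, an attacker failing once a second re-locks the account every time the minute expires and the real user is refused on all three visits, which is the indefinite extension Phil Endecott describes; keyed by source, she logs in every time while the attacker gets only eight guesses checked in five minutes. A distributed attacker can still spread guesses over many sources, as the later posts note, so per-source backoff is a floor rather than a complete answer.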

  5. JimmyPage Silver badge

    Two factor authentication ...

    Any system relying on a single password will have this vulnerability. My bank and employer use (different) 2 factor systems, which is as secure as you can get, and still be practical.

    There's a market opportunity for a universal 2-factor solution. Amazon ? Google ?

  6. NogginTheNog
    FAIL

    Speaking of website logins

    Could someone please speak to the many website developers who consider accents in names illegal? I have a number of European friends with accents in their names who have to drop them when registering with websites. Even the local Electoral Roll office's online registration form took exception to "é". And before anyone gets all UKIP there are plenty of UK-born people who have accents in their name.

    Big big FAILS when people are forced to change their legal and valid names.

    1. VinceH

      Re: Speaking of website logins

      "Big big FAILS when people are forced to change their legal and valid names."

      Indeed. I encountered a very similar problem last year when I decided it was time to check my credit files. Of the 'big three' reference agencies, I was unable to do so with one of them (using their online system) because apparently my middle name - just an initial, M - is invalid.

      It's valid enough for things like my driving licence and my passport... but not for that company.

    2. Euripides Pants
      FAIL

      Re: Speaking of website logins

      "Could someone please speak to the many website developers who consider accents in names illegal?"

      In the US it is illegal as any non-standard name must belong to a Terrorist.

    3. Ole Juul

      Re: Speaking of website logins

      "Even the local Electoral Roll office's online registration form took exception to "é"."

      Is this not because of simplified code page support? Until all the broken clients that don't support UTF all die we're going to still see a lot of ISO-8859-1 and Windows-1252 which are fine, but have differences that cause problems. In any case, it certainly is rude when one can't use one's real name. I find the same thing on some forums because I have a space between my first and last name - which incidentally is quite common as well.

  7. Santa from Exeter
    FAIL

    Site fails

    What annoys me the most is when a site won't let me use a more secure password.

    In particular, a certain bank which will only accept alphanumeric characters in your password!

    1. A Non e-mouse Silver badge

      Re: Site fails

      In particular, a certain bank which will only accept alphanumeric characters in your password

      I found the Inland Revenue site a right PITA. It said my password didn't match their security requirements. After trying various permutations, I worked out that my password was too secure for their system and I had to use a weaker one.

  8. Anonymous Coward

    Perhaps if they just let you buy something and leave like most honest establishments

    Without forcing you to sign up for an account and then be tricked into accepting a bombardment of marketing emails every hour then we'd all be a lot happier.

  9. Pete the not so great
    FAIL

    StrawBadgersElephanttrunxStiltskinPotatoes

    Damn, I just gave away my internet banking password

  10. Captain Scarlet Silver badge
    Coffee/keyboard

    Brute Force

    Must be me but after 3 attempts I just reset my password as I obviously can't remember it.

  11. Anonymous Coward

    I use the password 'password'

    Quite a lot actually, but never on sites that I put my CC details in to. Those get 'passw0rd', or if I'm feeling extra paranoid, 'p4ssw0rd'.

    My root password is 'god'. Hi JLM!

  12. Anonymous Coward

    limiting passwords

    I really get annoyed when the sites limit the password complexity. Verified by Visa is the worst - must be between 6 and 8 chars and have at least 1 uppercase and a letter. Why can't they just say "strong password" done. Any length any special characters (injection characters not obviously)...

    1. teebie

      Re: limiting passwords

      Verified by Visa wasn't implemented to increase your security.

      (If I kept going, the rest of this post would be functionally equivalent to booing in the direction of the Visa headquarters)

  13. Joe Montana

    Lockouts?

    Account lockouts are a bad thing, if you implement them then you open yourself up to malicious parties who will intentionally try to get all your users locked out - causing an absolute nightmare for support.

    And account lockouts will be ineffective at stopping account compromises... As pointed out, lots of users have very common passwords like "password", so rather than try thousands of passwords against 1 account a hacker is going to try "password" against thousands of accounts and in doing so won't trigger any account lockouts because he only makes 1 attempt per account.
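Detection logic for the one-guess-per-account pattern Joe Montana describes, added here and not part of any post; the log format, timestamps and addresses are constructed. It counts, per source, how many distinct accounts received failures inside a ten-minute window, which fires on the spray while a per-account failure counter never gets past one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): one source tries a single guess
# against six different accounts, while grace mistypes once from her own address.
LOG = """\
2013-11-05T10:00:01Z auth=fail user=alice src=203.0.113.9
2013-11-05T10:00:02Z auth=fail user=bob src=203.0.113.9
2013-11-05T10:00:03Z auth=fail user=carol src=203.0.113.9
2013-11-05T10:00:04Z auth=fail user=dave src=203.0.113.9
2013-11-05T10:00:05Z auth=fail user=erin src=203.0.113.9
2013-11-05T10:00:06Z auth=fail user=frank src=203.0.113.9
2013-11-05T10:00:30Z auth=fail user=grace src=198.51.100.7
2013-11-05T10:00:41Z auth=ok user=grace src=198.51.100.7
"""
LINE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log):
    """Return (timestamp, result, user, source) tuples from the log text."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def per_account_failures(events):
    """What a per-account lockout counter sees: failures keyed by account."""
    counts = defaultdict(int)
    for _, result, user, _ in events:
        if result == "fail":
            counts[user] += 1
    return dict(counts)


def spraying_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources whose failures touched at least min_accounts distinct accounts
    inside any window-long span; returns {source: distinct accounts}."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "fail":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        widest = max(len({u for ts, u in fails[i:] if ts - start <= window})
                     for i, (start, _) in enumerate(fails))
        if widest >= min_accounts:
            flagged[src] = widest
    return flagged


if __name__ == "__main__":
    events = parse(LOG)
    print("per-account failures:", per_account_failures(events))  # none reach 3
    print("spraying sources    :", spraying_sources(events))
```

A botnet dilutes the per-source count the same way the spray dilutes the per-account one, so the distinct-accounts-failed measure is also worth tracking globally per window, where a spray still stands out against the normal background of mistyped passwords.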

  14. Lockwood

    correct horse battery staple

  15. Anonymous Coward

    Clueless

    My passwords are so complex I can't remember them.

    I just use KeePass to login for me

    (although I must admit it is a pain in the arse when trying to login with my phone as I have to type it manually)

    1. Anonymous Coward

      Re: Clueless

      Get the KeePass app then.

  16. Anonymous Coward

    Passwords ... pffft

    Next account passwords can be reset online using only a customer number and a date of birth.

    1. NogginTheNog

      Re: Passwords ... pffft

      Lucky you can change your date of birth then if it's ever compromised.

      I did have an idea a few years ago, of generating a fake 'profile' for myself (invented date and place of birth, mother's maiden name, dog's name, etc), which I could then use when creating online accounts. That way it would be harder for someone else to socially engineer these from others, and I could always change them if they got compromised. Of course for some official sites things like DoB would need to be genuine, but for others probably not. Never got around to putting it into practice though.

  17. JQW

    Ah!

    Back in late 1999 I did some work at the head office of a major high street name who were in the process of setting up their own E-commerce site.

    The password for the main NT domain was just 'password'. To make things worse, there were posters everywhere highlighting their commitment to security.

  18. Anonymous Coward

    -Top UK e-commerce sites are not doing enough to safeguard users from their own password-related foibles, according to a new study.

    And why should they?

    Callous? Maybe. But I prefer to call it tough love. Or Darwin in action.

  19. Anonymous Coward

    NS&I is the worst

    NS&I, the people we buy the premium bonds from, is probably the worst. Their system will only allow you to create a password of between 6 and 8 characters in length. They seem to think that the systems people have, have not progressed in the past 15 years.

  20. david 12 Silver badge

    Password displayed in plain text?

    It's not clear how that was scored... It used to be thought that it was important to hide the password. 5 or 10 years ago, it was suggested (and I agreed) that the user should be able to see the password entered, unless "hide" was deliberately selected.

    On the other hand, it's clear that some banks demand a short alpha-numeric password just so that they can email your password back to you, using a 7-bit compatible mail message, to make sure you know it (which they wouldn't have to do if they displayed the text at entry). I

  21. Zmodem

    not blocking failed attempts isn't a massive cry, anyone with a brute force app will just change proxy from a free proxy list of 1000s of 0day proxies and open proxies

    botnets can be 1000s of shadow proxies acting like a trojan, etc

  22. Anonymous Coward

    Don't you remember a bank case...?

    The client used a password at his bank similar to "This bank's employees are a bunch of *kers" or something to that effect. He forgot his password, and the personnel changed his password to "we are not *kers". Remember, banking security. Even Windows admins' passwords do better.

    A friend of mine uses something similar to "2000 ARS*** run this company!!!", and when asked to change, "2001 ARSE..." you get the picture.

    It is ungodly long, easy to remember, hard to crack, has capitals, numbers and extended characters.

  23. Number6

    Times have changed. I remember cursing my bank because it wouldn't let me use a password containing digits and insisted on A-Z only. Now I curse the sites that insist on adding punctuation to my alphanumeric passwords. Once upon a time passwords were limited to 8 or 16 characters, depending on the system, too.

    At a former employer, I once logged into the system and was informed that it was time to change my password Right Now. It would reject dictionary words, but it was clearly using a very polite directory because it accepted 'bollocks' as a password.

    I would also refer people to https://xkcd.com/936/ for comments on password security.
