Many UK ecommerce sites allow ‘password’ for logins – report

Many of the UK’s most popular ecommerce sites have unsafe password practices, according to a new study, with four in five not requiring the use of a capital letter and a number/symbol. Also, 16 per cent of sites accept the ten most common passwords, including “password”, according to security management outfit Dashlane. This …

  1. A K Stiles
    Coat

    Obligatory

    CorrectHorseBatteryStaple.

    Mine's the one with the advance copy of "Thing Explainer" in the pocket.

    1. This post has been deleted by its author

      1. TechnicalBen Silver badge
        Trollface

        Re: Obligatory aka incorrecthorsebatterystaple

        Ok. So how do I use such a password manager on an iPad? More importantly, how do I get the user to remember it? Remember, iTunes requires a capital letter and a number.

        So a lot of passwords become their name and date of birth.

        I try to keep to 1 or two types of password. A lot of companies require slightly different requirements (one must be over 8 digits, one must be under), which gives me loads of variations and defeats the purpose.

        I'm not sure I trust a password manager, though it would be really helpful. Is it cross compatible?

        Finally, after all that I tend to just give up and click the "recover password" whenever I actually need to enter a password again. ;)

        1. This post has been deleted by its author

          1. John Tserkezis

            Re: Obligatory aka incorrecthorsebatterystaple

            "@Ben. You google for ipad password manager ?"

            They've obviously never heard of google. It's not an Apple product.

      2. NotBob
        Thumb Down

        Re: Obligatory aka incorrecthorsebatterystaple

        I may not trust my mind that much (getting old and all), but I trust myself more than my computer or a password manager on it...

        1. John Tserkezis

          Re: Obligatory aka incorrecthorsebatterystaple

          "but I trust myself more than my computer"

          That's only because you understand your head better than you understand your computer. There's nothing wrong with that, we all can't be experts in any given field.

          I on the other hand trust my computer, because I read about the individual products, understand the larger base and what the ramifications are for security.

          My head, on the other hand, is a complete mystery.

      3. brotherelf
        Trollface

        Re: Obligatory aka incorrecthorsebatterystaple

        I have to say I stopped taking that article seriously at what could be rephrased as "we should stop using entropy and instead check how common the password is".

        That being said, cross-platform cloud-safe password managers come in stacks of 50 for a quid, in your choice of yellow or pink.

      4. John Tserkezis

        Re: Obligatory aka incorrecthorsebatterystaple

        "The fact is that the number of passwords you should memorize is pretty small"

        I'm not sure why you have so many downvotes, I agree with you. In fact, I think I only have two, maybe three passwords kept in mind; all the others are created with PWGen, with whatever length or character combinations I can get away with.

        What it might be, is people balk at referencing a password archive each and every time you want to use it - or worse still, recycle passwords.

        One thing they forget, this isn't 1986 anymore. Today, no-one, including the websites that are supposed to protect your data, gives a flying crap about you. If it's possible, less so the ones that actively try to crack it all.

        I'm still stunned at the reaction when I say my banking PIN number is 12 digits that's changed on a regular basis, and not the same static 4 digits they set up the account with 15 years ago. It's apparently more important they get money out of the wall, than the minor risk that someone else does it for them.

    2. cbars

      Re: Obligatory

      I think we (in IT) are pushing the wrong solution. I've opted for a completely predictable (but relatively hard to guess) password pattern (which does change, but only slightly), but change my email address for every site - then forward them all to my 'real' email address. You rarely need to know the login, and can look it up - or store it in your browser cache with impunity.

      That way, one site getting popped means sweet FA (depending on the site). No automated script is going to guess which random(ish) email you used for the other sites you use.

      As long as the websites use rate limiting, you're pretty much good for most situations.

      TLA's? That's another game.

      1. Anonymous Coward
        Anonymous Coward

        Re: Obligatory

        The correct solution is single sign on with no passwords necessary at all to connect to individual resources/sites. It's technically possible, safe and easy to implement.

        Problem is it takes someone with authority to set a standard. That's not happening by itself on the net since it became commercialised, and gov is completely incompetent when it comes to anything technical.

        Like many things, we should be just getting on with stuff like IPv6 or HTTPS/2 but there is no one to push it through.

  2. CanadianMacFan

    Not allowing special characters

    I hate the sites that don't allow you to put in special characters (*$#><) in your password. Especially the ones that don't tell you until after you have submitted the form and come back with an error. Is it really that hard to tell the user what you expect the password to contain?

    I've got a password manager on my phone (that doesn't sync to the Internet) and use it to create long, unique passwords for every site I have an account on. Why can't you support something other than a _ or a - in your password?

    1. Anonymous Coward
      Stop

      Re: Not allowing special characters

      I hate ones that insist on one... and even worse ones that insist on one so long as it's not ,./\£$ etc.

      Minimum is the key.

      Password1! = Strong

      efbvjiefvguierhvuierhuivheruiovjjinpwfiodljeiohjgvnojefkonmvgkonmrbkomrkomboeorvier = Weak.

  3. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: On the other hand.

      Does it really matter if someone logs into my Wickes account?

      If you do a little research you'll be surprised by what you can do with a little bit of information. It might not apply to you, but if they can hack Wickes through brute force attacks, and associate your email address with that password, they can probably get your account details which gives them a name, address and email account (plus past orders). Then they can try every other insecure web site using your email address and that password (because you may not, but many people reuse). Knowing order history and details makes you more vulnerable to phishing attacks, and puts (eg) your card provider at greater risk of impersonation fraud, etc etc.

      What really horrified me was that 40% of UK retail web sites don't protect against brute force attacks. Are their IT people totally incompetent, or are they totally incompetent?

      1. This post has been deleted by its author

        1. Zog_but_not_the_first Silver badge

          Re: On the other hand.

          I too am annoyed by failure-to-paste but I'm at a loss on what to do with the linked code. Do I edit the web page, run it as a script (how?). Just asking...

          1. VinceH

            Re: On the other hand.

            "I too am annoyed by failure-to-paste but I'm at a loss on what to do with the linked code. Do I edit the web page, run it as a script (how?)."

            According to the instructions, you need to bookmark the "allow pwpaste" link (which here - Firefox - stores the Javascript itself as the bookmark) and click on that bookmark whenever you're on a page that prevents pasting into the password field.

            Looking at the Javascript itself, what it does is identify all the input form elements on the current page and looks for any that are of type 'password'. If it finds any (on a log-in screen there would normally be one) then if there's an 'onpaste' attribute, it's removed - thereby enabling pasting into the password field.

            Quite a neat solution (speaking as someone who doesn't really use Javascript so is far from an expert and doesn't know if there's a better way).

      2. Tony S

        Re: On the other hand.

        "What really horrified me was that 40% of UK retail web sites don't protect against brute force attacks. Are their IT people totally incompetent, or are they totally incompetent?"

        A fair question.

        I've not been involved in the development of our website; it's been handled by Marketing. They've outsourced the work to a firm of Design specialists. In turn, I think that they have only done the image creation, selected fonts, colours etc. and the actual code work was sent to an Asian sweat shop.

        I queried certain aspects (including password policy) and received a rather sniffy answer from the Marketing Manager (who had clearly not given this a nanosecond's thought). This has resulted in a lengthy email exchange about security and setting appropriate policies. It should be highlighted that the MM has started to get a bit - shall we say - testy. He believes that my views are a touch old fashioned and that we need to have a more modern approach to the work.

        However, we currently have an external firm of auditors checking over Finance; and I've been told that the next stage will be a technical audit of IT. I have the email exchange printed out ready (and I have a copy on my personal laptop). We will see, what we will see.

        1. Anonymous Coward
          Anonymous Coward

          Re: On the other hand.

          Quote: "Asian sweat shop."

          That really means that all the hidden backdoors have already been sold on to a number of criminal gangs.

          Time for a major security re-design methinks?

          Have you even stress tested what those sweat shops delivered?

          The words 'get what you pay for' seem to come to mind...

          I was a web developer once upon a time but I found a better job, pulling pints.

        2. Aqua Marina

          Re: On the other hand.

          Been in this situation before, and someone above me decided that they would attend the KPMG IT audit, without letting me know, until after the auditors had been in. Said person simply lied throughout it.

          I suspect that you are in the UK, so instead of staying silent, send an email to said manager, and CC several other directors too, asking direct questions, while pointing out the current legislation, basically pointing out that he can be held criminally responsible for any data leaks that occur as a result if he ignores your advice. And make copies. At that point either suddenly you will be handed responsibility, or you will be fired (hence having the copies ready for the unfair dismissal tribunal).

          1. Doctor Syntax Silver badge

            Re: On the other hand.

            "Been in this situation before, and someone above me decided that they would attend the KPMG IT audit, without letting me know, until after the auditors had been in. Said person simply lied throughout it."

            What sort of auditor would simply see one person instead of insisting on checking with a number of other members of staff? (Answers on a postcard)

  4. chivo243 Silver badge
    Holmes

    It goes both ways

    I have had to register on sites where 8 characters is the limit!

    And

    As far as passwords go, I think we have been taught improperly?? I once had a user who didn't know his password, but knew the seemingly random pattern on the keyboard, it was at least 20 characters long with numbers. He said his father had taught him that trick.

    1. TechnicalBen Silver badge
      Happy

      Re: It goes both ways

      I still do this with pins. If I ever get held up and asked "all your money and your pin number to your card!" I'll have to wave a strange shape in the air at them.

      1. Paul Kinsler

        Re: "I'll have to wave a strange shape in the air at them."

        while intoning : "these are not the cards you are looking for"?

    2. ciaran
      Thumb Down

      Re: Keyboard passwords

      I do that at work, since Active Directory insists that a password goes stale after a few months. Unfortunately my office keyboard and my mobile device keyboard don't have the same layout - it can be difficult logging back into my work email to get my hotel reservation number on the rare occasions I have to travel....

  5. Stephen Booth

    not the right recommendation

    "with four in five not requiring the use of a capital letter and a number/symbol."

    The thing that is important is entropy. Requiring particular characters does not help with this much; it is a stupid hangover from the days when only the first handful of chars in a unix password were significant, so using the full character set was a good idea.

    If you enforce special chars, all you get is "password!" instead of "password". The same goes for all the other hard-to-obey password rules: everyone uses one of a small number of common fixes to bypass the rule.

    Probably the most important rule to enforce is the minimum legal length of a password.

    1. Paul Crawford Silver badge

      Re: not the right recommendation

      "The thing that is important is entropy"

      The things that are important are entropy and rate limiting on brute-force trials.

      High entropy means more attempts on average to guess it; rate limiting stops them from doing it quickly. However, the most likely password cracking scenario is when they have already compromised a web site and can brute-force the database.

  6. Spudley

    I'm not worried about the password length or character-type restrictions. Frankly, people will put stupid passwords into even the most restrictive password field.

    What keeps me up at night is how many of them are using poor quality password hashing behind the scenes (or even if they're not hashing the passwords at all).

    The kind of stuff Troy Hunt was talking about in this article - http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html.

  7. Old Handle

    I'm not convinced these restrictions are always a good thing. I'd prefer they let me decide what level of security I need on that site, and how best to achieve it, for myself. If you want to show a "strength meter" that's fine.

    Disallowing really common passwords isn't too bad an idea, but other than that and maybe a minimum length, I wish they would leave us alone.

    1. a_yank_lurker Silver badge

      @Old Handle - While some sites have very limited personal information others do have financial details. Shopping sites should insist on strong passwords to protect their customers from themselves.

  8. BobRocket

    Account Fetish hurts online retailers

    I hate sites that make me create an account before they will allow me to grace them with my money.

    Brick and mortar outlets don't do it, mostly they don't care who I am or what my inside leg measurement is, they just want to make a sale.

    I rarely buy from the same online store more than once, I don't want or need a relationship with my onetime supplier of chicken wire.

    Every place I enter all my details is another vector for ID theft, it wouldn't be so bad if they only kept the details (offline) for the duration of the sale (ie credit card transaction details), but no, they want to keep all my details handily accessible so that they can spam me and provide rich pickings for hackers.

    I would buy (repeatedly) from suppliers who state they don't keep any ID information online and only store offline legally required information.

    1. Anonymous Coward
      Anonymous Coward

      Re: Account Fetish hurts online retailers

      I perceive compulsory account login at the entrance to any non-private site, especially retail ones, as site suicide. I don't care what kind of site it is, if I can't browse enough of it without a login, even in subscription or social media sites, they all go on my site blacklist, so I never see this annoyance again. If I really need to get in, I will enter fake information until I need to use genuine details.

    2. cbars

      Re: Account Fetish hurts online retailers

      Online retailers are the worst for this! But Hotels are worse!

      Why do you need my email address? I'm paying you!

      My details at any hotel I stay in are:

      test

      test

      10 Downing Street

      London

      SW1A 2AA

      test@test.com

      Feel free to phish me :)

      (That worst > worse thing. Yea, that's irony)

      1. Doctor Syntax Silver badge

        Re: Account Fetish hurts online retailers

        @cbars

        Suitable alternatives are

        You

        Dont

        Need

        This

        and for an email address chairman@domain of company

        Even better if you can get a direct email address of someone in the marketing dept.

        For situations where a real email address may be needed for the transaction I generate a temporary email address every month or so & close it down when the transactions are complete so their spam will bounce.

        I offer the following free of charge to anyone looking for a business idea. A service which will provide an email address forwarded to a real address for a preset time but will thereafter bounce further mails with a very pointed message explaining why it's been bounced. Or alternatively forward them cc: (not bcc:) to the reply-to addresses of several other such mails. Let the spammers spam each other.

        1. Anonymous Coward
          Anonymous Coward

          Re: Bricks and mortar...

          You're not shopping at all the same shops then. Lots love their data, and will ask if they think you'll give it.

          1. BobRocket

            Re: Account Fetish hurts online retailers - Re: Bricks and mortar...

            'and will ask if they think you'll give it.'

            Lots will ask (Clubcard, Nectar, Match+More etc.) but they don't make it a condition of sale; if they did then they would get fake data the first (and last) time I shopped with them.

            The increasing frequency of data breaches means the backlash against arbitrary data retention will happen on an increasing scale.

            If you can prove the data you hold is secure then you have nothing to worry about.

            The only secure way to hold the data is not to collect it in the first place.

            You do not need individually identifiable data to be able to see that 30% of people who buy 2 tins or more of beans also buy 4 pack or larger bog rolls in the same basket.

            The only reason you need to identify an individual shopper is so that you can target that particular shopper with dynamic pricing (ie. C1/B gets charged more than A/D, status pricing rather than surge pricing).

  9. Neil Barnes Silver badge

    Exactly, Bob: I have lost count of the number of places that require an account to be set up before letting you see a pricelist, or something important like the delivery options and prices. The vast majority of those places never saw my money...

    There is exactly *no* reason to require an account to purchase goods online, any more than there is to buy bananas at Tesco's. Sure, they need to know your delivery address, your name, and your bank details - but they *need* them only as long as it takes to process the order. What they *don't* need, and I don't want, is a 'relationship' which allows them to spam me forever and a day.

    Each transaction is individual, and should remain so, the same as it is on the high street. And just like the high street, if I like the service, I'm inclined to come back; if I don't, I won't.

  10. Anonymous Coward
    Anonymous Coward

    Foolish user behaviour allowed by poor auth. support

    Anything requiring a password should show a password strength indicator and where feasible reject any dictionary or other easy to attack passwords.

    It would be helpful if there were scoring matrices of multiple OSS and commercial authentication web services and authentication libraries for common server side web frameworks, to make this easy to get right, including password strength checking, but I can't find any so far. The lack of these lists is crazy because roll your own user auth. is so very easy to make insecure and hard to fix later, even if you /really/ know enough cryptography.

  11. Richard Parkin

    Allow entry of long password but secretly truncate

    The worst experience I have had was a site that allowed me to enter a long password but then ignored any characters beyond 11 without informing me. Troy Hunt has cited some examples of this too.

  12. Graham Marsden
    Facepalm

    "some consumer-focused sites do get it right on password security"

    And some, mentioning no names *cough* UPS *cough* require an upper case letter, a lower case letter, a number and a special character *and* require it must be between 8 and 15 characters.

    Why the hell do they need a 15 character maximum? The days of limited storage space are long gone, so if I want to use a password of "Somewhereovertherainbowwayuphigh!1" why should I not be allowed to do so because they're using an obsolete password model?

    1. Anonymous Coward
      Anonymous Coward

      Re: "some consumer-focused sites do get it right on password security"

      It also makes it appear as if they are storing the passwords themselves rather than a hash and so you shouldn't trust them with your data.

    2. a_yank_lurker Silver badge

      Re: "some consumer-focused sites do get it right on password security"

      My guess is the database field has a maximum of 15 characters for a password.

      1. Lee Mulcahy

        Re: "some consumer-focused sites do get it right on password security"

        Then they should be shot -- The password itself should not be stored, just the hash or whatever it is they use these days.
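Several posts in this thread make the same practical points: length and a blocklist of common passwords matter more than composition rules (Stephen Booth), a rule like "one special character" just turns "password" into "password!", silently truncating a long password is a defect (Richard Parkin), and a 15-character cap suggests the plaintext rather than a hash is stored (the UPS thread above). As an added example that is not code from the article or from any commenter, the Python below implements such a policy; the ten-entry blocklist, the leet-substitution table and the PBKDF2 parameters are constructed for illustration.

```python
# Added example, not code from the article or any commenter: a password
# acceptance and storage policy built from the points argued in this thread.
# A minimum length and a common-password blocklist replace composition rules,
# the blocklist check undoes the "password" -> "Password1!" fix-ups, nothing is
# silently truncated, and hashing means storage never needs a length cap.
import hashlib
import hmac
import math
import os
import re

MIN_LENGTH = 12
SALT_LEN = 16
PBKDF2_ITERATIONS = 600_000

# Constructed stand-in for the "ten most common passwords" the report counts;
# a real deployment loads a breach-derived list of many thousands.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "111111", "letmein", "monkey", "dragon", "baseball",
}

# Substitutions a guesser undoes before looking the word up (constructed table).
_LEET = str.maketrans("@$013!|", "asoleil")


def normalize(password: str) -> str:
    """Reduce a password to the word a guesser would try: fold case, strip the
    leading/trailing digits and symbols people bolt on to satisfy composition
    rules ("password!" for "password"), then undo leet substitutions."""
    lowered = password.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered).translate(_LEET)
    return core or lowered  # all-digit passwords such as "123456" stay as-is


def check_password(password: str) -> list:
    """Reasons a password is refused; an empty list means accepted.
    There is no composition rule and no maximum length."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in COMMON_PASSWORDS:
        reasons.append("a common password or a trivial variant of one")
    return reasons


def naive_entropy_bits(password: str) -> float:
    """What a typical strength meter reports: length times log2 of the alphabet
    implied by the character classes present. Composition rules chase this
    number, which is why it rates "Password1!" highly and normalize() does not."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33))
    size = sum(n for pred, n in classes if any(pred(c) for c in password))
    return len(password) * math.log2(size) if size else 0.0


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2 over the whole password. The result is a fixed 16 + 32
    bytes however long the input, so a 15-character column limit is a sign
    that the plaintext, not a hash, is being stored."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time check against the stored salt+digest; every character
    counts, so a password differing only after the 11th character fails."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ("Password1!", "correcthorsebatterystaple", "P@ssw0rd!"):
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw!r}: {naive_entropy_bits(pw):.0f} naive bits; {verdict}")
```

Run stand-alone it shows "Password1!" scoring about 66 naive bits yet being refused, while the 25-character passphrase passes with no special characters at all.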

  13. Joe Montana

    How are they used?

    Sites which implement a complex password policy are usually acting too self important, and irritating their users...

    If you guess my password for Wickes or whatever online retailer then so what? You can see my previous orders, you can't even place a new order. Why would I go to the effort of using a strong password for such a site?

    Plus you have no idea how such a site stores your password, it might not be stored securely and could easily be leaked.

    I always used to use a stupid and easily remembered (but probably not easy to guess) password for such sites where I didn't really care; only now that some have password policies I can no longer use it everywhere, and now I have different ones which I continuously forget.

  14. harmjschoonhoven
    Coat

    Like

    Clemenceau's maxim "War is too important to leave to the generals", passwords are too important to leave to the users.

    Mine is the one with the password generator in the pocket.

  15. Martin-73 Silver badge

    I am probably going to be downvoted...but

    I don't like ANY restrictions. If I want to use 12345 for my password, it's my lookout. If I want to use a weird conglomeration of accented characters, digits, Arabic, and the blood of a virgin unicorn, that is my lookout too.

    Reducing the possible number of passwords is a poor idea. Yes, in cases where large numbers of characters are possible, it's not a major issue, but the whole concept is flawed. I know of banks that allow repeating digits in PINs... that wipes out a significant amount of the possible values. And makes the bad guy's job EASIER.

    1. Lee Mulcahy

      Re: I am probably going to be downvoted...but

      I was going to add a similar comment. If I want to be stupid, it should be on me. If someone uses a password that is simple, such as "password" then the institution should not be liable for any hacking of that account.

      1. Simone

        Re: I am probably going to be downvoted...but

        Except... if I am trying to hack a site that needs a password, and I don't know one, I can only access a number of pages. If I now know a stupid user's account and password, I have a new batch of pages that I can attack. Are you assuming that these pages have been properly security tested and that this does not matter?

  16. Anonymous Coward
    Anonymous Coward

    Sites really don't do anything to help with password security.

    Instead of being like "Well, your password is really weak, but okay..." they should be going "Well, actually, your password is really weak so we won't allow you to register until that strength meter below hits strong."

    Also, secret questions could be improved on. Family names and pets are way too easy to guess. They should opt with harder things like "If you got stuck back in time in the Middle Ages what would you invent?"

  17. Ian Nominate

    Mixed messages on security?

    So John Lewis impose strong password checking but still use what The Register refer to as out-dated, shoddy SHA-1 certificates at its so-called secure checkout. Google Chrome warns users about the deprecated SHA-1 algorithm and obsolete TLS 1.2 cipher suite. Obviously their support line couldn't understand their customers' concerns when called, leaving some customers confused where the padlock had disappeared to. Black Friday indeed.

  18. KillthePassword

    Unfortunately this entire thread is populated by tech savvy people who have a daily and perhaps hourly and more frequent relationship with their keyboard and screen.

    The issue of username and password is not really about those of us in the tech world who have a minute by minute interface with all sorts of resources and assets. The issue of security is compromised amongst the majority of non-tech-savvy users who see Security as a pain in the backside. Our duty therefore is to create a schema which works for their (and our) better "user experience" but which overall solves the problem of "how do we keep the bad guys out?" Yet the answer must accommodate Martin-73 above who clearly doesn't care, and why should he!

    Therefore we need to eliminate the username / password model and implement an identity certification capability which is easier to use, easy to implement and ....is more secure.

    Believe it or not, worked out in the correct manner, observing some of the commentary in David Birch's book "Identity is the New Money" we can put in place a secure access model which everyone can use and everyone will benefit from. But it must happen fast. R


Biting the hand that feeds IT © 1998–2019