In the final instalment of our password policy blogs, we have compiled our recommendations for applying password policies to retail sites. This is backed by the research we have previously undertaken on the top 30 retail sites in the UK and the US.
We focused on five factors for measuring password policies:
- How many characters should a password have?
- What is the best password character mix? (numbers, symbols or letters)
- Passwords should be unique to every site?
- Should sites apply account locking methods?
- Do retail sites offer password advice?
Password character limits & mix
On the sites we analyzed, there was plenty of different password lengths and character requirements. Having lots of options for different websites can be overwhelming for consumers – this increases the likelihood of struggle.
We recommend a minimum of eight letters to create a secure password. A lengthy password can often be more secure, as a single short word is easier for someone to guess. Adding characters can help visitors create a secure password.
Password uniqueness & management
Having a unique password for each site is more secure than sharing the same password for all. If a website was to be hacked and a password is used across all sites, those login details become vulnerable.
From our research, less than half of UK websites advise their customers that the password they create should be unique and in the US this was lower than a fifth. We recommend that retail sites advise visitors to use a unique password to help account security.
Having many passwords is likely to be difficult for consumers to remember. However, recommending the use of a password management system can help. Password management systems allow storage of different passwords for different sites and can be unlocked by a master password.
Less than 50% of sites analyzed used account locking practices, less than 10% of these locked visitor accounts without notice.
Ecommerce sites should consider extra levels of security, such as ‘account locks’ when a visitor has incorrectly inputted their password several times.
Account locking works best when visitors are warned that after so many attempts their account will be locked and upon locking a verification email will be sent. The user can then verify the login attempts – much like we see on social sites.
Providing password advice
When reviewing password policies across retail sites, less than half offered visitor’s advice on online security.
Advising visitors of password and online security is beneficial to both consumers and retailers. Although, it’s unlikely that all would engage with this content, having it could help those unsure of signing up. This, therefore, increases an individual’s likeliness of purchasing. Information such as good vs bad password examples and general online security tips would be valuable to visitors. The more secure the password, the less chance of an account being hacked.
In light of industry research, both e-commerce sites and consumers should follow the same advice to maximize security:
- Focus on password length rather than character restrictions – a longer password is harder to guess
- Passwords need to be unique across different sites – use a password manager
- Tread carefully with account locks – send email verifications to the account owner
- Password advice should always be available to the consumer
Importantly, password policies recommendations change frequently, guidelines should continuously be reviewed and kept up to date.
If you would like to read more of our password policy findings, head to our blog page to find the series here.