In our blog posts, we’ve regularly shared our thoughts on how login and password functionality affects customer experience and website conversion.
As a follow-up to those articles, we wanted to look more closely at what password policies the most popular retail websites adopt to see if they followed a common approach or not.
With that in mind, we asked Elin Hobeck, one of SessionCam’s finest Insight Consultants, to investigate further. In the first of a set of four new blogs, Elin shares her research into password policies across retail websites in the UK and US.
To start, we analysed the top 30 UK retail sites, based on online performance (Summit, 2018). We looked closely at each of these websites to understand what their current password requirements are and whether they offer visitors any advice on choosing a strong password.
During our analysis, we measured each of these sites on five criteria:
- How many characters does a password require?
- Do they specify a mixture of letters, numbers and symbols?
- Do they offer any password advice on their site?
- Do they advise using a unique password?
- Are accounts locked after multiple failed login attempts?
For each site, we investigated whether it set a minimum password length. We defined the minimum acceptable length as 8 characters. Longer passwords (8 or more characters) are generally more secure than shorter ones: every extra character multiplies the number of guesses an attacker has to make, so longer, more complex passwords are harder for hackers to guess.
70% of the top 30 UK retail websites required a minimum of 8 or more characters, our suggested minimum length for security. 23% set a minimum below 8 characters, and 6% of sites gave visitors no guidance on password length at all.
In addition to password length, asking for a mix of lowercase and uppercase letters, numbers and symbols can further increase the strength of a password, although length remains the bigger factor.
A fifth of all sites analysed offered no advice for visitors here, leaving it up to the consumer to judge how secure their password is.
67% of websites asked for a combination of numbers, mixed-case letters and symbols. We did see one anomaly: a site that specifically said ‘no special characters’. That both shrinks the set of passwords a visitor is allowed to choose from and is likely to trip up visitors who are used to adding special characters on most other websites.
On one site, the only password guidance given to customers was that their password should be ‘long’. This is ambiguous: what counts as ‘long’ varies from one visitor to the next, and the visitor cannot tell in advance whether their choice will be accepted.
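The contrast above, between a vague hint such as ‘long’ and an explicit rule the visitor can act on, is easy to show in code. The following is an added example written for this article; it is not code from SessionCam or from any of the sites surveyed. The thresholds (8 characters, at least three of the four character classes) are assumptions chosen to match the minimum suggested above, and the wording of the feedback is illustrative.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Assumed policy thresholds: the page's suggested minimum length, and a
# mix rule requiring three of the four character classes below.
MIN_LENGTH = 8
REQUIRED_CLASSES = 3

# Character classes the surveyed sites commonly ask for.
CLASSES = {
    "lowercase letter": re.compile(r"[a-z]"),
    "uppercase letter": re.compile(r"[A-Z]"),
    "number": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


@dataclass
class PolicyResult:
    ok: bool
    problems: List[str] = field(default_factory=list)


def describe_policy(min_length: int = MIN_LENGTH,
                    required_classes: int = REQUIRED_CLASSES) -> str:
    """The guidance a site would show *before* the visitor types anything,
    so the rules are never a surprise."""
    return (f"Your password must be at least {min_length} characters long and "
            f"include at least {required_classes} of the following: "
            + ", ".join(CLASSES) + ".")


def check_password(password: str, min_length: int = MIN_LENGTH,
                   required_classes: int = REQUIRED_CLASSES) -> PolicyResult:
    """Check a candidate password and return specific, actionable feedback
    rather than an ambiguous 'password must be long'."""
    problems: List[str] = []

    if len(password) < min_length:
        problems.append(f"use at least {min_length} characters "
                        f"(you entered {len(password)})")

    present = [name for name, rx in CLASSES.items() if rx.search(password)]
    missing = [name for name in CLASSES if name not in present]
    if len(present) < required_classes:
        problems.append(f"include at least {required_classes} of: "
                        + ", ".join(CLASSES)
                        + f" (missing: {', '.join(missing)})")

    return PolicyResult(ok=not problems, problems=problems)


if __name__ == "__main__":
    print(describe_policy())
    for candidate in ("short", "longpassword", "Tr0ub4dor&3"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if result.ok else result.problems}")
```

Note that a mix rule like this is a floor, not a measure of strength: ‘Passw0rd’ satisfies it. That is why the length requirement and the unique-password advice discussed later matter more than the exact character mix.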
Further password advice
We define ‘further password advice’ as sites who offered visitors a paragraph of text or recommendations for best password practice within their site – often found in and around privacy information or help areas.
56% of sites did not offer further clarity. The 44% who did can give their customers more confidence by spelling out password best practices. John Lewis provide an excellent example of how best to do this:
Unique passwords & password management systems
An arguable ‘golden rule’ for account passwords is that each site gets a different password. If one site is breached, the leaked password cannot simply be replayed against the others (the ‘credential stuffing’ attack), so the other accounts are not compromised.
Out of the sites we analysed, less than half (40%) advised that a unique password should be used. Advising customers to use a unique password benefits both the site and the visitor, because a breach elsewhere no longer puts the account at risk.
Of those sites that did recommend creating a unique password, 33% also suggested using a password manager to store it securely.
A password manager lets visitors use a unique password on every site without having to remember each one. You can read more on the National Cyber Security Centre’s view of password managers here.
When exploring these websites, 36% applied ‘account locking’ after visitors entered their account details incorrectly, usually more than once. 3 sites would lock a visitor’s account without warning, which is likely to increase visitor struggle and frustration and could cost conversions.
Account locking works best when visitors are warned how many attempts remain before their account is locked, and when locking triggers a verification email to the account holder, so the genuine user can confirm whether the attempts were theirs and regain access. There is a caveat for the site as well: a lock that never expires lets anyone who knows a customer’s email address lock that customer out simply by entering wrong passwords, so a lock that lifts after a set time, or a growing delay between attempts, is generally preferable to a permanent one.
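The behaviour described above (warn before locking, notify the account holder on lock, and let the lock expire so an attacker cannot permanently lock a customer out) is shown in the added example below. This is illustrative code written for this article, not code from SessionCam or any surveyed retailer; the thresholds (5 attempts, warnings from 2 remaining, a 15-minute lock) are assumptions, and the `notify` callback stands in for whatever email-sending facility a site actually has.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed thresholds; a real site would tune these.
MAX_ATTEMPTS = 5          # lock after this many consecutive failures
WARN_AT = 2               # start warning when this many attempts remain
LOCK_SECONDS = 15 * 60    # lock lifts on its own, so a guessing attacker
                          # cannot lock a customer out permanently


@dataclass
class AccountState:
    failures: int = 0         # consecutive failures since the last success
    locked_until: float = 0.0 # epoch seconds; 0 means not locked


class LoginThrottle:
    """Tracks failed sign-ins per account and decides what to tell the visitor.

    `notify(account, message)` is called when an account is locked; in a
    real deployment it would send the verification e-mail to the account
    holder. `clock` is injectable so the behaviour can be tested offline.
    """

    def __init__(self, notify: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self.notify = notify
        self.clock = clock
        self.state: Dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self.state.setdefault(account, AccountState())

    def is_locked(self, account: str) -> bool:
        return self._state(account).locked_until > self.clock()

    def record_failure(self, account: str) -> str:
        """Call after a wrong password; returns the message to show the visitor."""
        st = self._state(account)
        now = self.clock()
        if st.locked_until > now:
            return "locked"                      # still locked, say nothing new
        st.failures += 1
        remaining = MAX_ATTEMPTS - st.failures
        if remaining <= 0:
            st.locked_until = now + LOCK_SECONDS
            st.failures = 0
            self.notify(account,
                        f"Your account was locked for {LOCK_SECONDS // 60} minutes "
                        f"after {MAX_ATTEMPTS} failed sign-in attempts. If this was "
                        f"not you, please confirm and reset your password.")
            return "locked"
        if remaining <= WARN_AT:
            # The warning the 3 'silent lock' sites failed to give.
            return (f"incorrect password; {remaining} attempt(s) left "
                    f"before your account is locked")
        return "incorrect password"

    def record_success(self, account: str) -> bool:
        """Call after a correct password; returns False if the lock still applies."""
        st = self._state(account)
        if st.locked_until > self.clock():
            return False                         # a lock is not bypassed by guessing right
        st.failures = 0
        return True


if __name__ == "__main__":
    sent = []
    throttle = LoginThrottle(notify=lambda acct, msg: sent.append((acct, msg)))
    for _ in range(MAX_ATTEMPTS):
        print(throttle.record_failure("customer@example.com"))  # constructed sample account
    print("locked:", throttle.is_locked("customer@example.com"), "emails sent:", len(sent))
```

The injectable clock is what lets the expiry be tested without waiting 15 minutes, and the same hook would let a real site swap the in-memory `state` dictionary for shared storage so the count survives across web servers.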
In my next blog, I will be looking at the top US retail sites and sharing their common password policies. From which, we’ll present a comparison of the UK and US markets before providing our summary recommendations on password policy best practice.