Elin Hobeck is part of SessionCam’s Insight Consultancy team and works closely with our customers to help them identify website optimizations and improvements.
As part of this role, Elin has been researching password policies in the retail sector.
Last month, we published the first of four new blogs authored by Elin that shared research on password policies adopted by UK retailers.
This is the next blog in this series. This time, we have investigated the top 30 retail sites in the US (Stores, 2019).
We have researched these sites to understand what password policies are applied and how the sites assist visitors with password security advice.
We have measured the sites on 5 different policy factors:
- How many characters does a password require?
- Do they require a mixture of letters, numbers and symbols?
- Do they offer any password advice on their site?
- Do they advise visitors to use unique passwords?
- Are accounts locked after multiple failed login attempts?
We have measured these factors to see if password policies are consistent across sites, as well as highlighting if there are any anomalies.
Password character limits & specifics
As in the previous blog, we defined the minimum password requirement for sites to be 8 characters. We suggested that passwords longer than 8 characters were likely to be more secure and therefore more difficult for hackers to guess.
Of the US sites analysed, 76.6% of password policies required 8 or more characters, our recommended minimum for security. The remaining 20% accepted fewer than 8 characters, and only one site gave no character-based specification at all.
We also analysed whether sites asked for character specifics within the password policies – for example, a requirement for a mix of numbers, letters and symbols.
The majority of sites (60%) advised visitors to use a mixture of letters, numbers and symbols.
We found that two sites specified that a combination approach could be used, but no spaces were allowed.
We found that 16% of sites offered no advice to visitors at all, allowing visitors to judge for themselves how secure (or not) their password needs to be.
In addition, two of the larger sites we analysed (both ‘big-box’ stores) told visitors that they should not use the ‘<’ or ‘>’ symbols. It was unclear why those particular symbols were not permitted.
Further password advice offered?
Our definition of further password advice remained the same as in our UK site analysis: ‘sites that offered visitors a paragraph of text or recommendations for best password practice within their site’, often found in the privacy information or help area.
From our sample, 80% of sites did not offer visitors any extra help with setting up passwords, again leaving the guesswork to visitors.
16% of sites did offer further password advice, which again increases visitor confidence in the site.
(Password advice from Walmart, 2019)
Unique passwords & suggesting password management systems
We also analysed all the sites to ascertain whether they recommended that passwords used should be unique.
As mentioned in the UK password policy blog, having a unique password for every site reduces overall account vulnerability.
Of the sites analysed, only 16% advised visitors that their passwords should be unique, with all other sites offering no recommendations.
None of the sites from the US sample group suggested the use of password managers to their visitors.
A fifth of the sites analysed applied ‘account locking’ after multiple failed login attempts.
When live testing the sites, only one gave us a warning that our account was going to be locked after four failed attempts. As discussed in our UK password policy blog, automatically locking a visitor's account without warning is likely to increase both struggle and the probability of drop-off, due to the perceived effort required to regain access once an account is locked.
The remaining 80% of sites offered no visible account locking function when we deliberately tried to log in with false details.
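To make the five policy factors concrete, here is an added example (not code from any of the retailers or from SessionCam) of a server-side password policy check and a per-account failed-login counter that warns on the attempt before the lock, as the one site above did. The 8-character minimum and the letters/numbers/symbols mix come from the post; the four-attempt limit and the account names are assumed values for illustration.

```python
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8    # minimum recommended in the post
MAX_ATTEMPTS = 4  # assumed: lock after the fourth failure, warn on the third


def check_password_policy(password: str) -> list:
    """Return the list of policy problems; an empty list means the password passes.

    Enforces the factors measured in the post: minimum length, a mix of
    letters, numbers and symbols, and no spaces (as two sites required).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if " " in password:
        problems.append("contains a space")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    return problems


@dataclass
class LoginLimiter:
    """Per-account failed-attempt counter that warns before it locks."""
    max_attempts: int = MAX_ATTEMPTS
    failures: dict = field(default_factory=dict)

    def record_failure(self, account: str) -> str:
        """Record one failed login; returns 'retry', 'warn' or 'locked'."""
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_attempts:
            return "locked"
        if count == self.max_attempts - 1:
            return "warn"   # tell the visitor the next failure locks the account
        return "retry"

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= self.max_attempts

    def record_success(self, account: str) -> None:
        """A successful login resets the counter for that account."""
        self.failures.pop(account, None)
```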
Join us in the next post where we’ll be comparing the password policies of the UK and US retail sites from the data we’ve analysed.