Elin Hobeck is part of SessionCam’s Insight Consultancy team and works closely with our customers to help them identify website optimizations and improvements.
As part of this role, Elin has been researching password policies in the retail sector.
Over the past couple of months, we have shared Elin’s research on password policies across the top 30 retail sites in the UK and US against five different password factors:
- How many characters does a password require?
- Do they specify a mixture of characters/numbers/symbols?
- Do they offer any password advice on their site?
- Do they advise on unique passwords?
- Are accounts locked after multiple failed login attempts?
In this month’s password policy blog, we are focusing on the differences and any similarities between UK and US password policies.
Password character limits & specifics
US sites specified that passwords should have eight or more characters 15% more often than UK sites. We found the UK also had more sites which gave no password character limits to their customers, which can create ambiguity for visitors when creating an account.
Across the sites analysed, UK sites were more specific and strict about the exact requirements for a valid password, when advice was provided.
However, the UK also had more sites which offered visitors no advice, a total of six. We found that the US was more defined in the ‘other’ categories, with sites specifying against spaces and specific symbols (such as < and >), and ensuring no three of the same letters could be listed in a row.
Further password advice offered?
We defined ‘further password advice’ as an area of the site dedicated to offering visitors help and information about passwords and often online security – basically, an area on the site which is not just the account creation form.
The UK was in the lead in offering visitors extra advice on password creation, storage and requirements.
43% of UK sites provided visitors with more information than can be found in the login area, in comparison to the US, where only 16% of sites provided this extra level of information.
Giving visitors this extra information on password policies is likely to increase their confidence, not only in creating a password but also in the site as a whole.
Unique passwords & suggesting password management systems
Of the sites analysed, UK sites were more likely to recommend to their visitors that passwords should be unique: a total of 40% made this suggestion. Only 16% of the US sites suggested that passwords should be unique.
In addition, none of the US sites we reviewed suggested to their customers that a password manager could be used to store unique passwords. The UK sites, on the other hand, did recommend password managers across 4 of the sites (13%).
Across both the US and the UK sites, fewer than 50% applied account locking when a visitor attempted to log in to their account with incorrect details multiple times.
Account locking should be used with caution: visitors are likely to become exceedingly frustrated if they are locked out of their account without any warning. Out of the sites analysed, when live testing, only 10% locked us out of our own accounts without notice.
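One way to lock accounts while warning visitors first, shown as an added example that is not from the original research or any of the sites reviewed. The threshold of five attempts, the warning at two remaining attempts, the 15-minute temporary lock and all names are assumptions.

```python
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed threshold; the post does not state one
WARN_REMAINING = 2      # assumed: warn once this few attempts are left
LOCK_SECONDS = 15 * 60  # assumed temporary lock rather than a permanent one

@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0

class LoginThrottle:
    """Counts failed logins per submitted identifier and returns the text to show.

    State is keyed on whatever identifier was typed, whether or not the account
    exists, so the messages do not reveal which accounts are registered.
    """
    def __init__(self):
        self._accounts = {}

    def check(self, account, now=None):
        """Call before verifying the password. Returns (allowed, message)."""
        now = time.time() if now is None else now
        st = self._accounts.get(account)
        if st and now < st.locked_until:
            mins = int((st.locked_until - now + 59) // 60)  # round up to minutes
            return False, f"Account locked. Try again in {mins} minute(s)."
        return True, ""

    def failure(self, account, now=None):
        """Record a failed login and return the message for the visitor."""
        now = time.time() if now is None else now
        st = self._accounts.setdefault(account, _State())
        if st.locked_until and now >= st.locked_until:
            st.failures, st.locked_until = 0, 0.0  # lock expired: start fresh
        st.failures += 1
        remaining = MAX_ATTEMPTS - st.failures
        if remaining <= 0:
            st.locked_until = now + LOCK_SECONDS
            return f"Too many failed attempts. Locked for {LOCK_SECONDS // 60} minutes."
        if remaining <= WARN_REMAINING:
            return f"Incorrect details. {remaining} attempt(s) left before lockout."
        return "Incorrect details."

    def success(self, account):
        """Clear the counter after a successful login."""
        self._accounts.pop(account, None)
```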
From our research, we’ve deduced that the UK and US both take similar approaches to password policies across their sites. However, neither location is consistent in the amount of password advice offered, nor in its approach to account management (locking).
In our fourth and final blog of the series, we are going to discuss our password policy recommendations, for both visitor ease of use and site security.