Infographic: 64% of Online Retailers Have Serious Password Problems

A new study found that most online retailers are putting very little effort into helping their customers create strong passwords.

These days, we're trusting more and more online retailers to protect our data. Many websites require you to make an account, even if you only plan to shop there once. Faced with the difficult task of making up a unique password for tens, maybe hundreds of sites, many of us fall back on the bad habit of using bad passwords. Unfortunately, a new study showed that 64% of online retailers don't seem to care whether their shoppers are making strong passwords or not.

Apple has the Best Password Policies

Dashlane, an online password management company, ranked the top 100 e-commerce websites (as determined by Internet Retailer's 2013 Top 500 eGuide) according to 24 different criteria, such as whether a site accepted weak passwords like "123456" or "password." Retailers could earn a score ranging from -100 to 100, and the vast majority (64%) earned a negative score. The study found that 55% of retailers accepted very weak passwords. And 51% of sites made no attempt to block account access after 10 incorrect password entries — including Amazon, Dell, Best Buy, and Macy's.

Apple, Newegg, and Microsoft took the top spots in the study's ranking of the best online retailers in terms of password security, while MLB, Karmaloop, and Dick's Sporting Goods had the worst scores. However, only Apple earned a perfect score of 100.

"The danger with a weak password policy is that it leaves users' personal data vulnerable," the study's press release read. "The weaker the password, the easier it is for hackers to break into an account. Therefore, sites with lenient password policies are leaving their users exposed to greater risk." See the infographic below for more of the study's findings.

secure retailers infographic

Readers, how do you protect your information online? Do you have a mental list of 700 super-secure passwords? Or do you use "password" for everything and damn the consequences? Share your secrets (but not your passwords) in the comments below!

Michael Bonebright
Former Senior Blog Editor

Michael added the finishing touches to most of the Blog articles on DealNews. His work has appeared on sites like Lifehacker, the Huffington Post, and MSN Money. See him rant about video games by following him on Twitter @ThatBonebright.


I use a different randomly generated password for each site and use KeePass Password Safe to keep track of it all. It's a free open source application with ports for many other devices including Android, iPhone, Mac OS, Windows Phone, and Blackberry. For added security you can create a key file that prevents anyone from opening your password database, even if they know your master password, unless they also have the key file. It also has auto-type (auto login), a password generator, and records a history so if you need to look up your previous password you can still find it.
I use Lastpass (which is awesome by the way) and everywhere I can I make as complex and long passwords as possible - particularly shopping sites. It's surprising to me how many sites don't allow long passwords either - Lastpass allows you to use up to 100 characters which I use wherever possible cause I don't have to remember them. Even Microsoft only allows 16 (or 20?) characters, and some sites only allow 8 or 10. That is weak. I also use Google Authenticator to add another layer of security, and too few sites support that.
Greg the Gruesome recently (1/28/14) reviewed a bunch of password managers:,2817,2407168,00.asp

I hate those security questions some sites make you answer to recover or reset your password. Either the answer may well be known by someone who knows me or I have difficulty remembering what answer I gave when I set it. I read something at Krebs on Security that said an identity thief may be able to find out your answers by doing research.
I feel quite secure that nobody is going to be able to hack my Apple password since it is often nearly impossible for me to log in myself. These aren't nuclear weapon launch codes we're protecting. My biggest irritation is that most sites no longer allow password "retrieval". Then, to make things even more inconvenient, Apple does not allow us to reset our password to a password we have used before. This creates a snowball effect of either harder-to-remember passwords or easier-to-guess passwords.

I can't help but wonder how many Apple users have their "strong" passwords written on a sticky note on their monitor right now.