Monday Feb 10, 2014

E-commerce Passwords

If you're like me, you've established accounts with many online retailers, and many of those also store your payment information.  How easily can an attacker guess your password and take over your account?  To avoid storing passwords themselves, websites typically store a hashed version in their database.  A cryptographic hash function produces a fixed-size fingerprint of your password that cannot be reversed.  So when you enter your password, it's hashed and compared to the stored hash; if they match, you've entered the correct password.  If the stored hashes are stolen, the attacker can't reverse them back to passwords, but they can guess candidates, hash each one, and compare.  With a fast, unsalted hash such as plain MD5 or SHA-1, a single GPU can test billions of guesses per second offline, so sites should store a salted, deliberately slow password hash (bcrypt, scrypt, or PBKDF2) rather than a bare digest.  Even then, a weak password falls quickly, which is why it's crucial that online retailers enforce good password creation when accounts are created.  That means they should follow these best practices:

  • Require a minimum length
  • Require a mix of upper- and lower-case letters and digits
  • Disallow commonly used passwords like '123456'
  • Use email to verify accounts
  • Limit the number of invalid attempts
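The hash-and-compare flow described above and the five policy items in the list, as an added example that is not code from the original post or from any retailer or from Dashlane: a salted, deliberately slow PBKDF2 hash with a constant-time comparison, a policy check for length, character classes and a common-password blocklist, and a lockout counter that limits invalid attempts.  The blocklist, iteration count, minimum length and attempt limit are illustrative values chosen here; a real deployment would take the blocklist from a breach corpus and tune the iteration count to its own hardware.  Email verification is the one item in the list not shown, since it needs a mail system rather than a few lines of code.

```python
import hashlib
import hmac
import os
import re

# Constructed blocklist for illustration; production lists come from
# published breach corpora and contain millions of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein"}

MIN_LENGTH = 8                 # assumed policy value
PBKDF2_ITERATIONS = 600_000    # deliberately slow; tune to ~100 ms per hash on your hardware
MAX_FAILED_ATTEMPTS = 5        # assumed lockout threshold


def check_password_policy(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    return problems


def hash_password(password):
    """Derive a salted PBKDF2-HMAC-SHA256 hash, stored as 'iterations$salt$digest' in hex.

    A fresh random salt per account means two users with the same password
    get different stored values, so one precomputed table cannot crack both.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class Account:
    """Minimal account record: policy check at creation, lockout on repeated failures."""

    def __init__(self, password):
        problems = check_password_policy(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        self.password_hash = hash_password(password)
        self.failed_attempts = 0
        self.locked = False

    def login(self, password):
        """Return True on success; False on a wrong password or a locked account."""
        if self.locked:
            return False  # no hash computed, so a locked account cannot be brute-forced
        if verify_password(password, self.password_hash):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False
```

Note that the slow hash and the lockout counter defend against different attackers: the iteration count slows an offline attacker who already holds the stolen hash table, while the attempt limit stops an online attacker who only has the login form.  A site that allows one-character passwords or unlimited guesses loses on both fronts no matter how the hash is stored.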

Of course, enforcement is all over the map.  Dashlane, a provider of password management software, recently graded the top 100 e-commerce sites on their password policies.  You can see the results in the infographic below:

The details of the study are available here.  According to the study, Northern Tool and 1-800-Flowers allow one-character passwords.  Thankfully, most of the retailers send an account confirmation email, and none of those sends the password in cleartext.  Want to use 'password' as your password?  No problem at LL Bean, Gap, and Costco.  When you change your password, Blue Nile, Karmaloop, and MLB will email your new password in cleartext, exposing it in transit and in every mailbox it lands in.  And Amazon, Aeropostale, and Shoebuy don't limit your password guesses.

As an industry, we can do better than this.

Thursday Mar 29, 2012

Hello PCI Council, are you listening?

Mention "PCI" to any retailer and you'll instantly see them take a deep breath and start looking for the nearest exit.  Nobody wants to be insecure, but few actually believe that PCI does anything more than focus blame directly on retailers.  I applaud PCI for making retailers more aware of the importance of security, but did you have to make them PAINFULLY aware?  POS vendors aren't immune to this pain either, as we have to undergo lengthy third-party audits in addition to our internal secure-programming programs.  There's got to be a better way.

There's a timely article over at StorefrontBacktalk that discusses the inequity of PCI's rules, and also mentions that the PCI Council is accepting comments until April 15th.

As a vendor, my biggest issue with PCI is that it requires vendors to disclose the details of any breaches, in effect "ratting out" customers.  I don't think it's a vendor's place to do this.  I'd rather have the trust of my customers so we can jointly solve the problem.

Mary Ann Davidson, Oracle's Chief Security Officer, has an interesting blog posting on this very topic.  It's a bit of a long read, but I found it very entertaining and thought-provoking.  Here's an excerpt:

...heading up the list of “you must be joking” regulations are recent disturbing developments in the Payment Card Industry (PCI) world. I’d like to give [the] PCI kahunas the benefit of the doubt about their intentions, except that efforts by Oracle among others to make them aware of “unfortunate side effects of your requirements” – which is as tactful as I can be for reasons that I believe will become obvious below - have gone, to-date, unanswered and more importantly, unchanged.

I encourage you to read the entire posting, Pain Comes Instantly, and then provide feedback to the PCI Council.

About


David Dorf, Sr Director Technology Strategy for Oracle Retail, shares news and ideas about the retail industry with a focus on innovation and emerging technologies.