The e-commerce business has been growing exponentially for the past 10 years. Hundreds of thousands of businesses have moved online and millions of users have taken their shopping to the Internet. During this rush, everyone seems to ignore security, both as a concept and as a requirement. E-commerce businesses focus on uptime, ease of use and aesthetics when delivering their services, while leaving security as a secondary objective. Securing an online service costs time and money and usually creates additional administrative overhead, because security measures need monitoring and maintenance to remain effective. At the same time, too much user-facing security (CAPTCHA codes, secret answers, etc.) can hurt the user experience and may drive customers, especially the security-unaware ones, away. There are a number of important general security features that all e-commerce websites should have: authenticated access, encrypted traffic, secure storage of customer data, up-to-date website technology to minimize the risk of technical vulnerabilities, appropriate password policies for their customer base and, last but not least, a security-aware website implementation to prevent web attacks.

Security is a process, so along with building these features into the web service design and implementation, there are tasks that need to be carried out on a regular basis, such as ensuring that the security measures function properly (the website is periodically scanned for vulnerabilities, secure password policies are in place, etc.). E-commerce businesses usually outsource part of their security requirements to third parties, particularly the parts dealing with customers' private data. However, there is one aspect that cannot easily be outsourced: authentication to their own website, as part of the shopping user flow.

Password policies: the facts

Authentication is an important security measure meant to protect the business from abuse and fraud, and users from identity theft and fraud. One of the pillars of web authentication, along with the quality of the implementation of the authentication mechanism itself, is the password policy. Password policies regulate the minimum complexity requirements for the passwords used in the authentication process. Passwords play a major role because they control access to the customer’s profile on the website. Anyone who guesses a customer’s password gains access to shopping lists, transactions, payment methods, payment details and personal information, and can use that information for malicious activity ranging from credit card fraud to identity theft.

Essentially, poor password policies have the potential to render the rest of the security measures in place useless. If passwords are easy to guess, then accounts will be hacked and both customers and businesses will be affected. So the question is, why do so many businesses not have adequate password policies in place? Dashlane carried out a study among the top 100 e-retailers in the US and published their findings in “The Illusion of Personal Data Security in E-Commerce: Dashlane Q1 2014 Personal Data Security Roundup”. The numbers do not look good for online retailers:

  • 55% accept notoriously weak passwords like “123456” or “password” – no protection for unaware customers;
  • 51% do not lock accounts after multiple failed login attempts – making users susceptible to successful dictionary attacks for password guessing;
  • 8% send passwords in clear text across the Internet – exposing customer authentication details to man-in-the-middle attacks.

More than 60% of the e-commerce websites in the sample were found not to have adequate password policies in place and/or not to provide any advice to their customers on how to create a secure password. The vast majority do not provide a password strength indicator either, making it difficult for users to select an appropriate password.

From the end user’s perspective, security is cumbersome as well. Most users do not realize the importance of passwords beyond the fact that one is needed to protect an account. “Anything would do, as long as I can remember it” is a common belief when it comes to passwords. People do not remember complex passwords anyway and usually find the entire registration process annoying. Hence, password creation during account registration is just another form that needs to be filled in, as fast as possible.

When the two perspectives are combined, we arrive at today’s situation: people do not use safe passwords and most e-retailers do not enforce them. Consequently, more accounts get hacked and the reputation of e-retailers suffers, while both end users and e-commerce businesses suffer financially or legally. E-commerce websites contain all the data a hacker needs to steal money and identities, and the key to all this data is the password. Weak passwords are a cause of concern in the IT community, but websites still do not implement adequate policies to eliminate them. All this is happening in spite of security reports showing alarming numbers and the availability of automated tools that perform penetration testing using password-guessing techniques similar to the ones hackers use to steal data. Security standards and regulations imply the use of penetration testing tools to detect security flaws, including the use of weak passwords; however, adoption of such strategies is rather slow, mostly because, in most cases, the requirement is implied rather than explicitly stated.

Having a solid password policy in place is key

In order to improve, e-retailers should:

  • Implement appropriate password policies that prevent the use of weak passwords.
  • Help customers build a secure account by informing them about the risks and properly guiding them through the registration process.
  • Make sure their websites are vulnerability-free by performing regular vulnerability assessments.
  • Make sure their user base does not have weak passwords by carrying out periodic password strength assessments using appropriate penetration testing tools.
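As an added example (not code from the original post or from Acunetix), the following Python implements the two controls that the Dashlane figures above and the first recommendation call for: a registration-time policy check that rejects deny-listed passwords such as “123456” and “password”, and a per-account lockout after repeated failed logins. The deny-list entries, the thresholds and the function and class names are assumptions chosen for illustration.

```python
import time
from collections import defaultdict

# Constructed sample deny-list; a real deployment would load a large list of
# known-breached passwords instead of these few entries.
WEAK_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein"}
MIN_LENGTH = 12          # assumed policy values for this example
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 900

def check_password_policy(password: str) -> list:
    """Return the policy violations for a candidate password; [] means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("on the weak-password deny-list")
    if len(set(password)) < 4:
        problems.append("fewer than 4 distinct characters")
    return problems

class LoginThrottle:
    """Count failed logins per account and lock the account after too many."""
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._failures = defaultdict(list)   # account -> failure timestamps
        self._locked_until = {}

    def is_locked(self, account: str) -> bool:
        return self._now() < self._locked_until.get(account, 0.0)

    def record_failure(self, account: str) -> bool:
        """Record a failed attempt; return True once the account becomes locked."""
        now = self._now()
        # Only failures inside the lockout window count towards the limit.
        recent = [t for t in self._failures[account] if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= MAX_FAILED_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)    # clear history and any lock
        self._locked_until.pop(account, None)
```

In a real login handler the throttle check runs before the password is verified, and the lock is keyed on the account rather than the client address so that attackers rotating IP addresses gain nothing.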



Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.