Target Corp. may be engulfed in data security issues, but the strength of customer passwords at Target.com isn't likely one of them.
The Minneapolis-based retailer tied for No. 4 in the nation for its online customer password policies, according to a first-ever study by the company Dashlane Inc., scoring 60 of 100 possible points. Only Apple Inc., at No. 1., scored a perfect 100.
Best Buy Co. Inc. tied for No. 11 with a score of 40. E-tailing colossus Amazon fared poorly with a score of -40, tying for No. 63.
"Anything above 45 is pretty good," said Dashlane CEO Emmanuel Schalit in an interview. "What's concerning in this study is to find so many sites, including pretty large players, that are not paying attention to this problem."
Hackers are armed with increasingly sophisticated tools to break passwords as shopping migrates online. Target and Richfield-based Best Buy are shifting more and more resources online as they work to hold their ground against e-tailers such as Amazon.com.
Only 10 percent of the 100 retailers in Dashlane's study scored 45 or above, and more than half still accept lazy passwords such as "123456," "111111" or even "password," it found. Half of the companies don't block logins even after 10 incorrect password tries, including Amazon, Dell, Best Buy, Macy's and Williams-Sonoma.
In one major D'oh!, Dashlane noted that MLB, the official site for Major League Baseball, allows shoppers to use the word "baseball." Amazon, Wal-Mart, Office Depot and Macy's were among those retailers with scores at or below 30.
Shoppers themselves don't appear to be clamoring for stricter password policies.
A separate poll out Monday in the wake of Target's data breach shows that American shoppers say they are very or extremely concerned about the safety of their personal information in stores and online, but aren't changing their behavior much to protect it. A majority said that since the breach they have not changed their online passwords at store Web sites, asked for new credit or debit card numbers from their bank or signed up for a credit monitoring service. The AP-GfK Poll surveyed 1,060 adults.
Dashlane, a venture-capital-backed password manager in Manhattan that markets to consumers, examined the password policies of the Top 100 e-commerce sites from Jan. 17-Jan. 22. It scored companies from minus 100 to 100 based on two dozen criteria such as how many characters they require, whether they require a mix of numbers and letters, whether they e-mail customer passwords in plain text, and whether they tell consumers setting up an account whether their chosen password is weak or strong. (continued...)
© 2014 Star Tribune (Minneapolis, MN) under contract with YellowBrix. All rights reserved.