Why don't online retailers, banks, or other financial institutions for that matter require users to choose a complex password? This is something that puzzles many security professionals. I do not know the answer, but I've got a few thoughts. Let me know if any of these resemble your behavior or attitude when it comes to passwords.
- I don't have anything valuable to protect and I want to remember my password. I thought that at one time...before I ever started banking or shopping online.
- I use the same password on multiple sites because it's easier that way. OK...I'm guilty...but it's actually a thing of the past. I developed a system that helped me create complex passwords drawing on multiple character classes (upper case, lower case, numbers, and special characters) that I continue to use to this day. I also use a password manager because it helps me create very complex passwords without needing to remember them.
- Password sounds like a good password...who would guess that? OK...I never tried that one...but I did use easy passwords more than 20 years ago along the lines of DallasCowboys, NewOrleansSaints, etc.
- I never change my password because I know it's a good password and I can remember it. OK, I'll admit to this as well. What about you?
I'm sure this only scratches the surface, but you get the idea. I read an article today on "Help Net Security" that discussed the password policies of a lot of very popular online retailers. I was very surprised to find that many of the retailers I visit every day do not have any kind of real password policy that will help force users to make wise password choices. I'd be interested to know how many online banks have a good password policy that requires users to choose a complex password. I was surprised, when I was researching online financial institutions after my book "Cybersecurity for Everyone - Securing your home or small business network" was published, to find that many of them only had minimal security requirements (an eight-character minimum with no special characters required, etc.).
I'm only sharing my thoughts and opinions on this, but I believe it may be a useful dialogue. Retailers are concerned about customers using their sites to generate revenue. It seems that many retailers believe anything that may make your online experience a bit difficult may result in you taking your business elsewhere. I don't think that is necessarily the case, because more and more people are shopping and banking online precisely because it is convenient in and of itself. I will concede that there are many people who would take their business elsewhere, but Apple and Target both scored very well in the "Help Net Security" article while Amazon scored very badly. I don't know the numbers, but I suspect neither Apple nor Target loses many customers because they have a good password policy. I suspect many of their customers appreciate the fact that they place an emphasis on security. The article is worth a read, and note that the research cited in the article was done by "Dashlane", which provides both a free password manager and a premium option with an annual subscription that is available for many different operating systems (Android, Apple, Windows, etc.).
What's not addressed, though, is the bottom line. While Apple scored very high and Amazon did not score well at all, you as the user still have the option to create and use a complex password even when it's not required by the retailer's website. I've never used Dashlane, but I do use a password manager. I recommend everyone learn a good password system that will allow you to create complex passwords that are easy to remember, and also start using a password manager for important websites (retailers, banking, etc.).
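To make the difference between a "minimal" policy and a "complex" one concrete, here is an added example (my own illustration, not code from the post, from Dashlane, or from any retailer's site). It encodes two hypothetical policies as checks a registration form would run, evaluates the kinds of easy passwords mentioned above against both, and generates a password the way a password manager does, from the operating system's cryptographic random source with every character class guaranteed. The policy names, the thresholds, and the small blocklist are assumptions chosen for the demonstration; a real deployment would check candidates against a large list of known-breached passwords rather than the handful constructed here.

```python
import secrets
import string
from dataclasses import dataclass, field

SPECIAL = string.punctuation  # the "special characters" a complexity rule usually means

# Constructed blocklist of the kinds of easy passwords the post mentions; a real
# deployment would use a large list of known-breached passwords instead (assumption).
COMMON_PASSWORDS = frozenset({
    "password", "password1", "12345678", "qwerty123",
    "dallascowboys", "neworleanssaints",
})


@dataclass(frozen=True)
class PasswordPolicy:
    """A site's password rules, expressed as checks a registration form would run."""
    name: str
    min_length: int
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False
    blocklist: frozenset = field(default_factory=frozenset)

    def violations(self, password: str) -> list:
        """Return every rule the candidate breaks (an empty list means accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no upper-case letter")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("no lower-case letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no digit")
        if self.require_special and not any(c in SPECIAL for c in password):
            problems.append("no special character")
        if password.lower() in self.blocklist:
            problems.append("on the common-password blocklist")
        return problems

    def accepts(self, password: str) -> bool:
        return not self.violations(password)


# The kind of minimal policy the post describes: eight characters and nothing else.
MINIMAL_POLICY = PasswordPolicy(name="minimal", min_length=8)

# A hypothetical complex policy: longer minimum, all four classes, plus a blocklist.
COMPLEX_POLICY = PasswordPolicy(
    name="complex", min_length=12,
    require_upper=True, require_lower=True, require_digit=True, require_special=True,
    blocklist=COMMON_PASSWORDS,
)


def generate_password(length: int = 20) -> str:
    """Build a password the way a password manager does: one character from each
    class so any complexity rule is satisfied, the rest from the full alphabet, all
    drawn from the OS CSPRNG through the secrets module, then shuffled so the
    guaranteed characters do not sit in predictable positions."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIAL]
    if length < len(classes):
        raise ValueError("length must be at least 4 to cover every character class")
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def evaluate(password: str) -> dict:
    """Show how the same candidate fares under each policy."""
    return {p.name: p.violations(password) for p in (MINIMAL_POLICY, COMPLEX_POLICY)}


if __name__ == "__main__":
    # Constructed candidates: easy passwords like those in the post, a hand-made
    # complex one, and a manager-generated one.
    for candidate in ("password", "DallasCowboys", "Sx7!kQ2#pL9vWm", generate_password()):
        print(candidate, evaluate(candidate))
```

Running it shows the point the post makes: "password" and "DallasCowboys" sail through the minimal policy, while the complex policy rejects them for missing classes and for appearing on the blocklist, and anything the generator produces passes the complex policy every time. Note that the generator uses `secrets`, not `random`; a manager built on the non-cryptographic `random` module would produce passwords an attacker who knows the seed could reproduce.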
Here is the link to the article: Unsafe password policies leave shoppers vulnerable.