A Black Day in Retail Looming for Passwords

This Friday is Black Friday and the following Monday is what has become known as Cyber Monday. It represents the start of the Christmas shopping season and is now one of the biggest weekends for high-street and online retailers in the UK. For many consumers (especially those shopping online) it can also be one of the most frustrating times, with online queuing systems in operation and then when they get through they are expected to register, remember or reset a password.

Even so, in an article published by The Register it is reported that many of the UK’s most popular e-commerce sites have unsafe password practices. It references a study that suggests four in five websites do not require the use of a capital letter and a number/symbol, and more than half allow users to have a password less than eight characters in length.

The reality is that consumers will typically favour convenience over security (even when banking online and in the face of publicised attack and breaches) and retailers ideally want to remove barriers from the shopping experience, not put new ones in place. Most consumers don’t think that a password is there to protect them (and they are right they don’t!). Some security professionals will argue that retailers need to enforce stricter password policies, but that is a tough call when you want to make the checkout process as quick and painless as possible.

Think about what happens when you are in a rush and are asked to create a new password? Chances are you will use the same password that you created moments ago for the last site you visited, or choose something really simple such as 123456. During the Black Friday frenzy you are not thinking about security, just securing the discount, placing the order and moving on to the next site.

If a shopper is asked to create a ‘strong’ password and then it is rejected, as it doesn’t contain the prescribed number of characters or cases etc, then there is only so many times they will try before abandoning their cart and going elsewhere. Interestingly, Amazon has recently introduced two-factor authentication to try and sure up security. It means two methods of identification are required to log in to an Amazon account, such as the password and a PIN that the customers receive via their mobile device. On the plus side it is more secure but it still relies on a password. What is more, at this moment it is an option that customers can elect to use, so it will be interesting to learn what the take up rates are.

Some security vendors suggest that consumers need to be online savvy and take more responsibility themselves such as choosing to use Amazon’s 2FA offering when available, or investing in solutions such as password managers. However, the people who are likely to use these are those that are already security minded and are already predisposed to creating what are wrongly perceived as ‘strong’ passwords. What is more these password managers are just a sticking plaster over the much wider problem of passwords as a viable and sustainable method of authentication.

The retail industry as a whole needs to look at new and better ways of implementing security measures that keep them and their customers safe online, and at the same time removing rather than increasing the barriers to a smooth transaction. This means looking past passwords. There are organisations that are stealing the march on the masses but what we need is a widespread consensus, communication and commitment from commerce and consumers for real change to happen.