The Bitwarden Blog

Industry Leaders Security Rankings: E-Commerce Edition

authored by:
Bitwarden
posted on:
September 27, 2022

When using e-commerce sites, do you find that you can easily utilize strong and unique passwords?

Following the same end user research-driven approach we leveraged for the Banking Edition and Social Media Edition, we recently explored e-commerce. We narrowed our research list to the top 5 e-commerce sites in the United States ranked by total web traffic, which we identified as Amazon; eBay; Walmart; Craigslist; and Etsy. From there, we determined criteria to evaluate password security friendliness, tested the criteria, and now present the findings with a numerical grading system. 

The pandemic greatly accelerated online shopping. That acceleration, while beneficial to e-commerce corporations, means more risk to consumers as more data is being shared, more usernames and passwords are being created, and subsequently, a larger attack surface for cyber-criminals to target. But, staying secure is entirely possible with the consistent use of strong and unique passwords. 

Do these wildly popular e-commerce sites make that possible? First, an overview of our grading criteria.

Criteria

The criteria used to assess password security are:

Does the e-commerce site allow passwords that are at least 40 characters?

Experts advise passwords be strong and unique, with strength being best determined by long, random passwords. In How secure is my password we note, "Short passwords are far more susceptible to a brute force attack, where a computer or malicious software program goes through every 8-digit combination (or more) of characters until it finds a match."

For the purpose of this exercise, we’re specifically evaluating whether organizations allow users to create passwords that are at least 40 characters - a number we settled on because passphrases, which are increasingly popular, tend to be quite long. Plus, password managers - which help people generate, store, and manage passwords - can generate much longer passwords for enhanced security that may exceed the limit.

Does the e-commerce site allow users to paste and autofill passwords?

This is a good thing. Password pasting enables the use of password managers, and autofill enables fast and easy logins.

Does the e-commerce site offer two-factor authentication (2FA)?

This is a good thing. As we’ve said time and time again, two-factor authentication is more secure than simply using a username and password. 

Does the e-commerce site allow authenticator apps?

Does the e-commerce site allow authenticator hardware?

These are both good. Authenticator apps and hardware add extra levels of strong protection and are more secure than SMS text messages. 

Does the e-commerce site send an email informing the user of a password reset?

Does the e-commerce site require the user to login again using the new password?

These are both practical steps. It’s prudent to alert users to a password change they may not have authorized. Requiring them to login again is a security best practice

Password Security Scoring System

The assessment includes a grade for each company. To determine the grade, we assigned either an ✅ (good) and an ⛔ (not good) to the seven questions articulated above. For example, 7/7 ✅ is a perfect score, or 100%. A 5/7 is 71%, which is defined as ‘fair’.

Below is a simple guide to the grading. Below that, you’ll see the grades for each bank.

Grading Guide

85-100%: Good

71-84%: Fair 

0-70%: Room for Improvement

Amazon

Amazon receives a perfect score because it meets all the criteria that enables use of a strong and unique password. Among other things, it does not limit passwords, allows for pasting (a function friendly to password managers), and allows authenticator solutions. This is an encouraging score for the world’s most popular e-commerce site. 

Password Security: Good

Allows passwords ≥ 40 characters 

✅ Allows users to paste passwords 

✅ Offers two-factor authentication

✅ Allows authenticator apps 

✅ Allows authenticator hardware 

✅ Informs users of password reset 

✅ Requires login using new password

PASSWORD SECURITY SCORE: 100%

eBay

eBay does not allow authenticator apps, although users can leverage authenticator hardware

While it informs users of a password reset, eBay does not require users to login again using the new password.

Password Security: Fair

 Allows passwords ≥ 40 characters 

✅ Allows users to paste passwords 

✅ Offers two-factor authentication

 Does not allow authenticator apps 

✅ Allows authenticator hardware 

✅ Informs users of password reset 

⛔ Does not require login using new password

PASSWORD SECURITY SCORE: 71%

Walmart

Walmart has room for improvement on a number of fronts, but not enabling use of 2FA is an egregious and obvious mistake. While the other criteria - allowing authenticator apps, requiring a fresh login - are important, 2FA improvements will go far in improving user security. 

Password Security: Room for Improvement

 Allows passwords ≥ 40 characters 

✅ Allows users to paste passwords 

⛔ Does not offer two-factor authentication

 Does not allow authenticator apps 

 Does not allow authenticator hardware 

✅ Informs users of password reset 

⛔ Does not require login using new password

PASSWORD SECURITY SCORE: 42%

Craigslist

Similar to Walmart, Craiglist also has considerable room for improvement when it comes to both the fundamentals (allowing users to paste passwords, enabling use of 2FA) and the nice-to-haves (allowing authenticator apps).

Password Security: Room for Improvement

Allows passwords ≥ 40 characters 

⛔ Does not allow users to paste passwords 

⛔ Does not offer two-factor authentication

⛔ Does not allow authenticator apps 

 Does not allow authenticator hardware 

✅ Informs users of password reset 

⛔ Does not require login using new password

PASSWORD SECURITY SCORE: 28%

Etsy

Etsy, like Amazon, is a standout. It meets all of the fundamental criteria for facilitating the use of strong and unique passwords, and most of the ‘nice to have’ criteria. The company’s ‘good’ score is well-deserved.

Password Security: Good

Allows passwords ≥ 40 characters

✅ Allows users to paste passwords 

✅ Offers two-factor authentication

 Allows authenticator apps 

 Does not allow authenticator hardware 

✅ Informs users of password reset 

✅ Requires login using new password

PASSWORD SECURITY SCORE: 85%

Conclusion

We can conclude that Amazon comes out on top, followed by Etsy and eBay, with Walmart and Craigslist finishing last. There are a couple of patterns we’ve observed: 4 out of the 5 companies evaluated here allow users to paste passwords, which is a win for password manager fans out there. And, 3 out of 5 enable the use of 2FA. While that may seem encouraging, in the year 2022 that number should be 100%. 

Understandably, this criteria isn’t exhaustive. But, it should give you a sense of how friendly e-commerce sites are to user security and empower you to make the choices you need to bolster your security on some of the sites that may be lagging. Capitalize on the opportunities you’re provided. If the site you use doesn’t enable use of 2FA but does not limit password length, make sure the password you use is strong and unique. If the site does not offer 2FA but allows users to paste passwords, use a password manager - and integrate it with a 2FA solution!

So, how did your favorite e-commerce site perform? Follow Bitwarden on Twitter and let us know.

Get Started with Bitwarden

Ready to try out password sharing with Bitwarden? Quickly get started with a free Bitwarden account, or start a 7-day free trial of our business plans to keep your team safe online.

Industry Leaders Security Rankings Series

Catch up on the rest of the series to see how the top companies in the following industries fair when it comes to allowing consumers to utilize strong passwords:

On this page

Back to Blog

Get started with Bitwarden today.

Create Your Free Account
Language
© 2022 Bitwarden, Inc.
TermsPrivacySitemap