Why many websites don’t have security as a priority

As part of my new job, online security is paramount. To this end, for a number of months I’ve been ploughing through my online accounts and updating passwords to be unique and strong. A password manager is essential to this – I use LastPass, but 1Password is also recommended. I also changed my email address recently, so I’ve been taking the opportunity to update that as well.

Unfortunately, some websites, and retailers in particular, don’t seem to want to help out, making it difficult, one way or another, to be as secure online as you’d like.

Here are my particular favourites and, in all cases, I’ve contacted the retailers concerned. None replied except Wordery who said they were “always making improvements”.

Personally, I don’t think this is good enough – security should be a priority for any site, particularly retailers. Long, complex passwords should be the norm, as should 2FA options (which, sadly, is still a rarity).

Unable to paste into password fields

Yep, the web site doesn’t allow you to use the paste feature, which means using a long, complex password generated by a password manager is out of the question. Argos is an example.

Unable to change your email address

As mad as this seems, yes, some web sites don’t have the option to change your account email address. Wordery is one such retailer, and I had to privately message them on Twitter to get them to close my old account so I could set up a new one using my new email address.

Only Insecure Passwords Accepted

Some web sites have restrictions on new passwords which mean they’re not particularly secure. I use at least 24 characters and use mixed case, numbers and symbols. Some sites will only allow much shorter passwords and, often, don’t allow symbols.

My favourite here is LG. Rather than explain, I will simply quote their own password rule from their website…

Your password needs to be more than 8 digits using a mix of English letters/characters, numbers and special symbols, OR more than 10 digits using a mix of English letters/characters and numbers only.

Not at all confusing. So, basically, you can use symbols unless your password is more than 10 characters, in which case you can’t. Because, after all, they can’t have us being too secure, can they?

However, it gets better because, after generating a randomised 24-character password of letters and numbers, the site rejected it, telling me I couldn’t use serial numbers. This appeared to be the site’s default response to anything that looked anything like a plain English word – you know, the kind of thing that’s less secure.

Breaking Access

What I mean by this is changing to a secure password and then finding that you can no longer access your account. The best example I’ve had of this was the password for my TP-Link router. I changed it to a secure password, which forced it to log me off. I then went to log in and it wouldn’t accept my new password. Or my previous one. In the end I had to factory reset my router.

It turns out that the router doesn’t allow passwords with symbols or longer than 15 characters. But it didn’t check – it accepted my password but then didn’t let me back in (I don’t know if trying the first 15 characters of my password would have worked).

John Lewis too does much the same thing – try and change your password on their site and they will allow you long passwords, but when it comes to logging in, they’re limited to 20 characters (the solution here is to just type the first 20 characters of your password in).
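To make the failure mode in the last two sections concrete, here is a small Python model added to this post; it is not code from the post, the retailers or the router maker mentioned, and the class names, limits and sample passwords are constructed for illustration. It contrasts a service that applies one `Policy` on both the change-password and login paths (rejecting an over-length or symbol-bearing password up front, as a restrictive site should at least do honestly) with a service that silently clips the stored credential at change time while login compares the full string as typed, which is exactly the lockout described above.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Password rules applied identically wherever a password is accepted."""
    min_length: int = 12
    max_length: int = 128          # a generous cap; long passphrases should be allowed
    allow_symbols: bool = True

    def check(self, password: str) -> list[str]:
        """Return the list of violations; an empty list means the password is acceptable."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if len(password) > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        if not self.allow_symbols and re.search(r"[^A-Za-z0-9]", password):
            problems.append("contains a symbol")
        return problems


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a memory-hard hash (argon2/bcrypt) so the example runs offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    digest: bytes = b""


class ConsistentService:
    """Change-password and login share one Policy and hash the full string both times."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.accounts: dict[str, Account] = {}

    def set_password(self, user: str, password: str) -> list[str]:
        problems = self.policy.check(password)
        if problems:
            return problems            # reject outright; never silently alter the input
        acct = self.accounts.setdefault(user, Account())
        acct.digest = _hash(password, acct.salt)
        return []

    def login(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.digest, _hash(password, acct.salt))


class TruncatingService(ConsistentService):
    """Models the lockout in the post: the change form accepts any length but only the
    first `store_limit` characters are stored, while login compares the full string typed."""

    def __init__(self, store_limit: int):
        super().__init__(Policy(min_length=1, max_length=10_000))
        self.store_limit = store_limit

    def set_password(self, user: str, password: str) -> list[str]:
        return super().set_password(user, password[: self.store_limit])


if __name__ == "__main__":
    clipped = TruncatingService(store_limit=20)
    pw = "Correct-Horse-Battery-Staple-42!"      # constructed 32-character password
    clipped.set_password("bob", pw)
    print("full password accepted at login:", clipped.login("bob", pw))        # False
    print("first 20 characters accepted:", clipped.login("bob", pw[:20]))      # True
```

The defensive point is that the same `Policy` object (and the same hashing of the whole string) is used on every path that touches a password; a limit that exists only in one form, or only in a database column width, turns into a lockout rather than an error message.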
