Two thirds of the UK’s top 100 e-retail brands use password security so rudimentary that consumers are allowed to secure accounts with passwords as weak as ‘123456’ or ‘password’, an analysis has discovered.

Password management outfit Dashlane assessed sites using 11 criteria, including the way accounts are created and changed, which passwords are deemed acceptable, and how quickly incorrect password attempts lock an account.

The results make for depressing reading. Password creation was often laughably weak, with 66 percent accepting any six-character string, something that encourages users to pick weak combinations simply because they are easier to remember.

Brands with this approach included Tesco, H&M, Simply Be, Schuh, and Banana Republic, with ASOS, Cineworld, and Ann Summers also weak. Only 14 percent offered any kind of meter to assess password strength, and some even accepted the current password as a new password.

Two thirds also made no attempt to block password attempts after ten incorrect guesses, with offenders here including Amazon UK, Next, Tesco and New Look. A quarter, including The Body Shop, Superdrug, and Clarks, sent password reminders to users in plain-text emails.
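The checks the study scored sites on can be sketched in a few lines. This is an added example, not code from Dashlane or any retailer named here; the function and class names, the eight-character minimum, the PBKDF2 iteration count and the short blocklist are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample blocklist; a production list would hold many thousands of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "abc123", "letmein"}
MIN_LENGTH = 8      # assumption: the article only says six characters is too permissive
MAX_FAILURES = 10   # the study's threshold: ten incorrect guesses


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash, so the site has no plain text to store or e-mail back."""
    # In practice the salt is random per account, e.g. os.urandom(16).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_new_password(candidate: str, current_hash: bytes, salt: bytes) -> list:
    """Return the reasons a new password is rejected; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if hmac.compare_digest(hash_password(candidate, salt), current_hash):
        problems.append("same as current password")
    return problems


class LoginGuard:
    """Counts consecutive failures for one account and locks it at MAX_FAILURES."""

    def __init__(self, stored_hash: bytes, salt: bytes):
        self.stored_hash, self.salt, self.failures = stored_hash, salt, 0

    def attempt(self, password: str) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"  # refuse before even checking the guess
        if hmac.compare_digest(hash_password(password, self.salt), self.stored_hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_FAILURES else "denied"
```

Once the guard is locked, even the correct password is refused, which is the behaviour the study found missing on two thirds of the sites.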

The worst overall score went to Urban Outfitters, ranking just below the almost as bad Charles Tyrwhitt, Teletext Holidays, Superdrug, and Laura Ashley. Ridiculously, TK Maxx also scored very poorly despite being a name associated in the US with a major data breach in 2009.

“The danger with a weak password policy is that it leaves users’ personal data vulnerable. The weaker the password, the easier it is for hackers to break into an account. Therefore, sites with lenient password policies are leaving their users exposed to greater risk,” said Dashlane.

The risk is twofold. If a firm suffers a data breach, poor passwords make it easier to break into accounts even when a database has been stolen in encrypted form: attackers just guess using lookups of common choices. Hackers then try the same passwords on other popular accounts using the same email address, compounding the damage.

“Overall our study found that the bigger the organisation, the safer the website was in terms of data protection, according to the strong correlation of rank and revenues.”

Interestingly, the top-scoring firm with a perfect 100 was Apple, with Travelodge UK, B&Q, Premier Inn, and Williams Sonoma not far behind. As a firm that suffered a data breach in 2011, Travelodge's good performance is encouraging.

Despite the generally poor standards exposed by Dashlane, UK e-commerce sites scored better than their US or French counterparts.