A new report from password management firm Dashline, Inc. has found that a majority of America’s most popular e-commerce sites these holidays fail a basic password security test.

The report named the Ecommerce Security Roundup, examined the password security policies of 25 of the most popular online retailers in the United States on 22 criteria with each criterion being given a +/- point value that enabled a website to receive a score between -100 and +100.

A score of +50 is Dashlane’s minimum requirement for good password practices.

Based on the criterion the report found that a remarkable 80 percent of the sites tested do not meet the minimum secure password threshold.

72 percent of test sites were found to not require a password with a capital letter and a number or symbol (a de facto password security basic in 2015) with 56 percent of sites allowing users to have a password less than eight characters long, including IKEA, Macy’s, and eBay.

It that’s not bad enough 32 percent of sites tested had such pathetic password security that they accepted the ten most common passwords, including:

• password
• 123456
• 12345678
• abc123
• qwerty
• monkey
• letmein
• dragon
• 111111
• baseball

E-commerce sites guilty on this front included REI, Wayfair, Walmart, and Amazon.

The good

Not all sites tested were bad with Apple receiving a perfect score, making it the highest ranked site in the study.

To obtain this score and likewise provide improved security for its customers, Apple requires long, complex alphanumeric passwords, and does not accept easily hackable passwords.

“Apple’s password security policies should serve as the gold standard for online retailers,” Dashlane Chief Executive Officer Emmanuel Schalit said in a statement.

“By requiring their customers to create strong passwords they are ensuring they have a strong first line of defense. We applaud other retailers, such as Best Buy and Target, who have also made great strides towards in making password security a priority.”

Other sites that had strong password requirements included Target, ToysRUs, Best Buy, and Bed Bath and Beyond.

The report, which the company releases every quarter, did have some other positive news with the scores improving slightly from previous surveys, although it would appear to be not nearly quickly enough.

“It is encouraging to see positive password security trends in the world of e-commerce,” says Schalit. “Yet, while the numbers indicate retailers are moving in the right direction, much work remains. It’s 2015, so no website has an excuse for not implementing security policies that will better secure their users.”

A full copy of the report can be downloaded here.

Image credit: 49889874@N05/Flickr/CC by 2.0