METHODOLOGY
The study was conducted by Dashlane from January 17-22. The Top 100 e-commerce websites were chosen per Internet RetailerŐs 2013 Top 500 eGuide. Dashlane excluded sites that required a paid subscription to create a new account and conglomerates that owned multiple e-commerce sites. Each site was analyzed based upon a set of a total of 24 criteria. A criterion was noted as positive when it added security, and negative when it added risk. Each criterion was then given a +/- point value enabling each website to have total score between 100 and -100. 
Account creation process: If then If then If then
What is the minimum password length? <=5 -10 >=8 5 6 or 7 0
Is the password visible during entry? Yes -5 No 0
Does the website provide advice on how to create a stronger password during account creation? Yes 25 No 0
Are alpha-numeric passwords mandatory? Yes 20 No 0
Does the site require at least one upper and one lower case letter in the password? Yes 20 No 0
Does the site provide an on-screen password strength assessment during account creation? Yes 30 No 0
Does the account creation confirmation email display the permanent  password? Yes -25 No 0 No email* -5
Does the account creation confirmation email display your permanent password and User ID? Yes -5 No 0 No email* 0
Are these (common & too simple) passwords accepted?
password Yes -1 No 0
123456 Yes -1 No 0
12345678 Yes -1 No 0
abc123 Yes -1 No 0
qwerty Yes -1 No 0
monkey Yes -1 No 0
letmein Yes -1 No 0
dragon Yes -1 No 0
111111 Yes -1 No 0
baseball Yes -1 No 0
Change password process:
After changing your password, does the website send an email confirming changes to your account*? Yes 0 No -10
When you change your password, is your current password accepted as the new password without any warning? Yes -5 No 0
Change or reset password process:
Is the new permanent password visible in the confirmation email? Yes -25 No 0 No email* 0
Is the permanent password and User ID visible in the confirmation email? Yes -5 No 0 No email* 0
Incorrect password process:
Does the website allow you to continue to attempt a login after 4 incorrect password tries? Yes -5 No 0
Does the website allow you to continue to attempt a login after 10 incorrect password tries? Yes -5 No 0
*within 3 hours of action