Costco

costco.com

Last update: March 2024

 

Grade

45/100

F

 

Grade Breakdown

Username and Password Limitations

Costco users log in with an email address and password. Costco has the following password requirements:

  • Between 8 and 16 characters
  • 1 upper-case letter
  • 1 lower-case letter
  • 1 number
  • 1 special character, excluding "<" ">" ","

Minus 2 points for the 16-character maximum, which is short enough to approach the range that is easy to crack. Minus 0.5 points for specific composition requirements that make generating a password cumbersome.

2.5/5
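
As an added example (not from the original review or from Costco), the Python sketch below checks a candidate password against the requirements listed above and generates a compliant random one, showing that a long passphrase is rejected while a short patterned password passes. It assumes "special character" means ASCII punctuation and that each "1 ..." rule means at least one; `policy_violations` and `generate_password` are hypothetical names.

```python
import secrets
import string

# Policy values taken from the requirements list above.
MIN_LEN, MAX_LEN = 8, 16
EXCLUDED = set('<>,')
# Assumption: "special character" means ASCII punctuation; the page does not define the set.
SPECIALS = ''.join(c for c in string.punctuation if c not in EXCLUDED)
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS)


def policy_violations(password):
    """Return the stated rules that `password` breaks (empty list if it complies)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    if EXCLUDED & set(password):
        problems.append("excluded character")
    for name, chars in zip(("upper", "lower", "digit", "special"), CLASSES):
        if not any(c in chars for c in password):
            problems.append("missing " + name)
    return problems


def generate_password(length=MAX_LEN):
    """Generate a random password that satisfies the policy at the given length."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length outside the 8-16 range the site accepts")
    alphabet = ''.join(CLASSES)
    # Rejection sampling keeps the result uniform over all compliant strings,
    # rather than forcing one character of each class into fixed positions.
    while True:
        candidate = ''.join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ("Passw0rd!", "correct horse battery staple", "Abcdef1<"):
        print(repr(sample), policy_violations(sample) or "accepted")
    print(generate_password())
```
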

 

Multi-factor Authentication

Costco has no way to configure login MFA.

0/5

 

"Forgot Login" Flows

Costco has one flow for a forgotten password. It asks for an email address to send a reset link to. The messaging is the same whether or not the email address entered is associated with an account.

In summary: a user's email would have to be compromised in order to break into their account with this flow, and this flow cannot be used to check whether a given email address is in use by an account.

5/5

 

Account Change Notification

Costco sends an email notification if the password is changed. In order to change the email address used for login, the user has to verify using their old email first.

5/5

 

View Login History and Remote Logout

Costco does not have a login history or remote logout feature.

0/5