Dashlane study says 46% of consumer sites fail basic password security requirements


Dashlane, a password management company, has just published a study finding that 46% of consumer websites fail basic password security requirements. In the Dashlane 2017 Password Power Rankings study the company looks at the password practices of 40 popular consumer and enterprise websites. Dashlane discovered that websites such as Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements.

The company says the most popular websites were also the least likely to provide guidance on secure password policies. Of the 17 consumer sites that failed Dashlane’s tests, eight are entertainment/social media sites, and five are e-commerce. Researchers were even able to create passwords using only the lowercase letter “a” on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy emerged as the only consumer website with a perfect score, while the enterprise sites Stripe and QuickBooks also earned a perfect score of 5/5.

“We created the Password Power Rankings to make everyone aware that many sites they regularly use do not have policies in place to enforce secure password measures. It’s our job as users to be especially vigilant about our cybersecurity, and that starts with having strong and unique passwords for every account,” said Dashlane CEO Emmanuel Schalit. “However, companies are responsible for their users, and should guide them toward better password practices.”

To determine the ranking, Dashlane researchers examined sites against password security criteria, such as requiring passwords of eight or more characters with a combination of letters, numbers, and symbols, and offering two-factor authentication. A site received a point for each test it passed, for a maximum, and top score, of five. A score of 3/5 was deemed as passing and meeting the minimum threshold for good password security (complete methodology below).

Consumer Rankings:

  • 5/5 Score (Best)
    • GoDaddy
  • 4/5 Score
    • Apple
    • Best Buy
    • The Home Depot
    • Microsoft/Live/Outlook
    • PayPal
    • Skype
    • Toys “R” Us
    • Tumblr
  • 3/5 Score
    • Airbnb
    • Facebook
    • Google
    • Reddit
    • Slack
    • Snapchat
    • Staples
    • Target
    • Twitch
    • WordPress
    • Yahoo
  • 2/5 Score
    • Amazon
    • eBay
    • LinkedIn
    • Starbucks
    • Twitter
    • Venmo
  • 1/5 Score
    • Dropbox
    • Evernote
    • Instagram
    • Macy’s
    • Pinterest
    • SoundCloud
    • Walmart
  • 0/5 Score (Worst)
    • Netflix
    • Pandora
    • Spotify
    • Uber

Enterprise Rankings:

  • 5/5 Score
    • Stripe
    • QuickBooks
  • 4/5 Score
    • Basecamp
    • Salesforce
  • 3/5 Score
    • GitHub
    • MailChimp
    • SendGrid
  • 2/5 Score
    • DocuSign
    • MongoDB (mLab)
  • 1/5 Score
    • Amazon Web Services
    • Freshbooks

Methodology

The study was conducted by Dashlane researchers from July 5 – July 14, 2017. The researchers examined five password security criteria on 37 popular consumer websites and apps, as well as 11 popular enterprise websites. A site received a point for each criterion it met, for a maximum, and top score, of 5. A score of 3/5 was deemed as passing and meeting the minimum threshold for good password security.

  1. 8+ Characters
    Tested by creating a new account on each website. Dashlane researchers attempted to create passwords of fewer than 8 characters, irrespective of the site’s stated minimum password requirements.
  2. Alphanumeric
    Tested by creating a new account on each website. Researchers attempted to create passwords consisting of only letters (“aaaaaa”) or only numbers (“111111”).
  3. Password Strength Assessment
    Tested by creating a new account on each website. If the site provided any feedback on password strength, such as a meter or color-coded bar, it was credited as providing an assessment. Sites that only confirmed the password length, or only confirmed that the stated requirements were met, did not receive credit.
  4. Brute Force Attack Simulation
    Researchers attempted to log in using incorrect passwords. If the tester was able to keep entering incorrect credentials after 10 attempts without triggering any security mechanism, such as a CAPTCHA or an automatic account lock, the site did not receive credit.
  5. 2-Factor Authentication
    A site was given credit if it offered any two-factor or multi-factor authentication.
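To make the criteria concrete from the defender’s side, here is an added example (written for this article, not code from Dashlane or the study) that implements the three server-side checks a site needs in order to pass tests 1, 2 and 4: an 8-character minimum, a letters-plus-digits requirement that rejects “aaaaaa”-style passwords, and a per-account failed-login counter that engages a lock before an 11th wrong guess is accepted. The function and class names, and the choice of a hard lock rather than a CAPTCHA, are assumptions; the strength meter (test 3) and 2FA (test 5) are out of scope.

```python
from __future__ import annotations
from dataclasses import dataclass, field

MIN_LENGTH = 8            # criterion 1: passwords must be 8+ characters
MAX_FAILED_ATTEMPTS = 10  # criterion 4: a defence must engage by the 10th failure


def password_policy_errors(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    Rejects exactly what the researchers tried: passwords shorter than 8
    characters and single-class passwords such as "aaaaaa" or "111111".
    """
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"must be at least {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        errors.append("must contain both letters and digits")
    return errors


@dataclass
class LoginThrottle:
    """Per-account failed-attempt counter (hypothetical; stands in for a CAPTCHA or account lock)."""
    failures: dict[str, int] = field(default_factory=dict)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= MAX_FAILED_ATTEMPTS

    def record_failure(self, account: str) -> bool:
        """Count one wrong password; return True once the account is locked."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.is_locked(account)

    def record_success(self, account: str) -> bool:
        """Reset the counter on a correct password, but never unlock a locked account."""
        if self.is_locked(account):
            return False
        self.failures.pop(account, None)
        return True


def survives_brute_force_test(throttle: LoginThrottle, account: str, attempts: int = 10) -> bool:
    """Mirror the study's test 4: submit `attempts` wrong passwords and report
    whether a security mechanism engaged before the tester could continue past them."""
    for _ in range(attempts):
        if throttle.record_failure(account):
            return True
    return throttle.is_locked(account)
```

A real deployment would key the counter on account and source address, persist it outside a single process, and expire it after a cooldown; the example keeps it in memory to show the threshold logic alone.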

You can also check out Dashlane’s infographic below for more information.


Infographic provided by Dashlane.


About Dashlane
Dashlane makes identity and checkouts simple with its password manager and secure digital wallet app. Dashlane allows its users to securely manage passwords, credit cards, IDs, and other important information via advanced encryption and local storage.
Dashlane has helped over 7.5 million consumers in 150 countries manage and secure their digital identity. Dashlane Business, a product designed to protect company passwords, is trusted by 6,000+ companies to create, enforce, and track effective access management. Dashlane features the only patented security architecture in the industry.
The app is available on PC, Mac, Android, and iOS, and has won critical acclaim from top publications, including: The New York Times, The Wall Street Journal, and USA Today.