Dashlane, a password management company, has just published a study finding that 46% of consumer websites fail basic password security requirements. In its 2017 Password Power Rankings, the company examined the password practices of 48 popular consumer and enterprise websites (37 consumer, 11 enterprise). Dashlane found that consumer sites such as Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, fail to implement the most basic password security requirements.
The company says the most popular websites were also the least likely to provide guidance on secure password policies. Of the 17 consumer sites that failed Dashlane’s tests, eight are entertainment or social media sites and five are e-commerce sites. Researchers were even able to create passwords consisting only of the lowercase letter “a” on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy was the only consumer website with a perfect 5/5 score; on the enterprise side, Stripe and QuickBooks also scored 5/5.
“We created the Password Power Rankings to make everyone aware that many sites they regularly use do not have policies in place to enforce secure password measures. It’s our job as users to be especially vigilant about our cybersecurity, and that starts with having strong and unique passwords for every account,” said Dashlane CEO Emmanuel Schalit. “However, companies are responsible for their users, and should guide them toward better password practices.”
To determine the ranking, Dashlane researchers tested each site against five password security criteria: requiring passwords of eight or more characters, requiring a mix of letters and numbers, giving the user a password strength assessment, throttling or locking the account after repeated failed logins, and offering two-factor authentication. A site received one point for each criterion it met, for a maximum score of five. A score of 3/5 was deemed passing, the minimum threshold for good password security (complete methodology below).
Consumer Rankings:
- 5/5 Score (Best)
  - GoDaddy
- 4/5 Score
  - Apple
  - Best Buy
  - The Home Depot
  - Microsoft/Live/Outlook
  - PayPal
  - Skype
  - Toys “R” Us
  - Tumblr
- 3/5 Score
  - Airbnb
  - Slack
  - Snapchat
  - Staples
  - Target
  - Twitch
  - WordPress
  - Yahoo
- 2/5 Score
  - Amazon
  - eBay
  - Starbucks
  - Venmo
- 1/5 Score
  - Dropbox
  - Evernote
  - Macy’s
  - SoundCloud
  - Walmart
- 0/5 Score (Worst)
  - Netflix
  - Pandora
  - Spotify
  - Uber
Enterprise Rankings:
- 5/5 Score
  - Stripe
  - QuickBooks
- 4/5 Score
  - Basecamp
  - Salesforce
- 3/5 Score
  - GitHub
  - MailChimp
  - SendGrid
- 2/5 Score
  - DocuSign
  - MongoDB (mLab)
- 1/5 Score
  - Amazon Web Services
  - Freshbooks
Methodology
The study was conducted by Dashlane researchers from July 5 to July 14, 2017. The researchers examined five password security criteria on 37 popular consumer websites and apps and 11 popular enterprise websites. A site received one point for each criterion it met, for a maximum score of 5. A score of 3/5 was deemed passing, the minimum threshold for good password security.
- 8+ Characters
  Tested by creating a new account on each website. Dashlane researchers attempted to create passwords shorter than 8 characters, irrespective of the site’s stated minimum password requirements.
- Alphanumeric
  Tested by creating a new account on each website. Researchers attempted to create passwords consisting of all letters (“aaaaaa”) or all numbers (“111111”).
- Password Strength Assessment
  Tested by creating a new account on each website. If the site provided any feedback on password strength, such as a meter or color-coded bar, it was credited with providing an assessment. Sites that only confirmed the password’s length or that the stated requirements were met did not receive credit.
- Brute Force Attack Simulation
  Researchers attempted to log in using incorrect passwords. If the tester could still enter incorrect credentials after 10 attempts without triggering any security mechanism, such as a CAPTCHA or an automatic account lock, the site did not receive credit.
- 2-Factor Authentication
  A site was given credit if it offers any form of two-factor or multi-factor authentication.
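As an added example (not Dashlane’s test harness or any ranked site’s code), the block below shows what server-side enforcement of the first four criteria looks like: a policy check that rejects the study’s “aaaaaa” and “111111” probes and anything under 8 characters, a coarse strength meter a sign-up form could surface, and a per-account counter that locks after the tenth consecutive failed login. The thresholds (8 characters, letters plus digits, 10 attempts) come from the methodology above; the 15-minute lockout window, the function and class names, and the sample login sequence are assumptions.

```python
from __future__ import annotations

import string

MIN_LENGTH = 8             # criterion 1: 8+ characters
MAX_FAILURES = 10          # criterion 4: the study probed with 10 wrong passwords
LOCKOUT_SECONDS = 15 * 60  # assumed window; the study only checks that some mechanism fires


def password_violations(password: str) -> list[str]:
    """Return the policy checks a candidate password fails (empty list = accepted).

    Covers criteria 1 and 2: the study submitted passwords shorter than 8 characters
    and all-letter ("aaaaaa") or all-digit ("111111") passwords; a site that accepted
    any of them lost the corresponding point.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("must contain both letters and digits")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    return problems


def strength_score(password: str) -> int:
    """Coarse 0-4 strength meter (criterion 3: feedback beyond echoing the length).

    Scores length bands and the number of character classes. It is a heuristic for a
    UI meter, not an entropy estimate; production code should add dictionary checks
    (zxcvbn-style) and a breached-password lookup.
    """
    if len(set(password)) <= 1:  # "aaaaaaaaaaaa" never scores above 0
        return 0
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    score = 0
    if len(password) >= MIN_LENGTH:
        score += 1
    if len(password) >= 12:
        score += 1
    if classes >= 2:
        score += 1
    if classes >= 3:
        score += 1
    return score


class LoginThrottle:
    """Per-account consecutive-failure counter (criterion 4: brute-force simulation).

    The tester kept submitting wrong passwords; if the tenth attempt was processed
    with no CAPTCHA or lock, the site failed. Here the tenth consecutive failure locks
    the account for `lockout_seconds`; while locked even the correct password is
    refused, and a successful login resets the counter. Time is passed in explicitly
    so the behaviour is deterministic and testable.
    """

    def __init__(self, max_failures: int = MAX_FAILURES, lockout_seconds: int = LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures: dict[str, int] = {}        # account -> consecutive failures
        self._locked_until: dict[str, float] = {}  # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return 'ok', 'rejected' or 'locked'."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop(account, None)
            return "locked"
        self._failures[account] = count
        return "rejected"


def simulate_brute_force(throttle: LoginThrottle, account: str, guesses: list[str],
                         real_password: str, start: float = 0.0) -> list[str]:
    """Replay a guess list one second apart and return the outcome of each attempt."""
    return [throttle.attempt(account, guess == real_password, start + i)
            for i, guess in enumerate(guesses)]


if __name__ == "__main__":
    # Constructed sample input: the study's two probe passwords plus a compliant one.
    for candidate in ("aaaaaa", "111111", "Tr0ub4dor&3"):
        print(f"{candidate!r:15} violations={password_violations(candidate)} "
              f"strength={strength_score(candidate)}")
    # Constructed attack: twelve wrong guesses, then the real password on the 13th try.
    throttle = LoginThrottle()
    print(simulate_brute_force(throttle, "alice", ["wrong"] * 12 + ["S3cret-pw"], "S3cret-pw"))
```

Two design points worth noting. The throttle keys on the account, not the client IP, because a distributed password-spraying attack rotates addresses; a real deployment would count both and add a CAPTCHA step before the hard lock, since an unconditional lock lets an attacker deny service to any user whose name they know. And the strength meter is deliberately separate from the hard policy: the study credits a site for showing feedback, but the accept/reject decision should rest on explicit rules like `password_violations`, not on a heuristic score.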
You can also check out Dashlane’s infographic below for more information.
What do you think of Dashlane’s findings? Let us know in the comment section below, or on Google+, Twitter, or Facebook.