Security Experts:

Most Web Services Don't Care How Weak Your Password Is

Password Strength Not Enforced by Popular Websites

GoDaddy has the best password policy among consumer websites; Netflix, Pandora, Spotify and Uber have the worst. This is the finding of a new study into the password practices that different companies encourage or force onto their users.

Dashlane, developer of the Dashlane password manager app that can synchronize passwords across all platforms, has published the findings of its 2017 Password Power Rankings study. It used five researchers to examine the password security criteria of 37 popular consumer sites, and 11 popular enterprise sites. Each site was given one point for each of five good practice criteria.

The criteria tested were password length (that is, at least 8 characters); a required mix of alpha and numeric characters; a password strength assessment tool (such as a color-coded or measurement bar); brute-force challenge or account locking (after ten false logins); and an MFA option. Three points out of the maximum five are considerate to be 'adequate' for the minimum threshold for good password security.

Dashlane accepts that password choice is the responsibility of end users, but believes that the service websites also have a responsibility to help the user. "It's our job as users to be especially vigilant about our cybersecurity, and that starts with having strong and unique passwords for every account," said Dashlane CEO Emmanuel Schalit. "However, companies are responsible for their users, and should guide them toward better password practices."

Of the 37 consumer sites examined, only GoDaddy received a 5/5 score. A further 19 sites are deemed adequate, with either 3 or 4 out of 5. At the top end, this includes many of the sites that could be expected to do well: Apple, Microsoft, PayPal and Skype. Only just adequate includes Facebook, Google, Reddit, Slack, Snapchat, WordPress and Yahoo.

More worrying, however, are those that failed. Amazon, eBay, and Twitter were among those scoring just two points. Dropbox, Evernote and Pinterest scored only one point; and of course, Netflix scored zero.

There is a similar divergence of scores among the enterprise websites. Only Stripe and QuickBooks got top marks, with Basecamp and Salesforce gaining a credible four points. GitHub, MailChimp and SendGrid are 'adequate' with three points. DocuSign and MongoDB (mLab) scored a disappointing two points; while, worryingly, Amazon Web Services and Freshbooks scored only one point.

It should be stressed that this survey relates only to the way in which the service provider helps the user in password choice and use -- it says nothing about the overall security posture of the website itself (for example, whether behavioral access controls are implemented internally and operated passively). Nevertheless, user credentials are frequently involved in data breaches, and service providers should do everything possible to strengthen their defense.

Dashlane noted a few very worrying specifics. Its researchers were able to create passwords using nothing but the lower-case letter 'a' on sites that include Amazon, Dropbox, Google, Instagram, LinkedIn, Netflix, Spotify, Uber, and Venmo. Netflix and Spotify actually accepted 'aaaa' passwords. The concern here is that if such simple passwords are acceptable, many users will choose a similarly simple -- and common -- password.

Earlier this year, an analysis of 10 million passwords revealed that the 25 most popular passwords are used to secure over 50% of accounts. Dashlane's recommendation to online service providers in such cases is basically fourfold. Firstly, passwords should have a minimum length of eight characters. Secondly, they should be required to be a case-sensitive mix of upper and lowercase alpha and numeric characters. Thirdly, the service provider should ban the most popular passwords. And finally, in case an attacker is working through a list of common passwords, an automatic account lock should be applied after a pre-defined number of failed accounts.

While such practices from the service providers will help the user, every web user must remember that that it is his or her responsibility to choose a strong and unique password for each different account.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.