Password Power Rankings: A look at the practices of 40+ popular websites

Nothing should be more important for these sites and apps than the security of the users who keep them in business. Unfortunately, Dashlane found that that 46% of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements.

Password Power Rankings

The most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane’s tests, eight are entertainment/social media sites, and five are e-commerce.

Most troubling? Researchers created passwords using nothing but the lowercase letter “a” on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others.

GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5.

“We created the Password Power Rankings to make everyone aware that many sites they regularly use do not have policies in place to enforce secure password measures. It’s our job as users to be especially vigilant about our cybersecurity, and that starts with having strong and unique passwords for every account,” said Dashlane CEO Emmanuel Schalit. “However, companies are responsible for their users, and should guide them toward better password practices.”

Methodology

The study was conducted by Dashlane researchers from July 5 – July 14, 2017. The researchers examined (5) password security criteria on 37 popular consumer websites and apps, as well as 11 popular enterprise websites. A site received a point for each criterion they performed positively, for a maximum, and top score, of 5. A score of 3/5 was deemed as passing and meeting the minimum threshold for good password security.

1. 8+ Characters

Tested by creating a new account on each website. Dashlane researchers attempted to create passwords less than 8 characters irrespective of the sites’ stated minimum password requirements.

2. Alphanumeric

Tested by creating a new account on each website. Researchers attempted to create passwords with all letters (“aaaaaa”) or numbers (“111111”).

3. Password strength assessment

Tested by creating a new account on each website. If the site provided any notification, such as a meter or color-coded bar, they were credited as providing an assessment. Sites that only provided confirmed password length or where requirements were met did not receive credit.

4. Brute force attack simulation

esearchers attempted to login using incorrect passwords. If the tester was able to continue entering incorrect credentials after 10 attempts without receiving any security mechanism, such as a CAPTCHA code or the account automatically locking, the site did not receive credit.

5. 2-factor authentication

A site was given credit if they offer any 2-factor or multi-factor authentication.