Popular business web apps fail to implement critical password requirements
Specops Software released new research finding cybersecurity weaknesses in business web apps including Shopify, Zendesk, Trello, and Stack Overflow.
Amid a wave of cybersecurity incidents related to the COVID-19 pandemic, remote work, and nation-state activity, password security is more important than ever. However, this new research reveals that several popular business web applications have failed to implement critical password and authentication requirements to protect customers.
Specops’ analysis found inadequate password and authentication requirements that could leave customers vulnerable, including allowing users to set weak and breached passwords, often with little or no strong authentication in place. On the other hand, email marketing service Mailchimp proved to be the most secure service analyzed, blocking 98% of known breached passwords.
Detailed findings about each service’s password requirements include:
- Shopify fails to prevent any compromised passwords, with its only requirement that passwords be at least 5 characters. When checking the list of 1 billion known breached passwords, the Specops researchers found that 99.7% of the passwords meet Shopify’s requirements.
- Zendesk prevents less than 2% of compromised passwords, with password requirements including that passwords be a minimum of 5 characters, fewer than 128 characters, and different from a user’s email address.
- Trello blocks less than 13% of compromised passwords, requiring only that passwords be at least 8 characters in length.
- Stack Overflow prevents 46% of compromised passwords, with requirements that passwords be a minimum of 8 characters and include a number and special character.
- Mailchimp blocks 98% of known compromised passwords, with requirements including an 8-character minimum and a mix of upper- and lower-case letters, numbers, and special characters.
“While people are taught to secure their computer with antispyware, antivirus, and antimalware software due to hackers, they aren’t taught how relentless hackers are with passwords. A breached password can cause a lot of financial and personal damage. What’s most shocking about these findings is that despite web services’ popularity, these web applications have not taken the necessary steps to reduce the risk of their customers becoming victims of cybercrimes. In fact, they’ve actually increased the chances of this occurring by not implementing critical password and authentication requirements,” Darren James, Head of Internal IT at Specops Software, told Help Net Security.
“Take Shopify, for example, one of the world’s most popular eCommerce platforms. Our findings showed that Shopify fails to prevent any compromised passwords. With only one password requirement, being at least 5 characters, 99.7% of the 1 billion known breached passwords met Shopify’s password requirement,” James concluded.
Shopify, Zendesk, Trello, and Mailchimp offer multi-factor authentication as an option when creating an account, but it is not a requirement. While Mailchimp and Stack Overflow have the most stringent password requirements of the services analyzed, neither requires multi-factor authentication or checks user passwords against compromised passwords.
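The following is an added example, not code from Specops or any of the services named above: it encodes each service's composition rules as described in the article, runs them over a small constructed sample of "breached" passwords, and shows how a breached-password check (which the article notes Mailchimp and Stack Overflow lack) changes the result. The sample list, the hypothetical email address, and the in-memory breached set are assumptions for illustration.

```python
"""Added example: composition rules versus a breached-password check."""
import re
from typing import Callable, Dict, List

Rule = Callable[[str, str], bool]  # (password, account_email) -> passes?

# Constructed sample standing in for a breached-password list (not real data).
BREACHED: List[str] = ["password", "123456", "qwerty", "letmein", "Passw0rd!",
                       "Summer2020!", "iloveyou", "abc123", "P@ssword1",
                       "monkey", "Welcome1!", "dragon"]
BREACHED_SET = set(BREACHED)


def min_len(n: int) -> Rule:
    return lambda pw, email: len(pw) >= n


def max_len_exclusive(n: int) -> Rule:  # Zendesk: fewer than n characters
    return lambda pw, email: len(pw) < n


def has(pattern: str) -> Rule:  # at least one character matching pattern
    return lambda pw, email: re.search(pattern, pw) is not None


def not_email(pw: str, email: str) -> bool:
    return pw.lower() != email.lower()


def not_breached(pw: str, email: str) -> bool:
    # Real deployments check a large breached corpus; this set is a stand-in.
    return pw not in BREACHED_SET


MAILCHIMP = [min_len(8), has(r"[a-z]"), has(r"[A-Z]"), has(r"\d"), has(r"[^A-Za-z0-9]")]
POLICIES: Dict[str, List[Rule]] = {
    "Shopify": [min_len(5)],
    "Zendesk": [min_len(5), max_len_exclusive(128), not_email],
    "Trello": [min_len(8)],
    "Stack Overflow": [min_len(8), has(r"\d"), has(r"[^A-Za-z0-9]")],
    "Mailchimp": MAILCHIMP,
    "Mailchimp + breached check": MAILCHIMP + [not_breached],  # the missing step
}


def accepts(policy: List[Rule], pw: str, email: str = "user@example.com") -> bool:
    return all(rule(pw, email) for rule in policy)


def acceptance_rate(name: str, candidates: List[str] = BREACHED) -> float:
    """Share of the breached sample that the named policy would let through."""
    return sum(accepts(POLICIES[name], pw) for pw in candidates) / len(candidates)


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:28s} accepts {acceptance_rate(name):.0%} of sample breached passwords")
```

Composition rules only thin the sample out; every password in it is, by construction, already known to attackers, and only the breached-list rule rejects all of them.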