Almost half of popular consumer websites have poor password requirements
Although other forms of authentication are gaining traction, the password is still the most common method of identifying yourself to websites. Levels of password security should therefore be an important consideration for online businesses, especially in eCommerce.
But a Password Power Rankings survey out today from password manager Dashlane shows that 46 percent of consumer sites, including Dropbox, Netflix, and Pandora, and 36 percent of enterprise sites, including DocuSign and Amazon Web Services, are failing to implement the most basic password security requirements.
Some of the most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane's tests, eight are entertainment/social media sites, and five are eCommerce. Most worrying is that researchers were able to create passwords using nothing but the lowercase letter ‘a’ on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others.
To compare sites, Dashlane researchers tested each one against password security criteria, such as requiring passwords of eight or more characters with a combination of letters, numbers, and symbols, and offering two-factor authentication. A site received a point for each test it passed, with a maximum score of five. A score of three was deemed passing, meeting the minimum threshold for good password security.
Hosting service GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect 5/5. Those failing include Amazon, eBay, LinkedIn and Twitter with scores of 2/5, Dropbox and Pinterest with 1/5, and Netflix, Pandora, Spotify and Uber, which scored zero. Looking at enterprise sites, Amazon Web Services and Freshbooks both scored zero.
"We created the Password Power Rankings to make everyone aware that many sites they regularly use do not have policies in place to enforce secure password measures. It's our job as users to be especially vigilant about our cybersecurity, and that starts with having strong and unique passwords for every account," says Dashlane CEO Emmanuel Schalit. "However, companies are responsible for their users, and should guide them toward better password practices."
You can see a summary of the findings in the infographic below.