Passwords are fundamental to security. But at the same time, they can also be an infosec Achilles heel, particularly if a user is careless with their credentials, or if a site improperly manages or stores them.
Dashlane, which produces the password manager of the same name, today published its Password Power Rankings survey. This examines the password security practices of major consumer and corporate SaaS and media services, and the results are pretty shocking.
Almost half (46-percent, to be precise) of consumer sites have failed to implement the most rudimentary password security policies. That’s also true of 36-percent of enterprise sites, including (astonishingly) Amazon Web Services.
Sites were ranked from zero to five, with zero being the worst possible score, five being the best, and three being a passing grade. In ranking sites, DashLane looked at five different things:
- Password length: Does the site mandate that all passwords are over eight characters?
- Password complexity: Does the site prevent users from creating passwords like ‘aaaaaa’ or ‘111111’? Shockingly, the researchers were able to create passwords with nothing but the lowercase letter ‘a’ on Amazon, Google, Instagram, and Venmo.
- Password Strength Assessment: Does the site tell the user how strong (or otherwise) their password is, either through a meter or a color-coded bar?
- Brute Force: After ten failed attempts, does the site take action to stop a brute force attack, either by locking the account or presenting a CAPTCHA?
- 2-Factor Authentication: Does the site require the user confirm their identity, either through a token sent via SMS, or using an authenticator app?
On the consumer side, only one site got a perfect score, and that’s GoDaddy – a popular web hosting platform. Other sites that got a passing grade include (but aren’t limited to) Apple, Microsoft, Tumblr, PayPal, Reddit, and Slack.
Unfortunately, Netflix, Pandora, Spotify and Uber all scored a zero. That means, at the time of the survey, they hadn’t implemented any of the basic password security features above.
On the enterprise side, things are a little better, with both Stripe and QuickBooks getting perfect stores. No company got a zero, although the lowest-ranked services, namely Amazon Web Services and Freshbooks, both scored one out of five.
Unfortunately, surveys like this will never be able to tell you the full story of how sites are securing passwords. No amount of two-factor authentication can stop a hacker from splashing your credentials onto PasteBin, if passwords are stored in plaintext, and there’s an unpatched SQLi knocking about somewhere. That said, it seems unlikely companies will be chomping at the bit to tell you how their web applications work.