Password manager Dashlane has published its 2017 Password Power Rankings. The results are likely to come as a surprise to many. This is not just about how bad the password policies are on some sites. It also looks at how site owners are helping users choose better passwords.
Dashlane CEO Emmanuel Schalit said: “We created the Password Power Rankings to make everyone aware that many sites they regularly use do not have policies in place to enforce secure password measures. It’s our job as users to be especially vigilant about our cybersecurity, and that starts with having strong and unique passwords for every account. However, companies are responsible for their users, and should guide them toward better password practices.”
How did Dashlane compare websites?
Dashlane looked at 48 websites, dividing them into consumer and business sites. However, many of the consumer websites are also used by businesses, including Dropbox, LinkedIn, Evernote, GoDaddy, Google, Microsoft, PayPal and Skype among others. This raises the question of whether splitting the sites into consumer and business makes for a valid comparison.
Each site was expected to pass five separate tests. These were:
- 8+ character password required
- Alphanumeric passwords required
- Password strength assessment
- Logins aren’t brute-forceable
- 2-factor authentication available
It is not a long list and each choice makes sense. It is good to see a test for 2-factor authentication, which 13 out of 48 sites failed. That is just over 25%, and given that these are all large websites there is no excuse such as cost or complexity.
Another interesting test looked for a password strength assessment. A strength assessment does not necessarily mean a password is secure. However, it helps the user do a better job and can be used to reject the more easily guessed and obvious passwords such as 11111111, aaaaaaaaa and qwerty123. Only 12 websites provided a strength assessment tool, and it is something that would take very little effort for the others to add.
The two biggest concerns from these tests are password complexity and length. Only 27 (56%) websites required an alphanumeric password, while 23 (48%) were happy with passwords of fewer than 8 characters. Companies in this latter group include Twitter, Walmart, Netflix, Dropbox, Amazon, eBay and LinkedIn. Microsoft has been improving its password strength requirements and maybe that will lead to LinkedIn getting better as well.
Winners and losers
Only three of the websites Dashlane looked at passed all of the tests. These were web hosting vendor GoDaddy, accounting software vendor QuickBooks and online payments provider Stripe. This is a woefully poor number given that the tests were not complicated.
At the other end of the scale, Netflix, Pandora, Spotify and Uber failed every single test. All four of these companies have had data breaches over the last two years. Given the lack of user security this should not come as a great surprise. Customers of all four websites need to do more to protect themselves and not rely on the companies to do it for them.
There are also a lot of websites that managed to pass only one test. These include Dropbox, Evernote, Instagram, Macy’s, Pinterest, SoundCloud, Walmart, Amazon Web Services and Freshbooks. The majority did support 2-factor authentication, although not Macy’s, SoundCloud and Freshbooks.
Password advice has changed
The best advice is to find a service that offers an alternative security mechanism or where multi-factor authentication is available. Bill Burr recently spoke to the Wall Street Journal. Don’t know him? Burr wrote what many took to be the authoritative guide to using passwords back in 2003. It was seen as being so good that it was distributed by the US Government’s National Institute of Standards and Technology (NIST).
Among the things Burr set out was the use of letters, numbers and symbols to create complex passwords. He recommended substituting numbers and symbols for letters to make passwords harder for brute-force cracking systems. Perhaps the biggest impact Burr had was to formalise the regular changing of passwords. His advice of every 90 days soon became a corporate standard of every month.
Burr now says he made a mistake and that users should take more advantage of password managers. He also said that passphrases, not passwords, were far stronger, easier for users to remember and harder to hack.
Dashlane best practice
Dashlane has its own advice, but interestingly some of its suggestions pay more than a passing homage to Burr. It breaks its advice down into recommendations for site owners and for users, saying:
Online Security Best Practices for Consumer/Enterprise Sites Owners and Developers:
- Make 8-character passwords the minimum
- Require alphanumeric & case-sensitive passwords
- Provide a meter or color-coded bar to confirm password length and strength
- Send an email to users when passwords are changed
- Blacklist the most common passwords found on the web
- Consider instituting an account lockout policy to thwart brute-force attacks
- Support 2-Factor Authentication
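The site-owner checklist above (and the Dashlane tests it mirrors: minimum length, alphanumeric requirement, strength meter, blacklist and lockout) can be turned into code. The following Python is an added example written for this article, not Dashlane’s own code or any tested site’s implementation; the blacklist contents, the meter’s scoring thresholds and the lockout limits are constructed assumptions.

```python
import re

# Constructed stand-in for "the most common passwords found on the web": the three
# examples named in the article plus a few neighbours; a real site loads a breach-derived list.
COMMON_PASSWORDS = {"11111111", "aaaaaaaaa", "qwerty123", "password", "12345678"}

def check_password_policy(password):
    # Returns the list of policy failures; an empty list means the password is accepted.
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        failures.append("not alphanumeric (needs letters and digits)")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("no mix of upper- and lower-case letters")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("on the common-password blacklist")
    return failures

def strength_bucket(password):
    # Crude meter behind a colour-coded bar: rewards length and character variety,
    # and always rates blacklisted passwords as weak regardless of length.
    if password.lower() in COMMON_PASSWORDS:
        return "weak"
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    score = len(password) + 3 * classes   # assumed weighting, not a published formula
    return "weak" if score < 16 else "fair" if score < 24 else "strong"

class LoginThrottle:
    # Account lockout: after max_failures consecutive failed logins an account is
    # refused for lockout_seconds. The clock is passed in so behaviour is testable.
    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> time (seconds) the lock expires

    def allowed(self, account, now):
        return now >= self.locked_until.get(account, 0)

    def record(self, account, success, now):
        if success:
            self.failures.pop(account, None)
            return
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
```

A lockout that never expires lets anyone deny service to a legitimate user by entering wrong passwords on purpose, which is why the throttle above uses a timed lockout rather than a permanent one.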
Online Security Best Practices For Web Users:
- Generate passwords that exceed the minimum of 8 characters
- Create passwords with a mix of case-sensitive letters, numbers, and special symbols
- Always use a unique password for each online account
- Avoid using passwords that contain common words, phrases, slang, places, names, etc.
- Use a password manager to help generate, store, and manage your passwords
What does this mean?
Passwords are increasingly the weak point in security. Part of the problem is the way users create passwords and part of it is the number of passwords people have to remember. Add up the number of work, email, social media, banking, shopping, entertainment and other websites you use that require passwords. It can very quickly come to a hundred or even more. That’s a lot of passwords to remember.
Website owners can also do much more. The fact that almost 75% of the sites tested by Dashlane have 2-factor authentication is a big step forward. However, it does not negate the need for other steps to improve password hygiene and quality.