Password Study: Most Sites Inadequate On Security

By John Lister

A new study reviewed security among leading online companies following the Heartbleed bug scare, in which a commonly used encryption technique for secure websites had the capability to expose highly confidential data.

The study comes from Dashlane, a password management firm. It evaluated 80 websites on six factors covering how passwords and login processes are handled, and used those factors to rank each site on a scale from +100 to -100.

Based on those factors, the study suggests Apple and Microsoft have the most secure password policies, while dating site Match.com earned the lowest ranking, with Amazon not far behind.

Most Sites Inadequate On Security, Study Suggests

According to Dashlane, a site that scored +50 or more could be considered as adequately secure. However, 80 percent of sites in the study failed to meet this threshold. (Source: nbcnews.com)

The only perfect ranking of +100 went to Apple. It was followed by Windows Live / Hotmail with +85, and Microsoft Store and UPS with +75. Ironically, the two sites with +70 were security software giant Kaspersky and Target; the latter was the victim of a spectacular credit card data heist last year. (Source: dashlane.com)

Match.com's ranking of -70 was followed by Hulu and Overstock with -55, and furniture designer Fab, also with -55. Several firms, including the world's largest online retailer, Amazon.com, had a ranking of -45.

Dashlane Study Scrutinizes Six Security Factors

The first factor the study looked at was the minimum password length the site required. This matters because every added character multiplies the number of possible passwords by at least 36 (based on 26 letters and 10 digits), or by more if symbols are allowed. The second factor was whether the site required alphanumeric passwords, meaning users had to include at least one letter and one number.

The third factor was whether the site displays a "strength meter" while customers are creating a password, which can encourage users to choose a more complex, and thus more secure, option. The fourth factor was whether the site required users to confirm a password change by responding to an email.

The fifth factor was whether an account was automatically locked out if a user made 10 consecutive incorrect attempts at typing a password. The sixth factor was the simple issue of whether a site allowed users to choose "password" as their password.

Aside from using the email verification for changed passwords, Match.com failed on every measure in the study. It even allowed a single character password such as "a".
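The six criteria above amount to a small password policy: a length floor, an alphanumeric requirement, a strength estimate, a blocklist, and a lockout counter. The following is an added example (not Dashlane's scoring code, and not any site's implementation) that checks a candidate password against those rules and tracks consecutive failed logins; the minimum length of 8 is an assumed value, since the article does not state what each site enforced.

```python
import math
import string

# Policy parameters. The lockout threshold and the "password" blocklist come
# from the article's criteria; MIN_LENGTH is an assumed value for illustration.
MIN_LENGTH = 8
LOCKOUT_THRESHOLD = 10
BLOCKLIST = {"password"}


def keyspace_bits(password: str) -> float:
    """Crude strength meter: log2 of the candidate space, with the alphabet
    size taken from the character classes actually used. Letters plus digits
    give the article's factor of 36 per added character."""
    alphabet = 0
    if any(c.isalpha() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str) -> list:
    """Return the list of policy failures; an empty list means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        failures.append("not alphanumeric")
    if password.lower() in BLOCKLIST:
        failures.append("blocklisted")
    return failures


class LoginThrottle:
    """Lock an account after LOCKOUT_THRESHOLD consecutive failed attempts."""

    def __init__(self):
        self.failures = {}
        self.locked = set()

    def record(self, user: str, success: bool) -> bool:
        """Record one login attempt; return True if the account is locked."""
        if user in self.locked:
            return True
        if success:
            self.failures[user] = 0          # a success resets the counter
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
        return user in self.locked
```

With these rules the single-character password "a" that Match.com accepted fails on both length and the alphanumeric requirement, and "password" fails the blocklist.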

What's Your Opinion?

Do a website's password requirements affect your decision on whether or not to use the site? Do you go above and beyond a site's minimum requirements when choosing a password? Would you favor industry standards among online retailers so that big-name firms are not allowed to permit weak passwords? Lastly, do you use an automated password generating program, such as Roboform, to securely generate and store your passwords?


Comments

BikeMobile wrote:

My passwords are of varying degrees of complexity, as I judge the risk of a site, and changed on a regular basis. My password list is on paper, one copy, and two encrypted files, one on a flash drive. I have declined to do business with some sites due to perceived password and security deficiencies. Notably Amazon, who cancelled an order I had placed due to a dug-up problem with a check that didn't clear the usual way, eight years ago. No problem with the purchase or payment that check was written for, it just didn't go through the usual paper trail and Amazon's creative offshore credit checkers decided I was too great a risk to allow the purchase. Amazon is the greater risk. Roboform or another password manager is probably a good idea, but I am typically slow to do what I should. Am watching for news of the "next big thing" in account security: biometric, rolling-code, ...

Dennis Faas wrote:

I have a fingerprint reader which is compatible with Roboform. I use Roboform to generate random passwords that are 16-24 or more characters (depending on the website's maximum allowable password length).

I use upper and lower case, plus symbols for my passwords (again, if it's allowed). All passwords on all sites I use are unique. If my fingerprint reader doesn't work, I still have a master password to unlock all my passwords using Roboform.

f58tammy wrote:

I find it interesting that they didn't include the secondary security, i.e. a picture, or the separation of the username on the first page and the password on the second page, in their study.

Personally I would be more concerned with the level of encryption of personal data kept on their servers. The above-mentioned credit card theft had nothing to do with usernames or passwords; instead it was where and how the encryption keys were kept on the servers to access the card numbers and codes (that 3-digit number on the back of the card). Maybe it is time for credit card numbers to be included in the need for complexity, and to start using alphanumeric with special characters in the creation of accounts. Again it would be up to how the encryption keys were managed.

The Target issue should have been the much-needed wake-up call for all online businesses on how they handle the security of information. Usernames and passwords can eventually be found no matter their complexity.