Password manager Dashlane has released its 2017 Password Power Rankings, the results of a deep dive into the password practices of over 40 popular consumer and enterprise websites. Apple did well, scoring 4/5 (5/5 is a perfect score).
The tech giant garnered points for “8+ character password required,” “alphanumeric passwords required,” “password strength assessment provided” and “2-factor authentication available.” However, it lost a point on the brute-force test.
In the brute force attack simulation, researchers attempted to log in using incorrect passwords. If the tester could continue entering incorrect credentials after 10 attempts without triggering any security mechanism, such as a CAPTCHA challenge or an automatic account lock, the site did not receive credit.
Dashlane found that almost half (46%) of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements. The most popular sites provide the least guidance when it comes to secure password policies.
Of the 17 consumer sites that failed Dashlane's tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter "a" on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5.
To determine the ranking, Dashlane researchers examined sites against password security criteria, such as requiring passwords of eight or more characters with a combination of letters, numbers, and symbols, and offering two-factor authentication. A site received a point for each test it passed, for a maximum score of five. A score of 3/5 was deemed passing and meeting the minimum threshold for good password security.
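As an added illustration (not Dashlane's code or methodology, and not part of the original article), the following Python shows the server-side counterpart of two of the tests described above: a composition policy that rejects a password made only of the letter "a" because it requires both letters and digits in at least eight characters, and a failed-login tracker that locks an account after the 10 incorrect attempts the testers were allowed. The 15-minute lockout duration and the account names are assumptions for the example; the article gives neither.

```python
"""Illustration of two password-security checks: a minimum composition policy
and a per-account failed-login lockout. Example code, not Dashlane's."""

from dataclasses import dataclass, field
from typing import Dict, Optional
import time

MIN_LENGTH = 8             # "8+ character password required"
MAX_FAILED_ATTEMPTS = 10   # attempts the tester could make before a site lost credit
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration; the article gives none


def check_password_policy(password: str) -> Dict[str, bool]:
    """Return which composition criteria the password satisfies.

    'alphanumeric' is read here as at least one letter and at least one digit,
    so an all-'a' password such as the one the researchers created fails it."""
    return {
        "min_length": len(password) >= MIN_LENGTH,
        "alphanumeric": any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password),
    }


def policy_accepts(password: str) -> bool:
    """True only when every criterion in check_password_policy passes."""
    return all(check_password_policy(password).values())


@dataclass
class FailedLoginTracker:
    """Counts consecutive failed logins per account and applies a temporary lock."""
    max_attempts: int = MAX_FAILED_ATTEMPTS
    lockout_seconds: float = LOCKOUT_SECONDS
    _failures: Dict[str, int] = field(default_factory=dict)       # account -> count
    _locked_until: Dict[str, float] = field(default_factory=dict)  # account -> unix time

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear the counter so the account is usable again.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str, now: Optional[float] = None) -> bool:
        """Record one failed attempt; return True if the account is (now) locked."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_attempts:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        """A correct login clears the failure counter and any lock."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempts_before_lockout(tracker: FailedLoginTracker, account: str,
                            attempts: int, now: float = 0.0) -> Optional[int]:
    """Mimic the test: submit `attempts` wrong passwords and return the attempt
    number on which the site pushed back, or None if it never did."""
    for i in range(1, attempts + 1):
        if tracker.record_failure(account, now):
            return i
    return None


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    print(check_password_policy("aaaaaaaa"))       # min_length passes, alphanumeric fails
    print(policy_accepts("correct-horse-42"))      # True
    tracker = FailedLoginTracker()
    print(attempts_before_lockout(tracker, "example-account", 12))  # locks on attempt 10
```

A site without the tracker behaves like the failing sites in the test: the loop in `attempts_before_lockout` runs to the end and returns `None`. A CAPTCHA challenge would sit where the lock is set, as a different response to the same counter.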