Slashdot Mirror


Password Power Rankings: a Look At the Practices of 40+ Popular Websites (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: Nothing should be more important for these sites and apps than the security of the users who keep them in business. Unfortunately, Dashlane found that 46% of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements. The most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane's tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter "a" on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5. Here's a screenshot of how each consumer/enterprise website performed.
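
As an added illustration of the failing case the report describes (example code, not Dashlane's or Help Net Security's), here is a minimal server-side policy check that rejects single-character passwords such as the all-"a" ones; the thresholds and the small denylist are assumptions chosen for the example:

```python
import string

# Policy thresholds are assumptions for this example; the report does not
# publish Dashlane's exact 5-point criteria.
MIN_LENGTH = 8
MIN_DISTINCT = 4
MIN_CLASSES = 2

# Constructed sample denylist; a real deployment would load a breached-
# password corpus instead of this handful of entries.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "aaaaaaaa"}

CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def check_password(pw: str) -> list[str]:
    """Return the list of policy failures for pw; an empty list means accepted."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(pw)) < MIN_DISTINCT:
        # Catches the all-"a" passwords the report describes, at any length:
        # padding a single character to 12 characters still fails here.
        failures.append(f"fewer than {MIN_DISTINCT} distinct characters")
    classes = sum(1 for chars in CHAR_CLASSES.values() if any(c in chars for c in pw))
    if classes < MIN_CLASSES:
        failures.append(f"uses fewer than {MIN_CLASSES} character classes")
    if pw.lower() in COMMON_PASSWORDS:
        failures.append("appears in the common-password denylist")
    return failures


def accepts(pw: str) -> bool:
    """True when the password passes every check above."""
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ["a", "aaaaaaaaaaaa", "password", "correct-horse-42"]:
        print(repr(candidate), check_password(candidate) or "accepted")
```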

3 of 127 comments

  1. U2F to the rescue! by icknay · Score: 4, Informative

    If you really want it locked down, U2F (2FA device standard) is the way to go. Currently only supported by technically leading sites: google, facebook, github, but jeez it's such a huge improvement over passwords or password managers. One neat side effect of U2F is that with it in place, the password can be super simple, since with U2F the password is not very important. See the U2F FAQ: https://medium.com/@nparlante/...

  2. Passwords not usually the only way in by Anonymous Coward · Score: 2, Informative

    Many websites have good password policies - however, too many of them have entirely vulnerable account/password recovery systems.

    I am reminded of this story about a clever attacker who convinced GoDaddy to let them into the victim's account by means of the last four digits of a credit card number provided over the phone by PayPal's recovery process: https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd

    Securing a site against password-based attacks is a solved problem. Figuring out what to do when people forget their passwords is still hard.

  3. Re:Uh by Zumbs · Score: 2, Informative

    To clarify, the author of the complex password policies that have lasted 15+ years regretted them for one reason: the rules were too complex for users. In other words, he underestimated just how stupid and ignorant the masses are.

    Force complex passwords? Users write them down. Every time. And "hide" them in the same stupid place.

    I'm registered at more than 50 sites (including work). How do you expect a sane person to remember that number of reasonably strong passwords? And change them at regular intervals?

    My point is that the strong password system may work well if you have a small number of passwords, but once the number of passwords increases beyond maybe a handful, the password system breaks. The problem is not stupid users; the problem is the notion of requiring users to remember many passwords. Something better is sorely needed.

    --
    The truth may be out there, but lies are inside your head