Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Power Rankings: a Look At the Practices of 40+ Popular Websites (helpnetsecurity.com)

Posted by BeauHD on from the password-practices dept.

Orome1 shares a report from Help Net Security: Nothing should be more important for these sites and apps than the security of the users who keep them in business. Unfortunately, Dashlane found that that 46% of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements. The most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane's tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter "a" on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5. Here's a screenshot of how each consumer/enterprise website performed.

5 of 127 comments (clear)

  1. Re:Uh by geekmux · · Score: 4, Insightful

    Didn't we just have a (absolutely stupid) story about how password complexity rules are bad? Which is it?

    (Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)

    To clarify, the author of complex password policies that have lasted 15+ years had regret for one reason; the rules were too complex for users. In other words, he underestimated just how stupid and ignorant the masses are.

    Force complex passwords? Users write them down. Every time. And "hide" them in the same stupid place.

    Don't force complex passwords? Users create shitty passwords, and the Top 10 Shitty Passwords in 2017 are the same Top 10 Shitty Passwords used in 1987.

    Force password changes? Users change from Password1 to Password2. You'll be able to guess their password 5 years from now.

    Don't force password changes? Users never change them. Ever. Even if they are a victim of hacking or identity theft, they insist on keeping the same shitty password they used in high school. If you forced them to change it, they would have to write it down.

    Sorry, but it doesn't matter what NIST or any other standard recommends; All the password rules in the world won't prevent the masses from building a better idiot.

    TL; DR - The problem isn't password policies; it's stupid users.

  2. Stupid Admins by Anonymous Coward · · Score: 5, Insightful

    You can rant about stupid users all you want, they are the users you have. If you have rules that are not reasonably executable by the average user, then your rule is stupid.

  3. Don't care about your site you precious snowflake by FeelGood314 · · Score: 3, Insightful

    Seriously fuck you Help Net Security. I really don't care about the security of most sites enough to have to memorize a unique password for them and most sites actually do understand this. Further if it is a site that I do care about the security I want to be able a secure password that I can remember. TR0b@dor is hard as hell for me to remember and will likely be in the first million passwords a cracking program will try. Second for an online attack you need enough entropy to stop an attacker who is rate limited. So 2^30 is likely strong enough (that's 3 common English words). If someone gets your salted hashed password file you are going to need 2^60 bits of entropy. 6 English words. Making be choose a password that is anywhere between those two lengths is either a waste of my time or insufficient security.

  4. Why is requiring alpha numeric important? by bussdriver · · Score: 3, Insightful

    Requiring UPPERCASE doubles the space while 0-9 only adds 10 digits. It would be better to require mixed CASE than to require digits.

    Also, requiring a symbol then allowing ANY symbol would expand the space to typical symbols people use... probably only about 8 symbols cover 90% of passwords. A full brute force would expand to nearly all of unicode! Emjoii included.

    Requiring a SPACE might only add 1 digit but it would hint to people to add a whole WORD and I bet you get more in practice than requiring digits.

    Strength tests should include the domain name because I've seen some lists where the domain name was used. My own investigating found people will use dates, names, initials, their PIN #, phone, even part of their email address. That kind of easily guessed stuff does not show up in these checkers OR in the stats gathered from break ins. Sites really should not create an account password UNTIL you enter all your account information. The session ID is good enough for tracking logins it surely is good enough to setup an account before creating a password and account name. Everybody does it backwards.

    --
    Democracy Now! - uncensored, anti-establishment news
  5. Re:Uh by jareth-0205 · · Score: 5, Insightful

    Tell me oh massive brained one, how many passwords do you hold in your head? And how many will you still know in a year's time when you haven't used some of them for a while? Also, how many do you think you'll be able to hold in your head when you're 60? 70?

    Passwords are a terrible solution for security, and a solution that we've never as a species had to deal with before. Remembering something that has absolutely no margin for error is hard for squishy brained organisms to do. Password managers are a solution but not exactly a widely spread well-known one, and they have their own issues.

    Also, in your better-than-thou rant you haven't taking into account that worldwide security measures have to *work with stupid people too*. Someone who isn't too clever deserves decent security too, not just you and your Mensa brethren.