Slashdot Mirror


Password Power Rankings: a Look At the Practices of 40+ Popular Websites (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: Nothing should be more important for these sites and apps than the security of the users who keep them in business. Unfortunately, Dashlane found that 46% of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements. The most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane's tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter "a" on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5. Here's a screenshot of how each consumer/enterprise website performed.

4 of 127 comments

  1. Uh by sexconker · Score: 5, Interesting

    Didn't we just have an (absolutely stupid) story about how password complexity rules are bad?
    Which is it?

    (Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)

    1. Re:Uh by UnknownSoldier · Score: 2, Interesting

      > Force password changes? Users change from Password1 to Password2. You'll be able to guess their password 5 years from now.

      That is why I append 4 digits to the passphrase, in the format MMYY, of when the password expires, as a mnemonic for when it expires.

      Your crappy "password1" becomes "password0817"

      Good luck guessing the first part -- the pass phrase, along with the second part -- when it expires.

      > The problem isn't password policies;

      Incorrect. I've seen sites where they had a maximum password length, usually like 8 characters. Seriously, WTF. You are _intentionally_ making your passwords insecure???

  2. Re:Don't care about your site you precious snowfla by tlhIngan · Score: 3, Interesting

    Seriously fuck you Help Net Security. I really don't care about the security of most sites enough to have to memorize a unique password for them, and most sites actually do understand this. Further, if it is a site whose security I do care about, I want to be able to use a secure password that I can remember. TR0b@dor is hard as hell for me to remember and will likely be in the first million passwords a cracking program will try. Second, for an online attack you need enough entropy to stop an attacker who is rate limited. So 2^30 is likely strong enough (that's 3 common English words). If someone gets your salted hashed password file you are going to need 2^60 bits of entropy. 6 English words. Making me choose a password that is anywhere between those two lengths is either a waste of my time or insufficient security.

    Exactly.

    Your website may not be important to me, so I won't give it a very important password. It may be important to you, but not to me. Especially if you insist on a username and password to do the most basic things.

    You want me to log in to download your free software? Sure, I'll create an account - with a wimpy password. I don't care if that software is your heart and soul and you missed your mother's funeral to release it on time. I just want the file.

    You want me to log in to comment on your article? Well, ditto. Same for forums as well.

    Hell, I fully expect those sites to be hacked, so why use a strong password? Might as well just make it "password" and be done with it - if someone's downloaded the password file then they have all the time in the world to crack it. I might as well assume your site has vulnerabilities that make it easy to steal the password file.

    Oh yeah, my Paypal, Amazon and bank passwords? They're nice and secure.

  3. THE solution: expiry depends on complexity by Gunstick · Score: 5, Interesting

    Hi

    You choose a password, and a calculation is performed of how long a brute-force/dictionary attack will take.
    Your password will expire after this time.
    Calculate the time using this calculator (take the botnet time): https://password.kaspersky.com...

    thisisanicepassword => 3 days
    this is a nice password => 40 years (maybe maximize on a top limit)
    12345678 => 1 second
    one two three four => 3 years
    correcthorsebatterystaple => 5 years (hmm, maybe they should add that to an exception list)
    h4Z7p8d0 => 51 seconds
    h4Z7p8d0x3 => 2 hours
    h4Z7p8d0x3w1 => 6 days
    h4Z7p8d0x3w1bd => 2 years

    --
    Atari rules... ermm... ruled.
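Gunstick's scheme above (expiry derived from estimated crack time, capped at a top limit, with an exception list for well-known passwords), as an added example that is not part of the thread. The guess rate, the cap and the exception list are constructed assumptions, so the numbers differ from the Kaspersky calculator's.

```python
import math

# Assumed brute-force rate for the "botnet" case: a constructed figure of
# 10 billion guesses per second, not the Kaspersky calculator's model.
BOTNET_GUESSES_PER_SEC = 1e10
MAX_EXPIRY_DAYS = 40 * 365  # "maybe maximize on a top limit"

# Constructed exception list standing in for a dictionary/leaked-password check.
KNOWN_PASSWORDS = {"12345678", "password", "correcthorsebatterystaple"}


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits, treating every position as independent."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def crack_seconds(password: str, rate: float = BOTNET_GUESSES_PER_SEC) -> float:
    """Expected seconds to find the password: half the keyspace at `rate` guesses/s.
    Anything on the exception list counts as already cracked."""
    if password in KNOWN_PASSWORDS:
        return 0.0
    return 2 ** (entropy_bits(password) - 1) / rate


def expiry_days(password: str, rate: float = BOTNET_GUESSES_PER_SEC) -> int:
    """Days until forced rotation: estimated crack time, capped at MAX_EXPIRY_DAYS.
    A result of 0 means the password should be rejected outright."""
    days = crack_seconds(password, rate) / 86400
    return min(MAX_EXPIRY_DAYS, int(days))
```

Note that this models only pure brute force; "this is a nice password" scores well here on length alone, which is why the exception list (or a real dictionary check) has to sit in front of the estimate.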