Password Power Rankings: a Look At the Practices of 40+ Popular Websites (helpnetsecurity.com)
Orome1 shares a report from Help Net Security: Nothing should be more important for these sites and apps than the security of the users who keep them in business. Unfortunately, Dashlane found that 46% of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements. The most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane's tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter "a" on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5. Here's a screenshot of how each consumer/enterprise website performed.
Didn't we just have an (absolutely stupid) story about how password complexity rules are bad?
Which is it?
(Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)
You can rant about stupid users all you want, they are the users you have. If you have rules that are not reasonably executable by the average user, then your rule is stupid.
Hi
You choose a password, and a calculation is performed of how long a brute force/dictionary attack will take.
Your password will expire after this time.
Calculate the time using this calculator (take the botnet time): https://password.kaspersky.com...
thisisanicepassword => 3 days
this is a nice password => 40 years (maybe maximize on a top limit)
12345678 => 1 second
one two three four => 3 years
correcthorsebatterystaple => 5 years (hmm, maybe they should add that to an exception list)
h4Z7p8d0 => 51 seconds
h4Z7p8d0x3 => 2 hours
h4Z7p8d0x3w1 => 6 days
h4Z7p8d0x3w1bd => 2 years
Atari rules... ermm... ruled.
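The expiry scheme proposed in the comment above, sketched as an added example that is not part of the original post and does not reproduce the linked calculator. The guess rate, the cap, the word list and the deny list are all assumptions; the word-split check shows why a phrase built from common words needs the "exception list" treatment the commenter mentions.

```python
import string
from datetime import timedelta

# All constants below are assumptions for illustration, not values from the post.
GUESSES_PER_SECOND = 10**10               # assumed attacker guess rate
MAX_LIFETIME = timedelta(days=730)        # the "top limit" on any lifetime
WORDLIST_SIZE = 10_000                    # assumed attacker dictionary size
DENYLIST = {"12345678", "password", "correcthorsebatterystaple"}  # constructed
WORDS = {"this", "is", "a", "nice", "password", "one", "two", "three", "four"}

def charset_size(pw):
    """Size of the alphabet a brute-force search must cover for pw."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10)]
    size = sum(n for chars, n in classes if any(c in chars for c in pw))
    return size + (33 if any(not c.isalnum() for c in pw) else 0)

def split_words(pw):
    """Fewest-word split of pw (spaces ignored) into WORDS, or None."""
    s = pw.lower().replace(" ", "")
    best = {0: []}
    for i in range(len(s)):
        if i not in best:
            continue
        for j in range(i + 1, len(s) + 1):
            if s[i:j] in WORDS and (j not in best or len(best[j]) > len(best[i]) + 1):
                best[j] = best[i] + [s[i:j]]
    return best.get(len(s))

def guess_space(pw):
    """Guesses needed by the cheaper of brute force and a word-based attack."""
    if pw.lower() in DENYLIST:
        return 1
    brute = charset_size(pw) ** len(pw)
    words = split_words(pw)
    return min(brute, WORDLIST_SIZE ** len(words)) if words else brute

def lifetime(pw):
    """Expiry period: average crack time (half the space), capped."""
    guesses = guess_space(pw) // 2
    if guesses >= MAX_LIFETIME.total_seconds() * GUESSES_PER_SECOND:
        return MAX_LIFETIME
    return timedelta(seconds=guesses / GUESSES_PER_SECOND)
```

Under these assumptions, spaces between dictionary words add nothing, because the word-based estimate ignores them.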