An analysis of 48 popular websites determined that 46 percent of consumer services sites and 36 percent of enterprise or business services sites had "dangerously lax" password policies that failed to enforce even some of the most basic security requirements.
Dashlane, a password manager app and secure digital wallet provider, conducted the security assessment, publishing the results in its 2017 Password Power Rankings. The evaluation does not comprehensively cover all aspects of password management, nor does it take into account certain technologies and techniques companies can use to reduce risk of credentials compromise. Nevertheless, it does provide a snapshot of which companies have more stringent user password requirements and which are more laissez-faire about it.
The analysis judged websites' password policies against five criteria: a minimum length of eight characters, mandatory use of alphanumeric characters (not just numbers), a password strength assessment displayed during account creation, an account lockout feature to prevent brute-force attacks, and support for two-factor or multi-factor authentication. Altogether, 21 of the 48 studied websites, or roughly 44 percent, failed the evaluation because they met fewer than three of these benchmarks.
Of the 37 sampled consumer websites, only GoDaddy met all five standards, while QuickBooks and Stripe were the only two business services websites out of 11 to achieve all five criteria. Netflix, Pandora, Pinterest, Spotify, and Uber fared worst of all in the assessment, failing to meet even one of the five standards.
In an email to SC Media, an Uber spokesperson defended the company, noting that there is more to website security than five simple credential policies.
"This report reflects an unsophisticated understanding of account security and authentication," said Melanie Ensign, head of security and privacy communications at Uber. "Experts agree that the most important thing about your password is that it's unique to you and not used on any other accounts. This is where password managers provide the most value because it's hard for people to keep track of unique passwords for all their online accounts."
Ensign also noted that Uber and other tech companies automatically employ risk-based authentication solutions that leverage machine learning techniques to protect user accounts. "For example, if someone tries to log in to your Uber account with your password using a different device, we'll automatically issue a second factor to make sure it's really you," said Ensign.
SC also reached out to the other companies whose websites scored a zero in the rankings.
According to Dashlane, the lack of an on-screen password assessment tool was the most commonly ignored criterion, with 76 percent of consumer sites and 72 percent of business services sites failing to implement one.
In a particularly salient example of sub-standard credentials management, Dashlane said it was able to create passwords "using nothing but the lowercase letter 'a' on several notable sites, including Amazon, Dropbox, Google, Instagram, LinkedIn, Netflix, Spotify, Uber, and Venmo." Moreover, its researchers were able to create Netflix and Spotify accounts using only "aaaa" as a password.
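To make concrete what three of the ranking's five criteria look like on the server side, here is an added example that is not part of the article or of Dashlane's methodology: a minimum-length check, an alphanumeric check read as "at least one letter and at least one digit" (an assumption, since the report only says "not just numbers"), a crude strength score of the kind an on-screen meter would display, and a consecutive-failure lockout counter. The eight-character minimum comes from the report; the five-attempt lockout threshold and the scoring rules are assumed values chosen for illustration. Run as written, it shows why passwords such as "aaaa" and "aaaaaaaa" should never have been accepted.

```python
"""Added example: minimal server-side checks modelled on three of the five
criteria in Dashlane's 2017 Password Power Rankings. Thresholds other than
the eight-character minimum are assumptions, not values from the report."""

from dataclasses import dataclass, field
import string

MIN_LENGTH = 8          # from the report: at least eight characters
LOCKOUT_THRESHOLD = 5   # assumed: consecutive failures before lockout


def policy_failures(password: str) -> list[str]:
    """Return the names of the policy rules a candidate password violates.

    'alphanumeric' is interpreted as 'contains at least one letter and at
    least one digit', so digit-only and letter-only passwords both fail it.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        failures.append("alphanumeric")
    return failures


def strength_score(password: str) -> int:
    """Crude 0-4 score of the kind an on-screen strength meter displays.

    One point each for: length >= 8, length >= 12, at least three character
    classes (lower/upper/digit/symbol), and no single character making up
    more than half of the password. A production meter would also consult
    breach-corpus and dictionary checks; this is only the heuristic part.
    """
    score = 0
    if len(password) >= 8:
        score += 1
    if len(password) >= 12:
        score += 1
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes >= 3:
        score += 1
    # Penalise passwords dominated by one repeated character ("aaaaaaaa").
    if password and max(password.count(c) for c in set(password)) <= len(password) // 2:
        score += 1
    return score


@dataclass
class LockoutTracker:
    """Counts consecutive failed logins per account; locks at the threshold."""
    threshold: int = LOCKOUT_THRESHOLD
    failures: dict = field(default_factory=dict)

    def record_failure(self, account: str) -> bool:
        """Record one failed attempt and report whether the account is now locked."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.is_locked(account)

    def record_success(self, account: str) -> None:
        """A successful login resets the consecutive-failure count."""
        self.failures.pop(account, None)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= self.threshold


if __name__ == "__main__":
    # Constructed sample inputs, including the two cases the report describes.
    for pw in ["aaaa", "aaaaaaaa", "12345678", "Tr0ub4dor&3"]:
        print(f"{pw!r}: failures={policy_failures(pw)} strength={strength_score(pw)}")
    tracker = LockoutTracker()
    for _ in range(LOCKOUT_THRESHOLD):
        tracker.record_failure("alice")
    print("alice locked:", tracker.is_locked("alice"))
```

The lockout tracker here is in-process and per-account only; a deployed version would persist the counters, expire them after a cooling-off period, and pair them with the risk-based signals (new device, unusual location) that Uber's spokesperson describes, rather than replace them.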