Dashlane’s 2017 Password Power Rankings

As a password manager, we frequently emphasize the importance of creating strong passwords to protect your data on online accounts, but are websites holding up their end of the bargain?

In our latest study, Dashlane researchers examined the password policies of 40 popular consumer and enterprise websites against five criteria. Today, we’re sharing the results in our 2017 Password Power Rankings.

In this post, you will also find:



CONSUMER RANKINGS

  • 5/5 Score (Best)
    • GoDaddy
  • 4/5 Score
    • Apple
    • Best Buy
    • The Home Depot
    • Microsoft/Live/Outlook
    • PayPal
    • Skype
    • Toys “R” Us
    • Tumblr
  • 3/5 Score
    • Airbnb
    • Facebook
    • Google
    • Reddit
    • Slack
    • Snapchat
    • Staples
    • Target
    • Twitch
    • WordPress
    • Yahoo
  • 2/5 Score
    • Amazon
    • eBay
    • LinkedIn
    • Starbucks
    • Twitter
    • Venmo
  • 1/5 Score
    • Dropbox
    • Evernote
    • Instagram
    • Macy’s
    • Pinterest
    • SoundCloud
    • Walmart
  • 0/5 Score (Worst)
    • Netflix
    • Pandora
    • Spotify
    • Uber

ENTERPRISE RANKINGS

  • 5/5 Score
    • Stripe
    • QuickBooks
  • 4/5 Score
    • Basecamp
    • Salesforce
  • 3/5 Score
    • GitHub
    • MailChimp
    • SendGrid
  • 2/5 Score
    • DocuSign
    • MongoDB (mLab)
  • 1/5 Score
    • Amazon Web Services
    • Freshbooks

Key Findings


Dashlane researchers also made note of some exceptional observations:

  • Researchers were able to create passwords using nothing but the lowercase letter “a” on several notable sites, including Amazon, Dropbox, Google, Instagram, LinkedIn, Netflix, Spotify, Uber, and Venmo.
  • Researchers also identified six websites that do not have policies to prevent brute-force attacks, including Apple, Dropbox, Google, Twitter, Venmo, and Walmart.
  • Researchers successfully created an account on Netflix and Spotify using “aaaa”.

Best Practices

Online Security Best Practices for Consumer/Enterprise Site Owners and Developers:

  • Make 8-character passwords the minimum
  • Require alphanumeric & case-sensitive passwords
  • Provide a meter or color-coded bar to confirm password length and strength
  • Send an email to users when passwords are changed
  • Block the most common passwords found on the web
  • Consider instituting an account lockout policy to thwart brute-force attacks
  • Support 2-Factor Authentication
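The site-side practices above (8-character minimum, letters plus numbers and mixed case, a strength meter, a common-password blocklist, and an account lockout) can be encoded as server-side checks. The following is an added example written for this post, not Dashlane's code or any site's actual implementation; the blocklist entries, the salt, the account name and the lockout parameters (10 failures within a 15-minute window) are constructed assumptions, and the 0-4 meter is a deliberately simple heuristic. Passwords are stored as salted PBKDF2 digests, and a locked account is refused before the password is even compared.

```python
import hashlib
import hmac
import time
from collections import defaultdict

MIN_LENGTH = 8

# Constructed blocklist standing in for a real most-common-passwords list
# (assumption: production code would load a large corpus, not this handful).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "aaaaaaaa", "11111111", "iloveyou", "welcome1",
}


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    Encodes the site-owner practices from the post: an 8-character minimum,
    letters and numbers, mixed case, and a block on common passwords.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    return problems


def strength_score(password: str) -> int:
    """Simple 0-4 meter for on-screen feedback: one point per character class
    used, plus one for 12 or more characters, minus one for fewer than 8."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    points = classes + (1 if len(password) >= 12 else 0) - (1 if len(password) < MIN_LENGTH else 0)
    return max(0, min(4, points))


class LoginThrottle:
    """Account lockout: once `max_attempts` failures have occurred within
    `window` seconds, further attempts for that account are refused.
    The clock is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_attempts: int = 10, window: float = 900.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._failures = defaultdict(list)  # account -> timestamps of failures

    def _recent_failures(self, account: str) -> list:
        now = self.clock()
        self._failures[account] = [t for t in self._failures[account] if now - t < self.window]
        return self._failures[account]

    def is_locked(self, account: str) -> bool:
        return len(self._recent_failures(account)) >= self.max_attempts

    def record_failure(self, account: str) -> None:
        self._recent_failures(account).append(self.clock())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def make_user_record(password: str, salt: bytes) -> dict:
    """Store a salted PBKDF2 digest rather than the password itself."""
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}


def attempt_login(throttle: LoginThrottle, users: dict, account: str, password: str) -> str:
    """Return 'locked', 'ok' or 'bad'. A locked account is refused before the
    password is compared, so further guesses learn nothing."""
    if throttle.is_locked(account):
        return "locked"
    record = users.get(account)
    if record is not None:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
        if hmac.compare_digest(digest, record["hash"]):
            throttle.record_success(account)
            return "ok"
    throttle.record_failure(account)
    return "bad"


def lockout_demo() -> list:
    """Ten wrong guesses lock the constructed account; the right password is then refused too."""
    users = {"alice": make_user_record("Correct-Horse9", b"constructed-salt")}
    throttle = LoginThrottle(max_attempts=10, clock=lambda: 0.0)  # frozen clock: all within window
    results = [attempt_login(throttle, users, "alice", "aaaa") for _ in range(11)]
    results.append(attempt_login(throttle, users, "alice", "Correct-Horse9"))
    return results
```

`check_password_policy("aaaa")` and `check_password_policy("111111")`, the inputs the post's researchers used, each come back with three violations, while `lockout_demo()` returns ten `"bad"` results followed by `"locked"` for the eleventh guess and for the correct password after it. The policy check returns every failing rule at once so the sign-up form can report them all, and the throttle keys on the account rather than the client so a distributed guessing campaign is still counted against the target account.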

Online Security Best Practices For Web Users:

  • Generate passwords that exceed the minimum of 8 characters
  • Create passwords with a mix of case-sensitive letters, numbers, and special symbols
  • Always use a unique password for each online account
  • Avoid using passwords that contain common words, phrases, slang, places, names, etc.
  • Use a password manager to help generate, store, and manage your passwords


Methodology

From July 5 – July 14, Dashlane researchers examined 37 popular consumer websites and 11 popular enterprise websites against five password security criteria:

  1.  Does the website require users to have passwords that are 8 or more characters?

When creating a new account on each website, Dashlane researchers attempted to create passwords of fewer than eight characters, irrespective of the sites’ stated minimum password requirements.

  2.  Does the website require users to have passwords with a combination of letters, numbers, and symbols?

When creating a new account on each website, Dashlane researchers attempted to create passwords consisting of all letters (“aaaaaa”) or all numbers (“111111”).

  3.  Does the website provide an on-screen password assessment meter to show users how strong their password is?

When creating a new account on each website, researchers checked whether the site provided any notification, such as a meter or color-coded bar; if so, it was credited as providing an assessment. Sites that only confirmed the password length, or that the requirements were met, did not receive credit.

  4.  Does the website allow 10 incorrect login attempts without providing additional security (CAPTCHA, account lockout, 2-Factor, etc.)?

Dashlane researchers attempted to log in using incorrect passwords. If the tester was able to continue entering incorrect credentials after 10 attempts without encountering any security mechanism, such as a CAPTCHA code or the account automatically locking, the site did not receive credit.

  5.  Does the website have support for 2-Factor Authentication?

A website was given credit if it offers any two-factor or multi-factor authentication.

A site received a point for each criterion it met, for a maximum (and top) score of 5. A score of 3/5 was deemed passing and meeting the minimum threshold for good password security.