NEW YORK – Dashlane’s second Password Security Roundup examined over 80 of the web’s most popular sites in the aftermath of Heartbleed. It found that 86% of these websites had subpar password security policies. Many failed to implement even the bare minimum standard security practices, leaving consumer data across the web dangerously susceptible.

The Roundup was comprised of 22 password criteria that Dashlane identified as critical to password security. Each criterion was given a +/- point value, leading to a total possible score of between -100 and +100. A score of +50 is Dashlane’s minimum suggested requirement for good password practices. This study is a broader follow-up to Dashlane’s first study conducted in Q1 2014.

Apple had the highest rating and was the only website to receive a perfect score, as they also did in Q1. Hotmail was second, while Microsoft Store and UPS tied for third place. Other sites receiving passing scores included Target, GoDaddy, and Yahoo Mail, among others. received the lowest score, while Hulu and Overstock tied for second worst. Amazon, Groupon, Orbitz, US Airways and Victoria’s Secret were also among the lowest ranked sites. Several sites that store their users’ credit card information, including Gap and Airbnb, only required a 5 character password, and in fact, Fab, 1800Flowers and allowed users to create new accounts using only the letter “a” as the password.

Other key findings:

  • 86% did not meet the threshold for adequate password policies (i.e. a score of +50), including:
    • American Airlines, Evernote, Expedia, Kayak, LivingSocial and Ticketmaster
    • 53% of the sites received negative scores
    • 51% did not lock accounts after 10 incorrect password attempts
    • 43% accepted the worst passwords on the web, such as “123456”, including:
      • Delta, Dropbox, Hulu and Walmart
      • Specifically, 48% allowed users to use “password” as their password

The full study results, including an interactive data table and embeddable media, can be found here:

Dashlane examined sites in six categories: Dating, E-commerce, Security, Productivity, Social Utilities and Travel. The Roundup found that Security (-5), Travel (-17) and Dating (-23) had the lowest average scores.

Toys”R”Us had the largest score increase from the Q1 Roundup, improving from (-60) to (+50). They implemented a number of simple changes to their password policies, which greatly improved security for their users.

These changes included:

  • Increasing the minimum required password length to 8 characters
  • Making alphanumeric and case-sensitive passwords mandatory
  • No longer accepting the 10 most common passwords
  • No longer sending user passwords in plain text emails

Unsafe Practices

Although most sites instructed their users to change passwords following Heartbleed, they did not strengthen their own inadequate and unsafe password policies. Dashlane compared the Security Scores of the sites in the Roundup with average password strength on these sites.

password security

A clear pattern emerged, showing that users’ password strength correlated to a site’s security score. In other words, tougher password requirements meant stronger and more secure passwords.

It goes without saying that the weaker the password, the more exposed a users’ personal and financial data is. Passwords are the first line of defense for every user of the Internet. The failure of web sites to not require more secure passwords means they are knowingly making their users more susceptible to hackers and malicious software.

Additionally, 51% of the top sites do not lock users’ accounts after repeated incorrect logins. One of the favorite methods utilized by hackers is to password guess using commonly used passwords. All a hacker needs is a list of emails and a list of common passwords (both easily found with a quick search), and they can easily code an automated program to push millions of email-password combinations into login screens.

By simply blocking an account after a few failed entry combinations, websites could prevent hackers from stealing data using this practice. The following are just a few of the more well-known sites which do not lock users’ accounts after 10 failed access attempts:  Amazon, Gmail, Evernote, eBay and Nike.

Simple Solutions

Dashlane suggests that websites adopt the following password security measures at a minimum:

  • Minimum password length of 8 characters
  • Alphanumeric and case-sensitive passwords
  • Email confirmations for password changes
  • Do NOT accept the 10 worst passwords on the web
  • Do NOT allow login attempts after 10 incorrect password tries

Dashlane CEO Emmanuel Schalit elaborated on these practices:

Companies and websites have no excuses for their poor password policies. Implementing strong password policies is extremely cheap and can easily be done with readily available open-source technology.

Our study found a clear and direct correlation between a website’s password requirements and the average strength of a user’s password. Sites that require more complex passwords have users with greater password strength. Passwords are the first line of defense in protecting private personal and financial information on the web, and weak password requirements end up leaving all of us more exposed.

The full study results, including data and embeddable media, can also be found at