Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Communications Network Privacy The Internet Technology

Password Power Rankings: a Look At the Practices of 40+ Popular Websites (helpnetsecurity.com) 127

Orome1 shares a report from Help Net Security: Nothing should be more important for these sites and apps than the security of the users who keep them in business. Unfortunately, Dashlane found that that 46% of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements. The most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane's tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter "a" on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5. Here's a screenshot of how each consumer/enterprise website performed.
This discussion has been archived. No new comments can be posted.

Password Power Rankings: a Look At the Practices of 40+ Popular Websites

Comments Filter:
  • Uh (Score:5, Interesting)

    by sexconker ( 1179573 ) on Thursday August 10, 2017 @07:14PM (#54987495)

    Didn't we just have a (absolutely stupid) story about how password complexity rules are bad?
    Which is it?

    (Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)

    • Re:Uh (Score:5, Insightful)

      by geekmux ( 1040042 ) on Thursday August 10, 2017 @07:41PM (#54987687)

      Didn't we just have a (absolutely stupid) story about how password complexity rules are bad? Which is it?

      (Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)

      To clarify, the author of complex password policies that have lasted 15+ years had regret for one reason; the rules were too complex for users. In other words, he underestimated just how stupid and ignorant the masses are.

      Force complex passwords? Users write them down. Every time. And "hide" them in the same stupid place.

      Don't force complex passwords? Users create shitty passwords, and the Top 10 Shitty Passwords in 2017 are the same Top 10 Shitty Passwords used in 1987.

      Force password changes? Users change from Password1 to Password2. You'll be able to guess their password 5 years from now.

      Don't force password changes? Users never change them. Ever. Even if they are a victim of hacking or identity theft, they insist on keeping the same shitty password they used in high school. If you forced them to change it, they would have to write it down.

      Sorry, but it doesn't matter what NIST or any other standard recommends; All the password rules in the world won't prevent the masses from building a better idiot.

      TL; DR - The problem isn't password policies; it's stupid users.

      • Re: (Score:3, Interesting)

        > Force password changes? Users change from Password1 to Password2. You'll be able to guess their password 5 years from now.

        That is why I append a 4 digit to the passphrase, of the format MMYY, of when the password expires as a mnemonic for when it expires.

        Your crappy "password1" becomes "password0817"

        Good luck guessing the first part -- the pass phrase, along with the second part -- when it expires.

        > The problem isn't password policies;

        Incorrect. I've seen sites where they had a maximum password len

        • by Anonymous Coward

          > Force password changes? Users change from Password1 to Password2. You'll be able to guess their password 5 years from now.

          That is why I append a 4 digit to the passphrase, of the format MMYY, of when the password expires as a mnemonic for when it expires.

          Your crappy "password1" becomes "password0817"

          Good luck guessing the first part -- the pass phrase, along with the second part -- when it expires.

          > The problem isn't password policies;

          Incorrect. I've seen sites where they had a maximum password length, usually like 8 characters. Seriously, WTF. You are _intentionally_ making your passwords insecure???

          My internet banking site makes you have an 8 character password, using numbers and uppercase letters. You can't have 7 characters, you can't have 9. It has to be 8. Furthermore, your "username" is 6 digits, no more, no less.

          • by EzInKy ( 115248 )

            Have you considered changing banks?

            • There are some advantages in having a bank with known weak security practices. If your account is ever compromised, it's really easy to argue in court that it's their liability if you can point to a dozen places where they're not following industry best practices.
              • by EzInKy ( 115248 )

                Guess that depends on how much you value your money. Personally, especially considering how much so many here harp on personally responsiblity, I'd rather not take the chance. Afterall, if you know your banks practices are weak, doesn't the onous fall on you?

            • Have you considered changing banks?

              Yes. But when only one bank has ATMs within cycling distance, that makes every other bank much more expensive: withdrawing cash costs ATM fees, depositing checks costs postage, and depositing cash costs postage plus money order fees. In the city where and years when I attended college, there was only one bank.

        • by green1 ( 322787 )

          I've seen sites where they had a maximum password length, usually like 8 characters. Seriously, WTF. You are _intentionally_ making your passwords insecure???

          I know a specific bank that has the following password rules for their online banking:
          - must be all numeric
          - must be between 4 and 6 digits long

          And this is a BANK!!!!

          Even better was when they sent out a newsletter which included a section on "staying safe online" which specified that you should always use a strong password of greater than 8 characters mixed upper and lowercase with numbers and symbols. I found that pretty ironic from a bank that won't let you use those very passwords on their own site.

      • Stupid Admins (Score:5, Insightful)

        by Anonymous Coward on Thursday August 10, 2017 @08:17PM (#54987911)

        You can rant about stupid users all you want, they are the users you have. If you have rules that are not reasonably executable by the average user, then your rule is stupid.

        • You can rant about stupid users all you want, they are the users you have. If you have rules that are not reasonably executable by the average user, then your rule is stupid.

          Cars have seat belts, and yet there are drivers that fail to use them. If drivers are too fucking stupid to protect themselves and understand the value of a seat belt, then they get what they deserve.

          Computers have passwords, and yet there are users who fail to protect them. If users are too fucking stupid to protect themselves and understand the value of protecting their identity online, then they get what they deserve.

      • by Gunstick ( 312804 ) on Friday August 11, 2017 @03:44AM (#54989453) Homepage

        Hi

        you chose a password, there is a calculation performed how long a brute force/dictionary attack will take.
        Your password will expire after this time.
        Calculate the time using this calculator (take the botnet time): https://password.kaspersky.com... [kaspersky.com]

        thisisanicepassword => 3 days
        this is a nice password => 40 years (maybe maximize on a top limit)
        12345678 => 1 second
        one two three four => 3 years
        correcthorsebatterystaple => 5 years (hmm, maybe they should add that to an exception list)
        h4Z7p8d0 => 51 seconds
        h4Z7p8d0x3 => 2 hours
        h4Z7p8d0x3w1 => 6 days
        h4Z7p8d0x3w1bd => 2 years

      • Re: (Score:3, Informative)

        by Zumbs ( 1241138 )

        To clarify, the author of complex password policies that have lasted 15+ years had regret for one reason; the rules were too complex for users. In other words, he underestimated just how stupid and ignorant the masses are.

        Force complex passwords? Users write them down. Every time. And "hide" them in the same stupid place.

        I'm registered at more than 50 sites (including work). How do you expect a sane person to remember that number of reasonably strong passwords? And change them at regular intervals?

        My point is that the strong password system may work well if you have a small number of passwords, but once the number of passwords increase beyond maybe a handful, the password system breaks. The problem is not stupid users; the problem is the notion of requiring users to remember many passwords. Something better is sorely needed

      • Corollary: a halfway decent password kept in a secure place is one that the same idiot will lose. I run into this with my IT customers all the time.

      • Well, there are password managers, of course, but most people can't be bothered. Speaking of which, there are websites which will not allow you to paste a password when you are creating the account, which of course makes it harder to use a password manager.
        • by green1 ( 322787 )

          And of course there's the sheer stupidity of storing all your passwords in one place, especially one accessible by multiple devices over the internet....

      • Re:Uh (Score:5, Insightful)

        by jareth-0205 ( 525594 ) on Friday August 11, 2017 @07:18AM (#54990047) Homepage

        Tell me oh massive brained one, how many passwords do you hold in your head? And how many will you still know in a year's time when you haven't used some of them for a while? Also, how many do you think you'll be able to hold in your head when you're 60? 70?

        Passwords are a terrible solution for security, and a solution that we've never as a species had to deal with before. Remembering something that has absolutely no margin for error is hard for squishy brained organisms to do. Password managers are a solution but not exactly a widely spread well-known one, and they have their own issues.

        Also, in your better-than-thou rant you haven't taking into account that worldwide security measures have to *work with stupid people too*. Someone who isn't too clever deserves decent security too, not just you and your Mensa brethren.

        • by Ken D ( 100098 )

          There was one website that I only needed to visit once a year to download my annual tax form, their passwords expired in some time less than one year, so every time I visited my password was expired and needed to be reset.

          So... you need to choose a hard password, that you will use exactly once, a year from when you choose it. ha!

          • I remember reading an article once that was talking about how important your email password (and security of whatever email provider you have) is. It's basically the easy backdoor to almost everything we have online because pretty much everything uses email as a forgot password - so if someone gets into your email they can reset absolutely everything. Scary as fuck... and yet that's one of the ones that many probably don't usually use the crazy-complex passwords for because 'it's just email'.

          • by green1 ( 322787 )

            Yup, I have a lot of sites where my password is simply to hit the "forgot password" link. There's no point in even trying to remember the password on any site where the password expiry is more frequent than my visits to the site, or where I visit the site less frequently than once every 6 months or so. I'll use a strong password, that I can re-type once when entering it, after that it's gone from my memory.

          • by tepples ( 727027 )

            so every time I visited my password was expired and needed to be reset.

            Some sites are in fact using passwordless login [auth0.com], which is equivalent to resetting the password on every login.

        • Tell me oh massive brained one, how many passwords do you hold in your head? And how many will you still know in a year's time when you haven't used some of them for a while? Also, how many do you think you'll be able to hold in your head when you're 60? 70?

          I only know one insanely long passphrase. The rest of my passwords are unknown to me. Yes, that's correct, I don't know them. They are randomly generated and I max out the system limit every time I generate one. I use a password manager. Before they came along, I regularly managed a dozen different systems, so I got used to remembering several usernames and passwords.

          Passwords are a terrible solution for security, and a solution that we've never as a species had to deal with before. Remembering something that has absolutely no margin for error is hard for squishy brained organisms to do.

          OK, let's just stop with the species bullshit as if comparing our challenges to caveman ancestors is relevant. The concept of a password

      • by godefroi ( 52421 )

        If your password policies fail to account for reality, then they're the problem. Thus, password policies are the problem, because clearly they don't account for reality.

        • If your password policies fail to account for reality, then they're the problem. Thus, password policies are the problem, because clearly they don't account for reality.

          The reality is privacy and security is often compromised because of shitty passwords. This fact is broadcast almost every single day when we hear of everything from stolen celebrity pictures to theft of IP.

          The average user takes the time and effort to lock doors and set alarms to prevent their house or car from being broken into, but then uses the same shitty password across all banks and social media, and ignores all advice to the contrary.

          I'd say the problem is stupidly obvious, and was summarized in my

    • by GuB-42 ( 2483988 )

      (Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)

      No they are not. Checking over a list of common passwords is.
      Half of the time the rule abiding password just has an uppercase first letter and a number or symbol at the end. Yeah, it adds a bit or two of entropy but it isn't worth the annoyance.

    • (Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)

      (Hint: Two-factor authentication is so dramatically more secure that you're far better off implementing it and letting people choose the passwords they want.)

      • Hint: Two-factor authentication is so dramatically more secure that you're far better off implementing it

        Unless it's Twitter, which allows only the login method that's most expensive per use for many U.S. users.

        • YubiKey and other FIDO U2F devices: Not supported
        • Google Authenticator and other TOTP apps: Not supported [jessysaurusrex.com]
        • One-time random number through voice call: Not supported. This leaves out users of landlines or wireless home phone service.
        • One-time random number through SMS: Supported, but standard messaging and data rates apply. Cellular carriers in the United States tend to charge pay-as-you-go subscribers 10 ce
    • Didn't we just have a (absolutely stupid) story about how password complexity rules are bad?

      No, we didn't. We got a story about how one particular guide to making strong passwords wasn't good advice after all, according to the author. That advice guided people to making short passwords that included a capital, a lowercase letter, a digit and a special character, or variations thereof, and the author conceded that allowing long multi-word passwords is actually stronger than the short obfuscated ones that he recommended many years ago.

      This story is that some sites allow you to give yourself a ridicu

    • by mysidia ( 191772 )

      Tested by creating a new account on each website. Researchers attempted to create passwords with all letters (“aaaaaa”) or numbers (“111111”).

      Traditional Complexity rules ARE bad. Dashlane has a product to sell, and I'm beginning to think dashlane themself is a bad actor, because of the PR promoting whatever they think websites should enforce upon their users to encourage them to use Dashlane's password manager product.

      • by tepples ( 727027 )

        Traditional Complexity rules ARE bad.

        Would it be bad to retain the "must contain a letter" rule if the password is long enough? This RC car shop [philshobbyshop.com] has these rules: 8-15 characters with at least 1 letter and 1 digit, or 16+ characters with at least 1 letter.

        • by mysidia ( 191772 )

          Would it be bad to retain the "must contain a letter" rule if the password is long enough?

          Yes, because strong passwords don't need to use a letter, And if you estimate entropy PROPERLY, then
          there's no reason for the restriction --- it's just spurious.

          • And if you estimate entropy PROPERLY

            What's "properly"? Kolmogorov complexity isn't tractable to compute.

            • Does Kolmogorov complexity adequately describe what users actually choose as passwords when "complex" password rules are imposed? Most people will do something easy to remember involving pet and kid names mixed with birth dates and a few obvious special character substitutions, or variations on that theme. This should be your expectation when attempting to estimate the entropy in your passwords.

    • by hackel ( 10452 )

      Heh, thank you for posting exactly what I intended to when I read this article, even including the "Uh." These people are quite clueless.

    • Didn't we just have a (absolutely stupid) story about how password complexity rules are bad?

      Why is this idiot at +5?

      I wonder which one [github.com] he is responsible for.

    • (Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)

      Comparing against a blacklist of common passwords, and having a few modest length requirements (and maybe an entropy counter), are good rules. I'm not convinced that complexity rules are.

      I used to work at GoDaddy. The security tutorial I had to pass on my first day actually recommended satisfying the "mixed-case/symbol" requirement by starting with an initial capital letter and ending with an exclamation p

  • Passwords need to not be a single dictionary word or name followed by a one followed by an exclamation mark with the first letter capitalized. The really stupid thing to do is issue requirements for including upper case, lower case, numbers, special symbols, etc. and then often within a lower or upper limit and then with symbol restrictions. If a password can't be memorized, it's useless. The only thing that should be mandatory is that the password be long (passphrase), complicated, or both, and perhaps tha
    • by Nartie ( 1128613 )
      I once tried to create a password on a site with some very complicated password rules. it rejected all of my 30 character random passwords no matter what I did to the generator. So I gave up and called tech support. It turns out that there are two sets of complicated password rules, and the one published on the web site is very wrong. For example, you had to use a special character. The web site helpfully listed half a dozen, but only three of them worked. My final password was only marginally better th
  • U2F to the rescue! (Score:5, Informative)

    by icknay ( 96963 ) on Thursday August 10, 2017 @07:28PM (#54987603)
    If you really want it locked down, U2F (2FA device standard) is the way to go. Currently only supported by technically leading sites: google, facebook, github, but jeez it's such a huge improvement over passwords or password managers. One neat side effect of U2F is that with it in place, the password can be super simple, since with U2F the password is not very important. See the U2F FAQ: https://medium.com/@nparlante/... [medium.com]
    • by Average ( 648 )

      U2F really does whip the proverbial llama's ass. I wouldn't say, though, that your password is 'not very important'.... your password is still your second factor for a lost/stolen U2F key.

      It is slowly gaining market share. One major financial firm (Vanguard mutual funds/brokerage) has enabled U2F logins, hopefully more to follow.

  • by Anonymous Coward

    Many websites have good password policies - however, too many of them have entirely vulnerable account/password recovery systems.

    I am reminded of this story about a clever attacker who convinced GoDaddy to let them into the victim's account by means of the last four digits of a credit card number provided over the phone by PayPal's recovery process: https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd

    Securing a site against password-based attacks is a solved problem. Figuring out what to

  • by esperto ( 3521901 ) on Thursday August 10, 2017 @07:55PM (#54987755)
    The worst that can happen if some "bad guy" finds out someones netflix account is to make a mess on episodes that were seen/not seen.

    If said someone reuses their password across sites, it can be real bad, but password formation rules are useless against that type of bad password management, you can have the strongest password ever create by man, if you use the same across all your accounts and one dumb webmaster decides to save password as plain text and get invaded, you are fucked the same way!
    So children, use password managers, you can use the most simple of the passwords for your logins (albeit with a manager that would be dumb), as long as you use a different one for each.

  • How could I ever avoid using 'a' as a password without a dozen BS rules that are different on every fucking site?

  • Sites "failed Dashlane's tests." Good for them. Recent analysis by real cryptographers shows that password rules are worse than no rules.

    And now we have "Dashlane", a nobody who wants to "grade" sites on their "password creation policies."

    https://xkcd.com/936/ [xkcd.com]

    Bye Dashlane and stop it with your self-serving PR memos. You are a disservice to oxygen-breathing password-users.

    E

    • by bussdriver ( 620565 ) on Friday August 11, 2017 @01:16AM (#54989121)

      Requiring UPPERCASE doubles the space while 0-9 only adds 10 digits. It would be better to require mixed CASE than to require digits.

      Also, requiring a symbol then allowing ANY symbol would expand the space to typical symbols people use... probably only about 8 symbols cover 90% of passwords. A full brute force would expand to nearly all of unicode! Emjoii included.

      Requiring a SPACE might only add 1 digit but it would hint to people to add a whole WORD and I bet you get more in practice than requiring digits.

      Strength tests should include the domain name because I've seen some lists where the domain name was used. My own investigating found people will use dates, names, initials, their PIN #, phone, even part of their email address. That kind of easily guessed stuff does not show up in these checkers OR in the stats gathered from break ins. Sites really should not create an account password UNTIL you enter all your account information. The session ID is good enough for tracking logins it surely is good enough to setup an account before creating a password and account name. Everybody does it backwards.

  • by swell ( 195815 ) <jabberwock@poetic.com> on Thursday August 10, 2017 @09:06PM (#54988235)

    I have a two character password for one important account. It wasn't important 15 years ago when I created it, but grew in value. Perhaps I should change it, but then I'd be among the millions of others using this service with 8+ character passwords. I'm pretty sure that if a hacker looked at my 2 character password, she would just assume that it was a fragment of some code.

    "GoDaddy emerged as the only consumer website with a perfect score" - I hope they've improved; for years they consistently locked me out of my account, requiring calls to tech support. There is a practical limit to the number of obscure requirements for account access. Other companies require phone confirmation (I won't give them my phone #), email or text confirmation, etc. Is it necessary or simply a means to gather more marketable information about users?

    Then there are companies who insist that your username or password is incorrect. Yes, the one you've been using all along. You have to go and create a new one (again, wait for a code via email). Then, when you use the same password, the system says you are not allowed to use the same password (it knew you had the correct password all along!). Somewhere behind the scenes is an Eichmann who delights in torturing users.

  • by FeelGood314 ( 2516288 ) on Thursday August 10, 2017 @10:15PM (#54988587)
    Seriously fuck you Help Net Security. I really don't care about the security of most sites enough to have to memorize a unique password for them and most sites actually do understand this. Further if it is a site that I do care about the security I want to be able a secure password that I can remember. TR0b@dor is hard as hell for me to remember and will likely be in the first million passwords a cracking program will try. Second for an online attack you need enough entropy to stop an attacker who is rate limited. So 2^30 is likely strong enough (that's 3 common English words). If someone gets your salted hashed password file you are going to need 2^60 bits of entropy. 6 English words. Making be choose a password that is anywhere between those two lengths is either a waste of my time or insufficient security.
    • by tlhIngan ( 30335 ) <slashdot&worf,net> on Friday August 11, 2017 @02:15AM (#54989241)

      Seriously fuck you Help Net Security. I really don't care about the security of most sites enough to have to memorize a unique password for them and most sites actually do understand this. Further if it is a site that I do care about the security I want to be able a secure password that I can remember. TR0b@dor is hard as hell for me to remember and will likely be in the first million passwords a cracking program will try. Second for an online attack you need enough entropy to stop an attacker who is rate limited. So 2^30 is likely strong enough (that's 3 common English words). If someone gets your salted hashed password file you are going to need 2^60 bits of entropy. 6 English words. Making be choose a password that is anywhere between those two lengths is either a waste of my time or insufficient security.

      Exactly.

      Your website may not be important to me, so I won't give it a very important password. It may be important to you, but not to me. Especially if you insist on a username and password to do the most basic things.

      You want me to log in to download your free software? Sure, I'll create an account - with a wimpy password. I don't care if that software is your heart and soul and you missed your mother's funeral to release it on time. I just want the file.

      You want me to log in to comment on your article? Well, ditto. Same for forums as well.

      Hell, I fully expect those sites to be hacked, so why use a strong password? Might as well just make it "password" and be done with it - if someone's downloaded the password file then they have all the time in the world to crack it. I might as well assume your site has vulnerabilities that make it easy to steal the password file.

      Oh yeah, my Paypal, Amazon and bank passwords? They're nice and secure.

      • by green1 ( 322787 )

        This is the biggest thing about security of websites. If your site doesn't handle my money, or my real life reputation, then it doesn't need a secure password.
        Imagine if every single store you ever visited required you to sign up with all your personal details and carry around a user card before you could walk in the door? Sure you'd put up with it for your favourite grocery store, the local hardware store, and maybe 1-2 others, but you'd quickly say enough is enough and just avoid the mall. The web is incr

        • Yeah at least when sites have custom logins the profile stays there, more and more are asking to log in via social media or gmail account... why would I want to link anymore information about be on the internet than absolutely necessary?
  • by Tony Isaac ( 1301187 ) on Thursday August 10, 2017 @10:27PM (#54988643) Homepage

    I've lost track of how many passwords I have on various sites. Each site has its own rules, that conflict with each other. There's no way I can remember them all. So what do I do? I send myself emails with password hints for each site, or save a list in a password-protected document, or let Chrome remember it, or write them on a sticky note.. If somebody figures out a way to hack Chrome's password vault, a LOT of people are in trouble! Somebody DID hack LastPass.

    When building security is very tight, and there's a need for a plumber to come and go, what do they do...somebody props open a door, of course! Passwords are no different. If you make them too hard, people take measures to remember them--measures that make them less secure than if the rules weren't there in the first place!

    • I've got a password protected file with login and password hints for a couple dozen sites in it. Not the frequent ones like amazon or my banking, the infrequent ones that I need like once every year or so. Car insurance website with the bizarrely shitty requirements where only some subset of the symbols are allowed, and some other crazy requirements. Student loan login so I can get my interest statement for taxes. I find that it's invaluable when I go to log in each year, as if I can at least remember the l

  • Shock as sites designed for professional use leave responsibility for choosing secure password to their clients!
  • by account_deleted ( 4530225 ) on Friday August 11, 2017 @05:29AM (#54989689)
    Comment removed based on user account deletion
  • by arobatino ( 46791 ) on Friday August 11, 2017 @05:38AM (#54989723)

    It's more important that a site allow strong passwords, by having long or no length limit, and no character restrictions. Amazon, Google, and LinkedIn, for example, may allow weak passwords, but unlike many sites, they also allow very strong passwords (no length or character restrictions AFAIK). If someone doesn't want a strong password (for example if they insist on trying to remember dozens of different passwords instead of using a password manager) forcing one will just make them write it on a sticky pad. Which may or may not be OK, depending on whether it's a secure environment.

  • The testing criteria is flawed.

    If websites did their security right, there is no issue with it just being "a".

    Once you salt, pepper, and hash that letter it becomes just as tricky to hack as "h&t3)__ner!1" -- 64 digits of random looking hex.

    A real indicator of a website's bad password storage is if there is a character limit. If they only allow password that are 12 characters or fewer, then you know they are saving the password in a recoverable format. You should also try doing a "Forgot Password"; if t

  • 8+ - Good
    Alphanumeric required - Bad, you allow the attacker to skip testing all alpha-only / numeric-only passwords.
    Password strenght meter - We all know they don't work
    Logins cannot be brute forces - OK
    2-FA auth - doesn't have much to do with passwords

You know you've landed gear-up when it takes full power to taxi.

Working...