Password Power Rankings: a Look At the Practices of 40+ Popular Websites (helpnetsecurity.com)
Orome1 shares a report from Help Net Security: Nothing should be more important for these sites and apps than the security of the users who keep them in business. Unfortunately, Dashlane found that 46% of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements. The most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane's tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter "a" on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5. Here's a screenshot of how each consumer/enterprise website performed.
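As an added illustration (not code from the article, from Dashlane, or from any of the sites named), here is the kind of server-side acceptance check that would reject the all-"a" passwords the researchers got through, as well as the Password1 to Password2 rotation the comments below complain about. The minimum length, entropy threshold and the small common-password list are constructed assumptions standing in for a real policy and a real breached-password corpus.

```python
import math
import re
from collections import Counter
from typing import List, Optional

# Constructed stand-in for a breached/common-password list; a real check
# would consult a corpus of millions of entries, not six.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "password1", "abc123",
}

MIN_LENGTH = 8          # assumed policy value
MIN_ENTROPY_BITS = 2.0  # assumed per-character entropy floor


def shannon_entropy_bits(pw: str) -> float:
    """Per-character entropy estimated from the password's own character
    frequencies. A single repeated character ("aaaaaaaa") scores 0.0."""
    counts = Counter(pw)
    n = len(pw)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def bumped_version(old: str, new: str) -> bool:
    """True when `new` is `old` with only its trailing number changed
    (Password1 -> Password2), the rotation pattern forced-change policies invite."""
    m_old = re.fullmatch(r"(.*?)(\d+)", old)
    m_new = re.fullmatch(r"(.*?)(\d+)", new)
    if not (m_old and m_new):
        return False
    return m_old.group(1) == m_new.group(1) and m_old.group(2) != m_new.group(2)


def check_password(pw: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(pw)) == 1:
        failures.append("single repeated character")
    elif shannon_entropy_bits(pw) < MIN_ENTROPY_BITS:
        failures.append("too few distinct characters")
    if pw.lower() in COMMON_PASSWORDS:
        failures.append("in common-password list")
    if previous is not None and bumped_version(previous, pw):
        failures.append("only the trailing number changed from previous password")
    return failures
```

The entropy test catches low-variety strings that a simple "must contain a digit" rule would wave through; the previous-password comparison only works if the site can still verify the old password at change time, which is why it is applied during a change flow rather than on stored hashes.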
Uh (Score:4)
Didn't we just have a (absolutely stupid) story about how password complexity rules are bad?
Which is it?
(Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)
Re: (Score:2)
more2rival+Relish
Re: (Score:2)
minimum length
What would be cool is minimum keystrokes instead. That way one could have a couple of backspaces in the password. Try to rainbow table that!
Re: (Score:2)
> Didn't we just have a (absolutely stupid) story about how password complexity rules are bad? Which is it?
> (Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)
To clarify, the author of the complex password policies that have lasted 15+ years had regrets for one reason: the rules were too complex for users. In other words, he underestimated just how stupid and ignorant the masses are.
Force complex passwords? Users write them down. Every time. And "hide" them in the same stupid place.
Don't force complex passwords? Users create shitty passwords, and the Top 10 Shitty Passwords in 2017 are the same Top 10 Shitty Passwords used in 1987.
Force password changes? Users
Re: (Score:2)
> Force password changes? Users change from Password1 to Password2. You'll be able to guess their password 5 years from now.
That is why I append a 4-digit number to the passphrase, in the format MMYY, of when the password expires, as a mnemonic for when it expires.
Your crappy "password1" becomes "password0817"
Good luck guessing the first part -- the pass phrase, along with the second part -- when it expires.
> The problem isn't password policies;
Incorrect. I've seen sites where they had a maximum password len
U2F to the rescue! (Score:2)
Passwords not usually the only way in (Score:1)
Many websites have good password policies - however, too many of them have entirely vulnerable account/password recovery systems.
I am reminded of this story about a clever attacker who convinced GoDaddy to let them into the victim's account by means of the last four digits of a credit card number provided over the phone by PayPal's recovery process: https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd
Securing a site against password-based attacks is a solved problem. Figuring out what to
Worst that can happen (Score:2)
If said someone reuses their password across sites, it can be really bad, but password formation rules are useless against that type of bad password management. You can have the strongest password ever created by man; if you use the same one across all your accounts and one dumb webmaster decides to save passwords as plain text and gets invaded, you are fucked the same way!
So child