A team of security researchers at Dashlane, a password manager company offering services similar to LastPass, has analyzed close to 50 online services on their password practices. They looked at big companies like Spotify, Uber and GoDaddy, and not all of them turned out to be as secure as you would expect when it comes to their password policies.
They broke down their analysis into five key points that every good and secure password policy should cover. Of all analyzed companies, GoDaddy, an online web hosting and domain service provider, came out as one of the most secure, while popular giants like Netflix, Spotify and Uber came out as the worst.
The five key points researchers tested for were:
Is a password of 8 or more characters required? The longer the password, the better. Longer passwords take attackers far more time to crack, whether they brute-force the login directly or try to recover the password from a stolen password hash.
Does the website require alphanumeric characters? A combination of letters, numbers and symbols is absolutely vital for a good password. The more kinds of characters that can be used, the more time an attacker needs to guess it.
Does the website have a password assessment tool? Some websites provide a password assessment tool so that, upon creation of your account or upon changing your password, you can check how strong your password actually is. If this is not provided, you can always use the free service (also sponsored by Dashlane) called HowSecureIsMyPassword.
Does the company have measures against brute-forcing in place (10+ tries)? Brute-forcing is a technique where attackers try all possible passwords until they find the correct one. Websites can use things like reCAPTCHA, account lockouts or two-factor authentication to prevent this from happening.
Is there an option for two-factor authentication? Two-factor authentication is something fairly new in the security world, that is, in its current most common form (via an app). This security measure requires the user to provide an extra one-time code (often 6 digits) that changes every minute, even after the user has logged in with the correct password.
Lax Password Policies
The researchers were shocked to find out how bad the policies on these popular services really are. Here are some of the facts.
The team was able to create the password ‘aaaa’ on Spotify and Netflix.
They were able to create passwords consisting of nothing but a's on services like Amazon, Instagram and LinkedIn.
Giants like Apple, Google and Dropbox did not have any measures against brute-forcing.
The only services with a perfect score were Stripe, QuickBooks and GoDaddy.
The worst performers were Netflix, Spotify, Pandora and taxi service Uber.
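The findings above (a password of 'aaaa' accepted, no brute-force protection) are exactly what the first, second and fourth key points are meant to prevent. The following Python example, added here and not taken from the article or from any of the services it names, shows a server-side policy that enforces them: a minimum length of 8, a mix of character classes, rejection of single-character passwords, and a lockout after 10 consecutive failed logins. The user store, thresholds, lockout duration and the sample account are constructed for the example; passwords are stored as salted PBKDF2 hashes rather than in clear.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8            # key point 1: at least 8 characters
MIN_CLASSES = 3           # key point 2: mix of lower, upper, digits, symbols
MAX_FAILED_ATTEMPTS = 10  # key point 4: lock out after 10 failed tries
LOCKOUT_SECONDS = 15 * 60 # constructed lockout duration for the example
PBKDF2_ROUNDS = 100_000


def check_password_policy(password: str) -> list:
    """Return the policy violations for a candidate password.
    An empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if present < MIN_CLASSES:
        problems.append(f"uses only {present} of 4 character classes (need {MIN_CLASSES})")
    if len(set(password)) == 1:
        problems.append("made of a single repeated character")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 hash; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginThrottle:
    """In-memory failed-login counter with a temporary lockout."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # username -> consecutive failure count
        self._locked_until = {}  # username -> unix time the lockout expires

    def is_locked(self, username: str, now: float) -> bool:
        return self._locked_until.get(username, 0) > now

    def record_failure(self, username: str, now: float) -> bool:
        """Count a failed login; returns True if this failure triggered a lockout."""
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_attempts:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures[username] = 0
            return True
        return False

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(throttle: LoginThrottle, users: dict, username: str,
                  password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'denied'. Unknown users are counted like wrong
    passwords so the throttle treats every name the same way."""
    if throttle.is_locked(username, now):
        return "locked"
    record = users.get(username)
    ok = False
    if record is not None:
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        ok = hmac.compare_digest(candidate, stored)
    if ok:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    return "denied"


if __name__ == "__main__":
    # Constructed sample account and clock values for the example.
    users = {"alice": hash_password("Tr0ub4dor&3")}
    throttle = LoginThrottle()
    print("policy for 'aaaa':", check_password_policy("aaaa"))
    for i in range(MAX_FAILED_ATTEMPTS):
        print("wrong password:", attempt_login(throttle, users, "alice", "guess", 1000.0 + i))
    print("right password while locked:", attempt_login(throttle, users, "alice", "Tr0ub4dor&3", 1011.0))
```

The throttle is per-account and in memory, which is enough to demonstrate the lockout; a production service would persist the counters, add a CAPTCHA or delay well before the hard lockout, and also throttle by source address so that one attacker cannot lock legitimate users out of their own accounts.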
Pablo is the Founder and head researcher at Brussec Security. Being obsessed with cyber security for as long as he can remember, he now strives to make the internet a safer place.