Some interesting insights today from Dashlane, the password management vendor, who ran a review of a bunch of different consumer and enterprise websites to assess how well (or not) they ensure that their users utilize good password practices.

To determine the ranking, Dashlane researchers examined sites against password security criteria, such as requiring passwords of eight or more characters with a combination of letters, numbers, and symbols, and offering two-factor authentication. A site received a point for each test where it performed positively, for a maximum score of five. A score of 3/5 was deemed passing and meeting the minimum threshold for good password security (complete methodology below).

While some might argue about the finer details of the review methodology, the fact is that by applying a consistent measure across disparate sites, Dashlane provides us with an interesting relative, if a slightly flawed absolute, measure.

You’d be excused for thinking that, in this day and age when the perils of poor password security are seemingly well known and well demonstrated, all services would put this front and center of their priorities. Alas, that is not the case, and there are some pretty dismal findings.

Dashlane found that almost half (46%) of consumer sites, and 36% of enterprise sites, failed to implement the most basic password security requirements. In addition, the most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane’s tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter “a” on some of the more popular websites or services. To its credit, GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5.

The rationale for creating the report has lots to do with subtly advocating for password management products like Dashlane, but beyond the obvious vested interests, Dashlane’s CEO, Emmanuel Schalit, articulates a more altruistic reason:

“We created the Password Power Rankings to make everyone aware that many sites they regularly use do not have policies in place to enforce secure password measures. It’s our job as users to be especially vigilant about our cybersecurity, and that starts with having strong and unique passwords for every account. However, companies are responsible for their users, and should guide them toward better password practices.”

And so to the rankings, directly from the horse’s mouth, as it were…

Consumer tools

  • 5/5 Score (Best)
    • GoDaddy
  • 4/5 Score
    • Apple
    • Best Buy
    • The Home Depot
    • Microsoft/Live/Outlook
    • PayPal
    • Skype
    • Toys “R” Us
    • Tumblr
  • 3/5 Score
    • Airbnb
    • Facebook
    • Google
    • Reddit
    • Slack
    • Snapchat
    • Staples
    • Target
    • Twitch
    • WordPress
    • Yahoo
  • 2/5 Score
    • Amazon
    • eBay
    • LinkedIn
    • Starbucks
    • Twitter
    • Venmo
  • 1/5 Score
    • Dropbox
    • Evernote
    • Instagram
    • Macy’s
    • Pinterest
    • SoundCloud
    • Walmart
  • 0/5 Score (Worst)
    • Netflix
    • Pandora
    • Spotify
    • Uber

Enterprise rankings

  • 5/5 Score
    • Stripe
    • QuickBooks
  • 4/5 Score
    • Basecamp
    • Salesforce
  • 3/5 Score
    • GitHub
    • MailChimp
    • SendGrid
  • 2/5 Score
    • DocuSign
    • MongoDB (mLab)
  • 1/5 Score
    • Amazon Web Services
    • Freshbooks

MyPOV

There’s not much to say other than to point out that there are a lot of massively popular websites and services that need to try much, much harder to ensure the security of their users. Sure, an individual user has the responsibility for password safety, but vendors also have a very important role to play.

Ben Kepes

Ben Kepes is a technology evangelist, an investor, a commentator and a business adviser. Ben covers the convergence of technology, mobile, ubiquity and agility, all enabled by the Cloud. His areas of interest extend to enterprise software, software integration, financial/accounting software, platforms and infrastructure as well as articulating technology simply for everyday users.
