Which of your favourite websites are terrible at passwords?

Match.com, you might be one of the biggest dating sites out there, but you’re breaking our hearts.

The site came in dead last in the latest password security roundup done by password management firm Dashlane.

Dashlane’s scale tops out at 100, which is where you’ll find Apple, but Match.com scored -70.

How does a site achieve such a password fail?

First, as Match.com does, it accepts utterly lame passwords. Like, say, “password”!

In fact, 43% of the sites Dashlane rated let their users register passwords like “Qwerty”, “123456”, “11111”, “monkey”, “abc123”, or “letmein”.

Meanwhile, 51% of the sites just sit back and let attackers bombard them, failing to lock an account even after 10 incorrect login attempts.

We’re talking about you, Evernote, Airbnb, Amazon, LinkedIn, and the oh-so-recently hacked eBay.

And 66% of sites don’t require alphanumeric passwords.

Out of the 83 most popular sites on the web that Dashlane checked out, 86% had a security score of less than 50, which is the base score for an adequate security policy.

Here’s a list of the weakest sites:

  • Victoria’s Secret (-45)
  • US Airways (-45)
  • Orbitz (-45)
  • Kickstarter (-45)
  • Groupon (-45)
  • Amazon (-45)
  • Fab (-50)
  • Overstock (-55)
  • Hulu (-55)
  • Match.com (-70)

Dating sites had an average score of -23, with scores ranging from -2.5 to Match.com’s -70. Can we trust them with our love lives if we can’t trust them with our security?

Travel sites had an average score of -17. Dashlane notes that for sites that typically store our credit cards, you’d expect password requirements to be as thorough as an airport pat-down, but you’d be disappointed.

Dashlane suggests that website owners require passwords to be a minimum of 8 characters, but that sounds short to me. The more characters the better, so why not set the minimum character count higher?

As it is, if websites are storing user passwords right (hashed with a per-user salt and a deliberately slow function, so that the stored value is the same size whether the password is 8 characters or 80), there’s no excuse for needlessly limiting the length of a user’s password, as Naked Security pointed out when explaining the right way to store users’ passwords.

Before Naked Security explained how to do it right, we explained how Adobe did it wrong and how that led to its record-shattering data breach of October 2013.

At any rate, beyond minimum character count, Dashlane has these other good password tips for website owners:

  • Require alphanumeric and case-sensitive passwords.
  • Send an email when passwords are changed.
  • Block the worst passwords on the web.
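Here is what those recommendations look like when they are actually enforced, together with the 10-attempt lockout and the salted, slow hashing discussed above. This is an added example written for this post, not Dashlane’s code or any of the rated sites’ code. The 12-character minimum (the post argues for more than Dashlane’s 8), the PBKDF2 iteration count, the in-memory account store and the short blocklist seeded from the passwords named above are all assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Blocklist seeded with the worst passwords named in the post. A real site would
# load a much longer list; this short set is constructed for the example.
WORST_PASSWORDS = {"password", "qwerty", "123456", "11111", "monkey", "abc123", "letmein"}

MIN_LENGTH = 12              # Dashlane says 8; the post argues for longer, so 12 (an assumption)
MAX_ATTEMPTS = 10            # the lockout threshold Dashlane measured sites against
PBKDF2_ITERATIONS = 600_000  # OWASP's recommended work factor for PBKDF2-HMAC-SHA256


def check_policy(password: str) -> list[str]:
    """Return the policy violations for a candidate password; [] means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must mix letters and digits")
    if password.lower() == password or password.upper() == password:
        problems.append("must mix upper and lower case")
    if password.lower() in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as algo$iterations$salt$digest.

    The digest is always 32 bytes however long the password is, which is why a
    site that stores passwords this way has no reason to cap password length."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Verified against when the account does not exist, so a wrong e-mail address costs
# the same time as a wrong password and does not reveal which addresses are registered.
DUMMY_HASH = hash_password("not-a-real-account")


class AccountStore:
    """In-memory user table (constructed for the example) with per-account lockout."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}
        self.outbox: list[dict] = []  # stands in for the e-mail service

    def register(self, email: str, password: str) -> None:
        problems = check_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        self.users[email.lower()] = {"hash": hash_password(password), "failures": 0, "locked": False}

    def login(self, email: str, password: str) -> str:
        """Return "ok", "denied" or "locked"; MAX_ATTEMPTS failures in a row lock the account."""
        user = self.users.get(email.lower())
        if user is None:
            verify_password(password, DUMMY_HASH)
            return "denied"
        if user["locked"]:
            return "locked"
        if verify_password(password, user["hash"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_ATTEMPTS:
            user["locked"] = True
            return "locked"
        return "denied"

    def change_password(self, email: str, old: str, new: str) -> dict:
        """Re-verify the old password, store the new one, and queue the notification
        e-mail Dashlane recommends, so the owner hears about a change they did not make."""
        if self.login(email, old) != "ok":
            raise PermissionError("current password not verified")
        problems = check_policy(new)
        if problems:
            raise ValueError("; ".join(problems))
        self.users[email.lower()]["hash"] = hash_password(new)
        notice = {"to": email, "subject": "Your password was changed"}
        self.outbox.append(notice)
        return notice
```

Two details worth noticing: the stored record for a 600-character password is exactly as long as the record for a 12-character one, so the length cap some sites impose buys them nothing; and the lockout counter lives with the account rather than with the client’s IP address, because an attacker spraying ten guesses from each of a thousand addresses is exactly the bombardment the post describes.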

Facebook, for its part, actually took that last piece of advice – block the lamest passwords on the web – and gave it a neat twist following Adobe’s mega-breach.

Namely, Facebook figured out which users were employing the same login credentials on Adobe as they were on Facebook, and they locked their accounts in a closet, out of the public eye, until the password-reusing users changed passwords.
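The post does not say how Facebook matched Adobe’s leaked credentials against its own users, so the following is an added illustration of one way such a check can be done, not Facebook’s or Adobe’s code. It assumes the leaked passwords are available in plaintext (salted hashes from another site cannot be compared with your own) and that your site stores salted PBKDF2-HMAC-SHA256; the user table and the leaked dump are tiny constructed samples.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: our site stores salted PBKDF2-HMAC-SHA256


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_store(accounts):
    """Constructed user table for our own site: email -> salt, digest, locked flag.
    We never hold plaintext, so reuse can only be tested by re-deriving a candidate."""
    store = {}
    for email, password in accounts:
        salt = os.urandom(16)
        store[email.lower()] = {"salt": salt, "digest": derive(password, salt), "locked": False}
    return store


# Our users (constructed). Alice reused her leaked password; Bob did not;
# Dave does not appear in the leak at all.
OUR_USERS = build_store([
    ("alice@example.com", "Summer2013!"),
    ("bob@example.com", "Different-Here-77"),
    ("dave@example.com", "Nothing-To-See-4"),
])

# A dump from another site, recovered as plaintext (constructed). The other
# site's own salted hashes would be useless here: they cannot be compared with ours.
LEAKED = [
    ("Alice@Example.com", "Summer2013!"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "Tr0ub4dor&3"),
]


def find_reused(store, leaked):
    """Emails whose current password on our site equals the one leaked elsewhere.

    Each test costs one full PBKDF2 derivation, so we only re-derive for
    addresses we actually hold; unknown addresses are skipped without work."""
    hits = []
    for email, leaked_pw in leaked:
        rec = store.get(email.lower())
        if rec is None:
            continue
        if hmac.compare_digest(derive(leaked_pw, rec["salt"]), rec["digest"]):
            hits.append(email.lower())
    return hits


def quarantine(store, emails):
    """Lock the matching accounts until their owners set a new password, as the
    post says Facebook did. Returns the accounts now locked."""
    for email in emails:
        store[email]["locked"] = True
    return sorted(e for e, rec in store.items() if rec["locked"])
```

The expensive step is the re-derivation, one slow hash per leaked address you hold, which is the same cost a legitimate login pays; a dump of millions of rows therefore needs a batch job rather than a check on the login path, but nothing about the stored hashes has to be weakened to make the comparison possible.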

When it comes to what web users can do to keep passwords strong and secure, it’s worth using a password manager, such as LastPass or KeePass, or Dashlane itself. There are plenty out there, so spend some time researching all the options.

Password managers are great because they relieve users of the hassles of remembering scads of unique, complex passwords. We’re always nagging people about the evils of password reuse at Naked Security, and password managers are a good way to avoid this security sin.

Of course, you still have to come up with a master password, so make that one long and complex, and then keep it safe.

But we’re equal-opportunity naggers. In fact, ditching password reuse is just one of our 3 essential security tasks.

So while you’re fixing your passwords, please do the other 2 tasks as well.

And to stay on top of data breaches at your favourite sites or anywhere else, consider joining up with Naked Security on our Facebook page.

Image of shocked man courtesy of Shutterstock.