Too many big online brands allow terrible passwords

Bad passwords, we are told with exhausting regularity, are where users consistently mess up their online security. But might big companies also be at fault for designing weak password behaviour into their websites?

An assessment of the password design of 37 well-known big online websites and apps by password manager company Dashlane ventures an answer: many sites are quite good, a few are improving, and a hard core that includes some of the web’s biggest brands remains surprisingly sketchy.

Dashlane, it should be said, has something to gain by pointing out lousy password design, because its business model is built around selling secure password management software that claims to be the answer.

This doesn’t disqualify the company’s findings, however, which were measured against five criteria: minimum password length, the enforcement of alphanumeric passwords, whether a strength assessment is offered, resistance to brute-forcing (in other words, locking accounts after too many incorrect attempts), and whether or not multi-factor authentication is available.

There’s quite a lot going on here, but let’s start with the juicy naming and shaming bit because there are some real surprises.

Scoring a fat zero out of five were Uber, Spotify, Pandora and Netflix, with Walmart, Instagram, Pinterest, SoundCloud, Evernote, Macy’s and Dropbox on 1/5. Turning to enterprise sites, things improved slightly, but even here Amazon Web Services (AWS) and Freshbooks scored 1/5, with MongoDB and DocuSign on 2/5.

This means that a user can sign up for many of these sites by entering a simple password below eight characters (“aaaaaaa”, say), and it won’t object. Should an attacker try to brute-force this, failed attempts won’t necessarily prompt intervention.
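To show how little server-side code three of Dashlane’s five criteria actually require (minimum length, alphanumeric enforcement, a strength assessment for the user, and lockout after repeated failures), here is an added illustration that is not Dashlane’s code or any of the rated sites’ code. The thresholds (8 characters, 5 failed attempts) and the `LoginGuard` helper are assumptions chosen for the example; multi-factor authentication is not shown.

```python
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8            # assumed floor: "aaaaaaa" (7 chars) must be rejected
MAX_FAILED_ATTEMPTS = 5   # assumed lockout threshold for consecutive failures


def check_password_policy(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "alphanumeric" here means at least one letter and at least one digit
    if not re.search(r"[A-Za-z]", password) or not re.search(r"\d", password):
        problems.append("must mix letters and digits")
    if len(set(password)) < 4:  # catches repeated-character passwords
        problems.append("too few distinct characters")
    return problems


def strength_feedback(password: str) -> str:
    """Coarse strength label shown to the user while they type at sign-up."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(password) >= 16 and classes >= 3:
        return "strong"
    if len(password) >= 12 and classes >= 2:
        return "medium"
    return "weak"


@dataclass
class LoginGuard:
    """Per-account failed-attempt counter that locks the account after
    MAX_FAILED_ATTEMPTS consecutive failures (the brute-force criterion)."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, username: str, password_ok: bool) -> str:
        if username in self.locked:
            return "locked"          # even a correct password is refused now
        if password_ok:
            self.failures.pop(username, None)  # success resets the counter
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(username)
            return "locked"
        return "denied"
```

In production the counters would live in shared storage and the lock would expire or require an out-of-band unlock, but the decision logic is no more involved than this.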

There’s nothing stopping users creating long, complex passwords and using these sites more securely. The issue is these sites don’t care either way.

This sharply contrasts with GoDaddy (5/5) and Apple, Best Buy, Home Depot, Microsoft, PayPal, Skype, Toys ‘R’ Us and Tumblr (all 4/5) which enforced all or most of the criteria.

Users should be vigilant about passwords, conceded Dashlane CEO Emmanuel Schalit. Nevertheless:

Companies are responsible for their users, and should guide them toward better password practices.

He’s right, of course – sites should care when users enter weak passwords. Given how simple some of this would be to implement, it’s surprising it’s an issue at all.

Some of the sites rated weak will doubtless object that website security is more complex than these criteria suggest. They, too, are right. Multi-factor authentication, for example, is an essential layer these days but some sites implement it more securely than others. It’s not a simple tick box.

One might also quibble about the importance of whether a site tells its users that a password is or isn’t secure when this is already enforced by policy.

Some will suspect companies’ weak password policies simply betray a lack of faith in good choices, which get re-used, phished and breached. Alternatively, they just think being fussy about passwords is a barrier to attracting users to sign up for and use their services, particularly those based around mobile apps.

This is short-sighted. Good security is communicated precisely by a fastidiousness about passwords. Even as their significance as a primary security mechanism declines, deep down, people know that passwords still say an awful lot about users and the companies they are drawn to.