Websites with Best and Worst Password Security -- Study
By Ma Evelyn Castino Quilas | May 22, 2014 11:06 AM EST
Apple, Hotmail, Microsoft Store, and UPS are the internet sites with the best password security, while Match.com, Amazon, Groupon, US Airways, and Victoria's Secret are among the sites with the worst, according to the second password security roundup conducted by Dashlane.
The study, conducted after the Heartbleed bug erupted, examined 22 criteria that are critical to password security across more than 80 of the most popular websites. Each criterion carried a positive or negative point value, with +100 as the highest possible score and -100 as the lowest. A score of +50 was set as the minimum requirement for good password security. The websites examined fall under six categories: Dating, E-Commerce, Security, Productivity, Social Utilities, and Travel.
The study further revealed that 86 percent of the sites did not meet the minimum score for adequate password policies, leaving their users highly susceptible to internet threats. Among the popular sites that scored well below the threshold are AOL, Best Buy, Gmail, Groupon, LinkedIn, eBay, Skype, Twitter, Craigslist, Facebook, Pinterest, and United Airlines.
In addition, 53 percent of the sites received negative scores in the study. Among them are Amazon, American Airlines, Dropbox, Fab, Gap, Groupon, Home Depot, Victoria's Secret, and Walmart.
Furthermore, 51 percent of the sites, such as Gmail, Amazon, eBay, and Nike, did not lock the user's account after 10 incorrect password attempts. Without a lockout, hackers can keep entering commonly used passwords at the log-in screen until one is accepted, and then steal the user's data.
The study also revealed that 43 percent of the sites, like Dropbox, Walmart, and Delta, accepted the worst passwords, such as "123456." Another 48 percent of the sites accept "password" as a user's password. Among these sites are Amazon, American Airlines, Dropbox, eHarmony, Fab, Gap, Home Depot, JetBlue, Match.com, US Airways, Ticketmaster, Walmart, and Christian Mingle.
Some websites, such as Fab, 1800Flowers, and Match.com, even allow users to create new accounts with just the letter "a" as the password.
A Dashlane press release also mentioned that websites like Gap and Airbnb store their users' credit card information yet require only a five-character password. These practices leave their consumers at high risk of credit card fraud.
Dashlane offered several suggestions to address the password security problems that most companies face. Among the suggestions are using 8 characters as the minimum password length, using alphanumeric and case-sensitive passwords, setting up email confirmations for password changes, not accepting the 10 worst passwords on the web, and not allowing login attempts after 10 incorrect password tries.
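Four of these suggestions can be expressed as a sign-up check plus a failed-login counter. The sketch below is an added example, not code from Dashlane or the study; the function and class names are hypothetical, the blocklist is a constructed sample (the article names only "123456" and "password"), and "case sensitive" is read here as requiring both upper and lower case, which is an assumption.

```python
import hmac

MIN_LENGTH = 8          # suggestion: 8 characters minimum
MAX_FAILED_LOGINS = 10  # suggestion: no login attempts after 10 incorrect tries
# Constructed sample: the article names only "123456" and "password";
# a real deployment would load a published worst-passwords list.
WORST_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}


def policy_violations(candidate):
    """Return the rules a new password breaks (empty list means accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in candidate)
            and any(c.isdigit() for c in candidate)):
        problems.append("not alphanumeric")
    # Assumption: "case sensitive" is read as requiring upper and lower case.
    if not (any(c.isupper() for c in candidate)
            and any(c.islower() for c in candidate)):
        problems.append("no mixed case")
    if candidate.lower() in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")
    return problems


class LoginGuard:
    """Counts consecutive failed logins per account and locks at the limit."""

    def __init__(self, limit=MAX_FAILED_LOGINS):
        self.limit = limit
        self.failures = {}

    def attempt(self, account, supplied, stored):
        # Refuse before comparing, so a locked account answers no more guesses.
        if self.failures.get(account, 0) >= self.limit:
            return "locked"
        # Plaintext comparison keeps the example short; a real system
        # compares against a salted password hash instead.
        if hmac.compare_digest(supplied.encode(), stored.encode()):
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "denied"


def replay_attempts(guard, account, stored, attempts):
    """Feed a sequence of login attempts to the guard; return each outcome."""
    return [guard.attempt(account, a, stored) for a in attempts]
```
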
To see the password security scores of the internet sites included in the study, visit https://www.dashlane.com/securityroundup.