August 14, 2017 By Douglas Bonderud 3 min read

How secure are web services? A new study conducted by password management service Dashlane analyzed 40 popular online portals and found that, in most cases, password policy doesn’t match expectations of consumer protection.

Using a set of five sample rules, the Dashlane study found that most companies came up short in at least one area — with some even allowing abysmal password options such as “aaaa” to access user accounts. Here’s a look at the breakdown.

Breaking the Rules

As noted by Bleeping Computer, Dashlane used five rules to evaluate password protection potential:

  1. Does the website require user passwords of at least eight characters?
  2. Does the site require a combination of letters, numbers and symbols?
  3. Does the website offer an on-screen password strength meter?
  4. Does the site provide brute-force protection?
  5. Does the service provide two-factor authentication?

Of all services surveyed, only Stripe, QuickBooks and GoDaddy came up with all five, while popular sites such as Amazon, Dropbox, Google and LinkedIn struggled in specific areas. For example, Amazon and Google let researchers create passwords using only the lowercase letter “a,” while Netflix and Spotify allowed “aaaa” as a viable password.

Other sites, such as Twitter, Venmo and Walmart, didn’t offer brute-force protection, and the study found that 51 percent of consumer sites did not require passwords of eight characters or more. Also worth noting? Seventy-six percent of consumer sites and 72 percent of enterprise sites did not have on-screen password strength meters, while 32 percent of consumer sites lacked two-factor authentication.

Taking a Pass on Passwords

Ubiquity and ease of use means that despite inherent security flaws, passwords aren’t going anywhere — but a shift is underway. For example, Popular Science recommended that users avoid passwords such as “123456” or “password,” both of which made the list of most popular passwords in 2016. It then suggested that a solid password policy should require at least 10 characters.

But according to The Verge, password guru Bill Burr, who popularized password practices such as using numbers and special characters, said that these methods actually aren’t that effective when it comes to keeping accounts safe. Despite calls for random, character-variable passwords, users often employ the same techniques to randomize their credentials, making it easier for attackers to gain access.

So what does a secure password look like? As noted by MSPmentor, the new NIST Special Publication 800-63 recommended that users create passwords that are unique, easy to remember and at least eight characters long. The publication also suggested that users should shelve advice about changing passwords regularly, since this requirement often leads them to choose simple passwords that are only slight variations of their original choice.

In addition, enterprises should implement password-checking technology that automatically rejects common passwords. There’s also research to suggest that longer passwords containing a series of unique, memorable words offer much greater defense against automated brute-force cracking methods.

Finding the Password Policy Balance

Consumer and corporate password policies aren’t perfect. As noted by the Dashlane research, some companies come up short, and even those offering maximum protection are undermined by the inherently insecure nature of password-based credentials. Ideally, web services and corporate portals need to find a balance between on-screen assurances of strength and password rules that help deter threat actors without unduly inconveniencing users.

For companies, this actually amounts to good news: Fewer password changes mean fewer headaches for IT experts and reduced stress on employees. Not to mention, a shift away from special character combinations gives users a better shot at coming up with something that actually offers protection.

Bottom line? Passwords such as “aaaa” are awful, but “P@s5W0rd!” isn’t much better. Letting users choose longer passwords they’ll actually remember and only demanding changes in the event of an actual breach could help shore up password policy without creating new protection problems.

More from

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today