Some of consumers' favorite apps and websites have such poor security controls that they let users create terrible passwords that leave them vulnerable to hackers, according to a new study from password management company Dashlane.
Companies like Netflix and Spotify have “dangerously lax” policies that allow subscribers to create passwords with fewer than eight characters, or ones made up of all letters or all numbers, like “aaaaaa” or “111111,” Dashlane said in a report published Wednesday. The company’s researchers tested 37 consumer and 11 enterprise sites and apps from July 5 to July 14.
They also checked to see if a website at least made it harder to use “brute force” to figure out your password – where a hacker (or computer bot) keeps entering new passwords until they find the right one. New York-based Dashlane researchers tried to log in more than 10 times with incorrect passwords and if they weren’t dealt “any security mechanism, such as a CAPTCHA code or the account automatically locking, the site did not receive credit.”
CAPTCHA codes require a user to manually enter a random phrase or characters to verify that they aren’t a computer. More advanced tests require a user to pick out an item like a car or street sign out of a set of random photos.
Dashlane researchers found that 46 percent of the consumer sites and apps, and 36 percent of the enterprise ones, “failed to implement the most basic password security requirements.” Only three companies got a “perfect score” on the five security criteria measured: GoDaddy, QuickBooks and Stripe.
Researchers were able to create passwords using nothing but the lowercase “a” repeatedly on sites including Amazon, Dropbox, Google, Instagram, LinkedIn, Uber and Venmo, according to the blog post published Wednesday.
In one of the most shocking observations, researchers successfully created accounts on Netflix and Spotify using “aaaa” as a password. Seriously.
Dashlane evaluated the password policies of each site or app based on whether they required passwords with eight or more characters; a combination of letters, numbers and symbols; a meter that shows a user’s password strength; and extra security measures like CAPTCHA codes or locking out the account after multiple failed attempts. Researchers also measured whether a site had two-factor authentication, like a code sent in an email or text message.
The worst offenders on the consumer side – who got a zero in all five criteria – were Netflix, Pandora, Spotify and Uber. Also bad with credit for just one out of five security measures were Dropbox, Evernote, Instagram, Macy’s, Pinterest, SoundCloud and Walmart.
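Two of the five criteria in the study, locking an account after repeated failed logins and not letting the password simply be guessed at leisure, come down to a small piece of server-side logic. The following is an added illustration, not code from Dashlane or from any of the companies named; the ten-failure threshold mirrors the study's test, while the 15-minute lockout, the PBKDF2 parameters, and the in-memory account store are assumptions chosen for the example.

```python
"""Failed-login throttling of the kind the Dashlane test checked for.

Added example (not Dashlane's code). Assumptions: accounts live in memory,
passwords are stored as salted PBKDF2 hashes, and an account locks for
LOCKOUT_SECONDS once MAX_FAILURES wrong passwords are entered in a row.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MAX_FAILURES = 10        # the study tried "more than 10" wrong passwords
LOCKOUT_SECONDS = 900    # assumption: lock the account for 15 minutes
PBKDF2_ROUNDS = 100_000  # assumption; tune upward for production hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; generates a fresh salt if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive wrong passwords since last success
    locked_until: float = 0.0  # clock value at which the lockout expires


class LoginGuard:
    """Verifies passwords and locks an account after MAX_FAILURES bad attempts."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock            # injectable so tests can advance time
        self._accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._accounts[username] = Account(salt, digest)

    def attempt(self, username: str, password: str) -> str:
        """Return "ok", "denied" (wrong password or unknown user) or "locked"."""
        now = self._clock()
        acct = self._accounts.get(username)
        if acct is None:
            # Run the KDF anyway so unknown usernames cost the same time as known ones.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            return "locked"          # the mechanism the study gave credit for
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"


def dashlane_style_probe(guard: LoginGuard, username: str, tries: int = 11) -> bool:
    """Mimic the study's check: enter `tries` wrong passwords and report whether
    any throttling mechanism fired. A site that never returns "locked" would
    not have received credit."""
    outcomes = [guard.attempt(username, f"wrong-password-{i}") for i in range(tries)]
    return "locked" in outcomes


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("alice", "correct horse battery staple")  # constructed account
    print("lockout fired:", dashlane_style_probe(guard, "alice"))
    print("correct password while locked:", guard.attempt("alice", "correct horse battery staple"))
```

The lockout counter is reset when the lock is set, so a legitimate user gets a fresh allowance once the window expires; a CAPTCHA step, the other mechanism the study accepted, would slot in where `"locked"` is returned.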
Great passwords exceed the eight-character minimum, use a mix of letters, capital letters and numbers and are different for each account, according to Dashlane.
Dashlane also recommends avoiding passwords that use “common words, phrases, slang, places, names, etc.” The researchers also suggest using a password manager, which is somewhat self-serving given the fact that Dashlane is a password manager, but is also good advice.
Interestingly, the man who wrote the 2003 primer that has defined password rules for corporations, government agencies and the military now thinks he totally got it wrong, he told the Wall Street Journal recently.
Bill Burr, who wrote the guidelines when he was at the National Institute of Standards and Technology, advised people to make up complicated passwords with capital letters, special characters and numbers. He also said people should change them often.
“Much of what I did I now regret,” Burr told the Journal.
NIST is now recommending lengthy password phrases that are easier to remember instead of short passwords with weird characters.
It recommends rule-makers “allow at least 64 characters in length to support the use of passphrases. Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.”
The new guidelines also specifically say not to “impose other composition rules (e.g. mixtures of different character types) on memorized secrets.” They also suggest not requiring passwords to be changed periodically, only when there is evidence of account compromise.
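The difference between the composition-rule approach Dashlane scored sites against and the length-plus-blocklist approach NIST now recommends is easiest to see when the same candidate passwords are run through both. The checker below is an added example, written for this article and not taken from Dashlane, NIST or any site named above; the tiny blocklist is a constructed sample standing in for the breached-password corpus a real deployment would use, and the 128-character upper bound is an assumption that satisfies NIST's "at least 64" floor.

```python
"""Composition-rule policy versus NIST-style policy, side by side.

Added example (not Dashlane's or NIST's code). The blocklist is a constructed
sample; a real deployment would screen against a full breached-password list.
"""
import re
import string
from dataclasses import dataclass

# Constructed sample of commonly chosen passwords, stored lowercased.
COMMON_PASSWORDS = {
    "password", "p@ssw0rd", "password1", "123456", "12345678",
    "qwerty", "letmein", "iloveyou", "aaaaaaaa", "abc12345",
}

NIST_MIN_LEN = 8
NIST_MAX_LEN = 128   # assumption: NIST only requires allowing at least 64


@dataclass
class Verdict:
    ok: bool
    reason: str


def composition_policy(pw: str) -> Verdict:
    """The rule set the study scored sites against: eight or more characters
    and a combination of letters, numbers and symbols."""
    if len(pw) < 8:
        return Verdict(False, "fewer than 8 characters")
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    if not (has_letter and has_digit and has_symbol):
        return Verdict(False, "needs letters, numbers and symbols")
    return Verdict(True, "meets composition rules")


def nist_style_policy(pw: str) -> Verdict:
    """NIST-style rules: a length floor, a generous ceiling, any characters
    including spaces, no composition rules, and a blocklist of weak choices."""
    if len(pw) < NIST_MIN_LEN:
        return Verdict(False, f"fewer than {NIST_MIN_LEN} characters")
    if len(pw) > NIST_MAX_LEN:
        return Verdict(False, f"longer than {NIST_MAX_LEN} characters")
    if re.fullmatch(r"(.)\1*", pw):
        return Verdict(False, "single repeated character")
    if pw.lower() in COMMON_PASSWORDS:
        return Verdict(False, "on the common-password blocklist")
    return Verdict(True, "acceptable memorized secret")


def compare(pw: str) -> dict:
    """Run both policies and report the two verdicts for one candidate."""
    return {
        "composition": composition_policy(pw).ok,
        "nist_style": nist_style_policy(pw).ok,
    }


if __name__ == "__main__":
    # Constructed candidates: the study's worst cases plus a passphrase.
    for candidate in ["aaaa", "111111", "P@ssw0rd", "correct horse battery staple"]:
        print(f"{candidate!r:34} {compare(candidate)}")
```

Running it shows the tension the article describes: "P@ssw0rd" satisfies every composition rule yet is a blocklist entry, while "correct horse battery staple" fails the composition check but passes the NIST-style one. The blocklist lookup is also where Merchant's caution about passphrases built from easily guessed words would be enforced in practice.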
Asked about using passphrases that are easier to remember, Ryan Merchant, who oversaw Dashlane’s password study, cautioned that passphrases also aren’t foolproof.
“The danger is when users create passwords that contain words that are easily hackable,” Merchant said.