GoDaddy, Stripe, and QuickBooks lead with the best password policies, according to the 2017 Password Power Rankings from Dashlane.
Dashlane found that almost half (46%) of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements.
The most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane’s tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter "a" on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others, it said.
“We created the Password Power Rankings to make everyone aware that many sites they regularly use do not have policies in place to enforce secure password measures. It’s our job as users to be especially vigilant about our cybersecurity, and that starts with having strong and unique passwords for every account,” said Dashlane CEO Emmanuel Schalit. “However, companies are responsible for their users, and should guide them toward better password practices.”
To determine the ranking, Dashlane researchers tested each site against password security criteria, such as requiring passwords of eight or more characters that combine letters, numbers, and symbols, and offering two-factor authentication. A site received one point for each test it passed, for a maximum score of five. A score of 3/5 was deemed passing, meeting the minimum threshold for good password security (complete methodology below).
5/5 Score (Best)
- Best Buy
- The Home Depot
- Toys “R” Us
0/5 Score (Worst)
- MongoDB (mLab)
- Amazon Web Services