Dashlane’s UK Password Security Roundup: Most popular websites leave consumers exposed after Heartbleed

Dashlane’s second Password Security Roundup examined 60 of the UK’s most popular sites in the aftermath of Heartbleed. It found that 80% of these websites had subpar password security policies. Many failed to implement even the bare minimum standard security practices, leaving consumer data across the web dangerously susceptible.

The Roundup comprised 22 password criteria that Dashlane identified as critical to password security. Each criterion was given a +/- point value, leading to a total possible score of between -100 and +100. A score of +50 is Dashlane’s minimum suggested requirement for good password practices. This study is a broader follow-up to Dashlane’s first UK study conducted in March.

Apple had the highest rating and was the only website to receive a perfect score, as it also did in Q1. Hotmail was second, while John Lewis and UPS tied for third. Other sites receiving passing scores included Marks & Spencer, Ryanair, and Yahoo Mail, among others.

Fenwick received the lowest score, while House of Fraser and Fortnum & Mason tied for second worst. Amazon, Harvey Nichols, easyJet, and Match.com were also among the lowest ranked sites. Several sites that store their users’ credit card information, including TK Maxx and Wilkinson, only required a 5-character password. In fact, Currys allowed users to create new accounts using only the letter “a” as the password.

Other key findings:

  •     80% did not meet the threshold for adequate password policies (i.e. a score of +50), including:
          o    Booking.com, British Airways, Facebook, IKEA and Twitter
  •     50% of the sites received scores of 0 or below
  •     57% did not lock accounts after 10 incorrect password attempts
  •     40% accepted the worst passwords on the web, such as “123456”
          o    Specifically, 43% allowed users to use “password” as their password

Dashlane examined sites in six categories: Dating, E-commerce, Security, Productivity, Social Utilities and Travel. The Roundup found that E-Commerce (-2), Internet Security (-4) and Dating (-35) had the lowest average scores.

The full study results, including an interactive data table and embeddable media, can be found here: dashlane.com/uksecurityroundup.

Unsafe Practices

Although most sites instructed their users to change passwords following Heartbleed, they did not strengthen their own inadequate and unsafe password policies. Dashlane compared the Security Scores of the sites in the Roundup with average password strength on these sites.

A clear pattern emerged, showing that users’ password strength correlated with a site’s security score. In other words, tougher password requirements meant stronger and more secure passwords.

It goes without saying that the weaker the password, the more exposed a user’s personal and financial data are. Passwords are the first line of defense for every user of the Internet. The failure of websites to require more secure passwords means they are knowingly making their users more susceptible to hackers and malicious software.

Additionally, 57% of the top sites do not lock users’ accounts after repeated incorrect logins. One of the favorite methods used by hackers is password guessing with lists of commonly used passwords. All a hacker needs is a list of emails and a list of common passwords (both easily found with a quick search), and they can easily code an automated program to push millions of email-password combinations into login screens.

By simply blocking an account after a few failed entry combinations, websites could prevent hackers from stealing data using this practice. The following are just a few of the more well-known sites which do not lock users’ accounts after 10 failed access attempts: Amazon, Dropbox, Harrods, Miss Selfridge and Twitter.

Simple Solutions

Dashlane suggests that websites adopt the following password security measures at a minimum:

  •     Minimum password length of 8 characters
  •     Alphanumeric and case-sensitive passwords
  •     Email confirmations for password changes
  •     Do NOT accept the 10 worst passwords on the web
  •     Do NOT allow login attempts after 10 incorrect password tries
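
A minimal server-side sketch of four of these measures (length, letters plus digits, denylist, lockout after 10 failures), added here as an illustration and not taken from Dashlane's study. The names `policy_violations` and `LoginGuard` are hypothetical, and the denylist holds only the two weak passwords the article names because the full list of ten is not given on this page.

```python
import re

# Constructed denylist: only the two passwords quoted in the article.
# Replace with the full list from your own source.
WORST_PASSWORDS = {"123456", "password"}
MIN_LENGTH = 8
MAX_FAILURES = 10  # lock threshold recommended in the article


def policy_violations(password):
    """Return the reasons a candidate password fails the minimum policy."""
    problems = []
    # Denylist match ignores case so "Password" is rejected too; the stored
    # password itself must still be verified case-sensitively.
    if password.lower() in WORST_PASSWORDS:
        problems.append("on the worst-passwords denylist")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must contain both letters and digits")
    return problems


class LoginGuard:
    """Counts consecutive failed logins per account and locks at the limit."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = {}

    def _key(self, account):
        # Normalise so "Alice@Example.com" and "alice@example.com" share a counter.
        return account.strip().lower()

    def is_locked(self, account):
        return self.failures.get(self._key(account), 0) >= self.max_failures

    def attempt(self, account, password_ok):
        """Record one login attempt and return 'locked', 'ok' or 'denied'."""
        key = self._key(account)
        if self.is_locked(account):
            return "locked"  # refuse even a correct password once locked
        if password_ok:
            self.failures.pop(key, None)  # success resets the counter
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        return "denied"
```
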

Dashlane CEO Emmanuel Schalit elaborated on these practices:

Companies and websites have no excuse for their poor password policies. Implementing strong password policies is extremely cheap and can easily be done with readily available open-source technology.

Our study found a clear and direct correlation between a website’s password requirements and the average strength of a user’s password. Sites that require more complex passwords have users with greater password strength. Passwords are the first line of defense in protecting private personal and financial information on the web, and weak password requirements end up leaving all of us more exposed.

The full study results, including data and embeddable media, can also be found at dashlane.com/uksecurityroundup.

Contact Author

Ryan Merchant
Dashlane
+1 7184194441