Many major internet businesses catering to consumers and companies — including Dropbox, Amazon and Google — allow users to create passwords that consist of strings of a single character that are crackable in seconds, according to new research.
The study, produced by password manager company Dashlane, checked the practices of 37 consumer-facing websites and apps for five basic password security measures — including whether new customers could create an account protected by a password using only a repeated single character.
More than half of all the consumer sites researchers tested allowed a password with fewer than eight characters. Additionally, “researchers created passwords using nothing but the lowercase letter ‘a’ on Amazon, Google, Instagram, LinkedIn, Venmo and Dropbox, among others,” according to Dashlane.
Of the consumer sites, only one, GoDaddy, implemented all five of the basic security measures. Netflix, Pandora, Spotify and Uber all got zero, because they implemented none.
On the enterprise side, two of the 11 companies researched — Stripe and QuickBooks — got five out of five. Basecamp and Salesforce scored four, GitHub and MailChimp three, while Amazon Web Services scored one.
The five measures the researchers investigated by creating new accounts are:
- Eight-plus character minimum length: “Tested by creating a new account on each website. Dashlane researchers attempted to create passwords less [sic] than 8 characters irrespective of the sites’ stated minimum password requirements.”
- Requires letters and numbers: “Tested by creating a new account on each website. Researchers attempted to create passwords with all letters (aaaaa) or numbers (111111).”
- Password strength assessment for users: “Tested by creating a new account on each website. If the site provided any notification, such as a meter or color-coded bar, they were credited as providing an assessment,” but not those which merely confirmed the password was of sufficient length or otherwise met minimum criteria.
- Brute force attack protection: “Researchers attempted to login using incorrect passwords. If the tester was able to continue entering incorrect credentials after 10 attempts” without locking the account, having to fill out a CAPTCHA code or meeting some other security test, “the site did not receive credit.”
- Two-factor authentication: “A site was given credit if they offer any two-factor or multi-factor authentication,” including via SMS or keystick.
The company notes that the most popular sites provide “the least guidance” when it comes to secure password policies.
“We created the Password Power Rankings to make everyone aware that many sites they regularly use do not have policies in place to enforce secure password measures,” said Dashlane CEO Emmanuel Schalit in a release. “It’s our job as users to be especially vigilant about our cybersecurity, and that starts with having strong and unique passwords for every account. However, companies are responsible for their users, and should guide them toward better password practices.”
Passwords have largely fallen from favor among cybersecurity professionals, most of whom advocate the use of some kind of second ID factor as a minimum for online identity authentication.
It was a problem popularized as long ago as 1993, by a New Yorker cartoon in which a dog sitting at a computer terminal declares, “On the internet, no one knows you’re a dog.”
The issue of password composition has been a vexing one for those trying to develop and maintain cybersecurity best practices. The National Institute of Standards and Technology in June completely rewrote its digital identity guidelines, getting rid of the recommendation that passwords should contain special characters and/or numbers and should be changed regularly.
Then new guidelines, instead, emphasize length rather than complexity.
“Password length has been found to be a primary factor in characterizing password strength,” write the authors in a special appendix, while “composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol … [are] not nearly as significant [in improving security] as initially thought.”
Cryptologists say — and physicist Randall Murray popularized the practice in a widely circulated cartoon — that a brute force attack on a shorter but more complex password (such as “Tr0ub4dor&3”) is much easier than on a long but simpler passphrase (such as “correcthorsebatterystaple”).
Instead of complexity requirements, the new NIST guidelines recommend “that passwords chosen by users be compared against a ‘black list’ of unacceptable passwords” drawn from “previous [password] breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose.”
Ironically, according to a popular website set up to allow users to run just that kind of check on their own passwords, the comic passphrase, correcthorsebatterystaple, has already been cracked.