Password Policies of 40 Popular Online Services Analyzed

Megalith

GoDaddy has the best password practices, while Netflix, Spotify, and Uber have the worst: that’s what the team at Dashlane, a password manager app, has determined after registering accounts on 40 sites and recording which websites follow five simple rules. These include whether an 8+ character and alphanumeric password is required, and if 2-factor authentication is available.

Researchers created passwords using nothing but the lowercase letter "a" on popular sites such as Amazon, Dropbox, Google, Instagram, LinkedIn, Netflix, Spotify, Uber, and Venmo. Researchers created an account on Netflix and Spotify that used the simplistic password "aaaa." Six websites did not have policies to prevent brute-force attacks: Apple, Dropbox, Google, Twitter, Venmo, and Walmart.
 
Does the website require users to have passwords with a combination of letters, numbers, and symbols?
Does the website provide an on-screen password strength meter to show users how strong their password is?
The first one is annoying and websites should stop implementing it immediately. "We're sorry, your 40 character password consisting of 7 random words isn't strong enough because it doesn't have capital letters, numbers, or special characters". Yeah... right...
The second one is useless if it's too simple (if it can't detect that P4$$w0rD is a SIGNIFICANTLY WORSE password than D4ekPpc6, what's the point?)
 
The thing sites really need to start doing (though I have seen a few that actually do this) is listing the MAXIMUM password length.

Too many times I have generated a "face+keyboard" password and pasted it in the box only to find out I cannot log in because said box cut it short with no warning.

Another thing sites need to stop doing (I'm looking at you PayPal) is not allowing people to copy&paste in the password.
 
good! i don't want obnoxious password requirements. i also don't need them to give me my baby bottle and wipe my butt.

if i want a crappy password on some random site because i need one to learn about how big goldfish grow in sewer systems, then i'll use a crappy password.
 
Make the length 10 letters minimum, no other restrictions. With letters only, 26^10 is 141 quadrillion combinations. Sure, use numbers, symbols whatever if you want to... But that doesn't matter if you make the minimum longer. By comparison, 62^8 (lower case 26, upper case 26 and numbers 10) is 218 quadrillion combinations, but the former has the capacity to include capitals and numbers IF YOU WANT but is a lot easier to remember.
 
Here is my opinion on the matter. There should be no password requirements period. If a user wants to use a weak stupid password, let them, that is their concern.

But the one thing I hate the most is restrictive password requirements. Limiting what I can use as my password what characters or length. If a site is properly handling passwords it should not matter what I enter as they should be thrown in a hashing function reducing whatever I entered into safe to handle data. That is all they need to do. Give me helpful insight into the strength of my password but do not limit what I can set my password as.
 
But the one thing I hate the most is restrictive password requirements. Limiting what I can use as my password what characters or length. If a site is properly handling passwords it should not matter what I enter as they should be thrown in a hashing function reducing whatever I entered into safe to handle data. That is all they need to do. Give me helpful insight into the strength of my password but do not limit what I can set my password as.

yep hate it when i get limited to 16 characters like in origin or paypal.. really paypal.
 
The thing sites really need to start doing (though I have seen a few that actually do this) is listing the MAXIMUM password length.

Too many times I have generated a "face+keyboard" password and pasted it in the box only to find out I cannot log in because said box cut it short with no warning.

Another thing sites need to stop doing (I'm looking at you PayPal) is not allowing people to copy&paste in the password.
Sites should not have a password maximum AT ALL (except for something reasonable like 100+ characters).

Also, what do you mean websites should not allow copy-paste? Like, you don't want people to copy their password from their KeePass database into the password field?
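The points above (a length-only policy, a generous stated maximum, any characters accepted because everything goes through a hash function, and never silently cutting a pasted password short) can be put together in a small registration/login model. This is an added example, not code from the thread or from any of the sites it discusses; the limits, the scrypt parameters and the `field_limit` switch are assumptions made to illustrate the lock-out caused by silent truncation.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

MIN_LEN = 10   # length-only policy, as argued in the thread: no composition rules (assumed value)
MAX_LEN = 128  # generous cap that is stated to the user, never silently applied (assumed value)

def normalize(candidate: str) -> str:
    """NFKC so the same passphrase typed through different input methods hashes identically."""
    return unicodedata.normalize("NFKC", candidate)

def check_password(candidate: str) -> Tuple[bool, str]:
    """Accept or reject on length only; the message names the limit and nothing is shortened."""
    n = len(normalize(candidate))
    if n < MIN_LEN:
        return False, f"at least {MIN_LEN} characters required, got {n}"
    if n > MAX_LEN:
        return False, f"at most {MAX_LEN} characters allowed, got {n}"
    return True, "ok"

def hash_password(candidate: str, salt: bytes) -> bytes:
    """scrypt from the standard library reduces any length and any characters to a 32-byte digest."""
    return hashlib.scrypt(normalize(candidate).encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)

def register(candidate: str, field_limit: Optional[int] = None) -> Tuple[bytes, bytes]:
    """Return the stored (salt, digest). `field_limit` simulates a signup box that cuts the
    pasted password short without warning, the failure the thread complains about."""
    ok, msg = check_password(candidate)
    if not ok:
        raise ValueError(msg)
    stored = candidate if field_limit is None else candidate[:field_limit]
    salt = os.urandom(16)
    return salt, hash_password(stored, salt)

def login(candidate: str, record: Tuple[bytes, bytes]) -> bool:
    """Login form with no field limit, compared in constant time against the stored digest."""
    salt, digest = record
    return hmac.compare_digest(hash_password(candidate, salt), digest)

if __name__ == "__main__":
    phrase = "UraniumPurpleDirtExplodePolicy"              # example passphrase from the thread
    print(login(phrase, register(phrase)))                  # True: full password stored
    print(login(phrase, register(phrase, field_limit=16)))  # False: silently truncated at signup
    print(check_password("aaaa"))                           # rejected, with the limit named
```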
 
The first one is annoying and websites should stop implementing it immediately. "We're sorry, your 40 character password consisting of 7 random words isn't strong enough because it doesn't have capital letters, numbers, or special characters". Yeah... right...
The second one is useless if it's too simple (if it can't detect that P4$$w0rD is a SIGNIFICANTLY WORSE password than D4ekPpc6, what's the point?)

For years now I've been recommending pass phrases, based on that XKCD comic. I'm starting to wonder if that is a mistake. For instance, a 4 word phrase isn't much different from a 4 letter password if you think about it. A brute force attempt could just use a dictionary of very common words, and randomly try passwords with them. And a lot of people's vocabulary is quite small. But on second thought, maybe I'm looking at this wrong... because even with let's say a tiny vocabulary of 200 words (most people probably know thousands), that's still more than 62 alphanumeric characters. And that's without adding caps.

Can someone do the math on that for me? How many combinations are there if you have between 4-7 lower case words, from a dictionary of 200 words?
 
How many combinations are there if you have between 4-7 lower case words, from a dictionary of 200 words?
I think that's simply 200^4 + 200^5 + 200^6 + 200^7 which works out as 12864321600000000.
 
For years now I've been recommending pass phrases, based on that XKCD comic. I'm starting to wonder if that is a mistake. For instance, a 4 word phrase isn't much different from a 4 letter password if you think about it. A brute force attempt could just use a dictionary of very common words, and randomly try passwords with them. And a lot of people's vocabulary is quite small. But on second thought, maybe I'm looking at this wrong... because even with let's say a tiny vocabulary of 200 words (most people probably know thousands), that's still more than 62 alphanumeric characters. And that's without adding caps.

Can someone do the math on that for me? How many combinations are there if you have between 4-7 lower case words, from a dictionary of 200 words?
The key is still randomization from a large pool of choices. You want to get a list of common words, say about 2000 words (that's what XKCD uses), and choose random words out of that. If a hacker has your list of words, but they are completely randomly chosen, it will be difficult for him to get your password as compared to an 8 character alpha/numeric/special based on some word (most people usually choose a word and try to randomize some of the characters). Note that the comic is not saying that a 4-word randomized passphrase is stronger than an 8 character COMPLETELY random password. It's just a lot of people choose passwords that are memorable, so naturally they are based on a word. As soon as you choose a single word for your password you are narrowing down the number of passwords that crackers need to test by A LOT. Also, a 4 character completely random password is significantly worse than a 4-word passphrase (even if your pool of words is only 200 words, which is really small btw)

https://explainxkcd.com/wiki/index.php/936:_Password_Strength
 
I think that's simply 200^4 + 200^5 + 200^6 + 200^7 which works out as 12864321600000000.
This is correct. I want to point out that there is little reason to have the passphrase vary between 4 and 7 words. The number of combinations added by having 6-, 5-, and 4-word passphrases is dwarfed by simply choosing a 7-word passphrase (200^4+200^5+200^6 is less than 1% of 200^7). And it's arguable that a cracker would start with smaller passphrases first, so having a passphrase be 4 words because you wanted more variety probably just compromised you more than anything.
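The arithmetic asked for above, and the comparisons made elsewhere in the thread (10 lowercase letters, 8 alphanumeric characters, 4 words from a 2000-word list, and how little the shorter phrases add to a 4-to-7-word range), worked through as an added example rather than a calculation from any poster. The guess rates are constructed numbers for illustration, not measurements.

```python
import math

# Constructed guess rates for illustration only; they are not measurements.
ONLINE_RATE = 10.0       # guesses/s against a rate-limited login form
OFFLINE_RATE = 10_000.0  # guesses/s against leaked hashes protected by a slow KDF such as bcrypt

def keyspace(pool: int, min_len: int, max_len: int) -> int:
    """Count secrets of min_len..max_len symbols, each drawn from `pool` choices."""
    return sum(pool ** n for n in range(min_len, max_len + 1))

def entropy_bits(space: int) -> float:
    """Work factor expressed in bits, the unit the XKCD comic uses."""
    return math.log2(space)

def years_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every secret at `rate` guesses per second."""
    return space / rate / (365 * 24 * 3600)

def shorter_share(pool: int, min_len: int, max_len: int) -> float:
    """How much the lengths below max_len add relative to using max_len alone."""
    return keyspace(pool, min_len, max_len - 1) / keyspace(pool, max_len, max_len)

# The cases raised in the thread, as (symbol pool, min symbols, max symbols).
POLICIES = {
    "10 lowercase letters": (26, 10, 10),
    "8 alphanumeric": (62, 8, 8),
    "4-7 words, 200-word list": (200, 4, 7),
    "7 words, 200-word list": (200, 7, 7),
    "4 words, 2000-word list": (2000, 4, 4),
}

def report() -> dict:
    """Per policy: keyspace, bits, and years to exhaust at the offline and online rates."""
    rows = {}
    for name, (pool, lo, hi) in POLICIES.items():
        space = keyspace(pool, lo, hi)
        rows[name] = (space, round(entropy_bits(space), 1),
                      years_to_exhaust(space, OFFLINE_RATE), years_to_exhaust(space, ONLINE_RATE))
    return rows

if __name__ == "__main__":
    for name, (space, bits, off, on) in report().items():
        print(f"{name:26s} {space:>22,d} {bits:5.1f} bits  offline {off:12.0f} y  online {on:14.0f} y")
    print(f"4-6 word phrases add {shorter_share(200, 4, 7):.2%} on top of the 7-word ones")
```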
 
to be fair working in IT I see a lot of security policies that encourage insecure passwords due to asinine requirements forcing the users into thinking of very simplistic passwords. Nobody can remember an 8 character pw with "1 of each", so you're gonna get P@ssword123 every time
 
The key is still randomization from a large pool of choices. You want to get a list of common words, say about 2000 words (that's what XKCD uses), and choose random words out of that. If a hacker has your list of words, but they are completely randomly chosen, it will be difficult for him to get your password as compared to an 8 character alpha/numeric/special based on some word (most people usually choose a word and try to randomize some of the characters). Note that the comic is not saying that a 4-word randomized passphrase is stronger than an 8 character COMPLETELY random password. It's just a lot of people choose passwords that are memorable, so naturally they are based on a word. As soon as you choose a single word for your password you are narrowing down the number of passwords that crackers need to test by A LOT. Also, a 4 character completely random password is significantly worse than a 4-word passphrase (even if your pool of words is only 200 words, which is really small btw)

https://explainxkcd.com/wiki/index.php/936:_Password_Strength

Yeah, I realized my mistake as I was typing it out, lol. The reason I said 200 words is because most people would likely pick from a very small list of common words that they use daily, rather than randomly generating a passphrase from a large pool of words. So you'll end up seeing passphrases that look a lot like "MyDogRexIsCute" rather than "UraniumPurpleDirtExplodePolicy". I think someone much smarter than me could figure out a shortcut where you are using some of the most common words, and forming them into somewhat grammatically correct sentences. Same thing as using a dictionary of words first to try passwords rather than trying every possible combination. I could see a dictionary of common phrases being developed and used.

Of course, using something like bcrypt largely negates all of this anyway. With a different salt per password and a high enough cost parameter, I don't see a brute force attempt happening for anything but the simplest of passwords.
 
As for passwords the only requirement should be to have it strong enough. What's "enough" is determined by what needs to be protected and how often the password is changed.

Two-factor authentication is, as far as I'm aware, the norm. You'll need to provide both username and password. My job 30 years ago only required a password (typically very weak at that!) to log in to a nationwide corporate network(*) with lots of users and most probably some "National security" level sensitive information stored on it...
A third factor, such as the commonly used phone number, should only be applied with care, balancing needs for data security with needs for personal security and integrity of the user.

(*) All users had unique passwords, but they could be very simple. The password I used was 1212, my department manager had 1111, and so on...
 
At the clinic, I just use sentences that pop into my head when I'm at a particular workstation.
So, 'roomWithHotNurse', 'XRayThatBish', 'GetThePaddles' etc
 