Is it up to the individual or the website to ensure every account user chooses a secure password? Dashlane, the people behind the 2017 Password Power Rankings, suggest that websites themselves should feel a greater sense of responsibility when it comes to ensuring all accounts are protected with a powerful password. Their recent findings revealed that some of the most popular sites, including Pinterest, Dropbox, Netflix and Instagram, are failing users when it comes to the first step of cyber security.
Dashlane conducted a Password Power Ranking test to help determine which sites are enforcing comprehensive password policies for all users to encourage vigilance in the fight against cyber crime. The sites were ranked in a number of categories, including how complex a password they required (length, mixture of letters and numbers, symbols, etc.) and whether they offered two-factor authentication. GoDaddy, Stripe and QuickBooks came in with perfect scores, while Netflix, Pandora, Spotify and Uber all scored zero. Other low-scoring sites included Dropbox, Instagram, eBay, LinkedIn, Amazon, Pinterest and Twitter. The immense popularity of these sites and the fact that there is no policy in place to protect users is, frankly, disappointing.
The CEO of Dashlane, Emmanuel Schalit, believes that while consumers are responsible for using unique and strong passwords on their accounts, companies have a shared responsibility to look after their users by not only requiring them to use a strong password but also educating them as to what a powerful password entails: namely a mixture of letters, numbers, symbols, upper- and lowercase characters and, of course, one that is unique for every account.
Amazon, Dropbox, Google, Instagram, LinkedIn and Venmo were sites which allowed researchers from Dashlane to create an account with a password consisting only of lowercase ‘a’ letters. The hackability of this password is obvious to everyone. So why were these accounts even allowed to be set up with such a weak password in the first place? Could this be considered negligent on the part of the company?
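The kind of server-side check that would have rejected the all-‘a’ password above, written as an added example for this post (it is not code from Dashlane or from any of the sites named). It enforces the criteria the article lists (length, upper- and lowercase letters, digits, symbols) and adds two checks the article's examples imply: a single character making up most of the password, and a blocklist of passwords that are universally known to be weak. The exact thresholds (12 characters, 50% single-character share) and the blocklist entries are this example's own assumptions.

```python
import string
from collections import Counter

# Thresholds are this example's assumptions; the article names the criteria
# (length, letters, digits, symbols, mixed case) but gives no exact numbers.
MIN_LENGTH = 12
MAX_SINGLE_CHAR_SHARE = 0.5  # reject if one character is over half the password

# Constructed sample blocklist of universally known weak passwords. A real
# deployment would load a far larger list (for example from breach corpora).
WEAK_PASSWORD_BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "aaaaaaaa",
}


def password_policy_violations(password: str) -> list[str]:
    """Return every policy rule the password breaks; an empty list means it passes."""
    violations = []

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no symbol")

    # A password dominated by one repeated character (the all-'a' case) carries
    # very little entropy even when it is long, so check the character mix too.
    if password:
        most_common_count = Counter(password).most_common(1)[0][1]
        if most_common_count / len(password) > MAX_SINGLE_CHAR_SHARE:
            violations.append("one character repeated too often")

    # Compare case-insensitively so "Password" is rejected along with "password".
    if password.lower() in WEAK_PASSWORD_BLOCKLIST:
        violations.append("on the known-weak password blocklist")

    return violations


def is_acceptable(password: str) -> bool:
    """True only when the password breaks none of the rules above."""
    return not password_policy_violations(password)


if __name__ == "__main__":
    for candidate in ["aaaaaaaa", "Password1!", "Tr0ub4dor&3xample!"]:
        print(candidate, "->", password_policy_violations(candidate) or "OK")
```

Returning the full list of violations rather than a bare yes/no is deliberate: it lets the sign-up form tell the user exactly which rule they missed, which is the education the article says sites owe their users.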
Here at Ctrl IT, we encourage all our clients to implement a comprehensive password policy throughout their organisation. This should include regularly changing passwords, using complex sequences and not using the same password for every account. But we agree with Dashlane and believe that while individuals should be aware of the importance of powerful passwords, websites and applications which require an account password should step up and take some responsibility too. Sites should not allow users to create an account with a password which is universally known to be weak and easily hacked. It takes relatively little effort on the part of these websites to implement stricter password policies which require users to create powerful passwords. Let’s hope we see more sites following in the footsteps of GoDaddy, Apple and Skype in the future.