NEW YORK — Exchanging passwords for sensitive information goes back at least 4,000 years, and yet it seems humans haven't gotten much better at it since.
Not only do many people use completely unsafe passwords, a recent study finds, but some of the biggest sites on the Web may themselves encourage such behavior with their own lax security protocols.
Dashlane, a Paris-based password-management company, gave a presentation called "Passwords & Puppies" here today (May 20). The presenters brought in four puppies to prove a point: A vast number of users choose their dogs' names as passwords, and that practice has grown too predictable over the years.
To evaluate how major sites encouraged (or did not encourage) safe password creation and maintenance, Dashlane devised 22 criteria to evaluate websites. At minimum, Dashlane posited, websites should check a password's complexity, disallow common boneheaded passwords (such as "password" or "12345"), help users create strong passwords and limit failed login attempts.
Sites from almost every major online category, including security, business, travel and dating, fell under Dashlane's microscope. The results were generally not encouraging.
On a scale of -100 to +100, 86 percent of websites studied failed to achieve a minimum score of +50 (adequate). Fifty-one percent of these sites let users attempt as many logins as they desired, and 43 percent allowed users to employ "admin," "11111," "letmein" and other easily guessable passwords.
Better-known sites did not necessarily perform better. Amazon and Kickstarter scored -45, which is particularly damning since both sites store user credit-card information. Dropbox scored -15, while both Twitter and LinkedIn came in at 0. PayPal eked out the bare passing minimum, with a rating of +50.
Dating sites tended to employ the worst password practices across the board, with Match.com's -75 rating coming in lowest overall. On the other side of the spectrum, Apple scored a perfect +100. (The full results of the Dashlane study can be found on the company website.)
Dashlane was quick to point out that interested companies can turn their scores around quickly, if desired. By requiring a minimum of eight characters per password, demanding at least one letter, one number and one capital letter, emailing users when their passwords change and blocking logins after failed attempts, a site virtually ensures that its users will make strong passwords.
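The minimums this paragraph describes, as an added example that is not Dashlane's or any of the rated sites' code: a policy check that rejects short, single-class and blocklisted passwords, plus a per-account counter that refuses further logins after repeated failures. The blocklist is constructed from the guessable passwords the article names, and the five-attempt lockout threshold is an assumption, since the article gives no number.

```python
"""Password-policy and login-lockout checks modelled on the article's minimums."""
import re
from collections import defaultdict

# Constructed blocklist from the passwords the article names; matched
# case-insensitively so that "Password" and "LetMeIn" are refused too.
COMMON_PASSWORDS = {"password", "12345", "admin", "11111", "letmein"}
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5  # assumed threshold; the article states none


def password_problems(password: str) -> list:
    """Return the policy rules a candidate password violates (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    return problems


class LoginLimiter:
    """Count consecutive failed logins per account and lock it after a threshold."""

    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS):
        self.max_failed = max_failed
        self.failed = defaultdict(int)  # account -> consecutive failures

    def is_locked(self, user: str) -> bool:
        return self.failed[user] >= self.max_failed

    def record_attempt(self, user: str, success: bool) -> bool:
        """Record one login attempt; return True only if the login may proceed."""
        if self.is_locked(user):
            return False  # locked accounts are refused even with the right password
        if success:
            self.failed[user] = 0  # a correct login clears the counter
            return True
        self.failed[user] += 1
        return False
```

The password check deliberately reports every violated rule rather than stopping at the first, which is what lets a signup form help the user fix the password instead of just refusing it.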
It's worth pointing out that Dashlane's study did not evaluate how likely any given site is to get hacked, nor how securely each site stores or hashes its passwords. Users can have perfectly secure passwords on even the worst-rated sites, and a data breach on the best-rated site could still compromise a user's personal information.
Even so, it seems that after two decades of consumer-grade Internet use, password security is still something of an afterthought. Take a few steps to make yours secure, and you'll be way ahead of most users.