A Strong Password Isn't Enough: 86% of Sites Have Weak Password Security

It's the Year of the Hack, and we spoke to the experts at Dashlane to find out which websites aren't doing enough to protect your passwords.

We've been calling 2014 the "Year of the Hack," but things are getting ridiculous. Marketplace eBay was hacked just a couple weeks ago, and already two more companies, Spotify and Avast, have reported breaches of their own. If you're like us, you're probably wondering whether any website is secure these days.

However, getting hacked isn't inevitable. Recently, Dashlane, a password management website, conducted a study to find out which companies have the strongest and weakest password policies. We discussed the results of this study with Dashlane's CEO, Emmanuel Schalit, who explained that this information is critical, as hackers are more likely to go after the low-hanging fruit of weak passwords.

A Strong Password is Useless if You Use it Everywhere

Dashlane CEO Emmanuel Schalit believes that consumers should stop fully relying on websites to protect their data. "What I think consumers should do is to start taking some of their security in their own hands," he said in an interview with DealNews. "When you visit a new site that you don't know and you are going to create an account there, you are going to give them a password. If you give this new website the same password you've been using everywhere else, it's essentially equivalent to giving the keys to your house to someone you've never met."

According to Schalit, hackers "know that most people tend to re-use the same passwords on multiple sites." When you use the same passwords over and over, all it takes is just one hacker getting into just one of those websites for all of your data to become vulnerable. "The consumer should assume that when they create an account on a website that the account could be breached," Schalit warned. "Having strong passwords is good, but it's not the most important thing. The most important thing is to have a different password on each and every website."

86% of Sites Have Subpar Password Policies

Dashlane's latest study comes on the heels of one the site published in February, which found that 64% of e-commerce sites had weak password policies. In its most recent study, Dashlane expanded its net, looking at the password security policies of more than 80 of the web's most popular sites for everything from shopping to dating to internet security. The results were shocking: on a scale of -100 to 100, 86% of sites failed to earn a passing score of 50.

As was the case with the first study, Apple came out on top with a perfect score of 100. Other high-scoring sites included the Microsoft Store, UPS, Kaspersky Lab, and Target, all of which scored 70 or higher.

However, some popular websites exhibited very weak password security. Among the sites that didn't pass were American Airlines, Expedia, LivingSocial, LinkedIn, and Amazon. The lowest score of all, a -70, went to Match.com.

"These websites are not doing their job," Schalit said. He went on to explain that password management sites, such as Dashlane, can help protect consumers from shoddy password policies by generating random, unique passwords for every site a customer visits. This protects you from hackers because a user with a multitude of unique, strong passwords often isn't worth a hacker's time.

"There are so many easy targets out there. Whenever [a hacker] bumps into a target that is more protected, they will make the rational decision and go to the next one," Schalit explained. "Hackers are professionals, they're not just kids in basements. They are large, well-funded organizations, but they need to spend their resources wisely. And they do that by going after the easy targets."

Readers, how do you protect your information online? Do you use a password manager site, or keep a mental list of hundreds of secure passwords? Or maybe you just use "password" for everything and damn the consequences? Share your secrets (but not your passwords) in the comments below!

Michael Bonebright
Former Senior Blog Editor

Michael added the finishing touches to most of the Blog articles on DealNews. His work has appeared on sites like Lifehacker, the Huffington Post, and MSN Money. See him rant about video games by following him on Twitter @ThatBonebright.
DealNews may be compensated by companies mentioned in this article. Please note that, although prices sometimes fluctuate or expire unexpectedly, all products and deals mentioned in this feature were available at the lowest total price we could find at the time of publication (unless otherwise specified).


Why are you serving yesterday's news? I looked for a sale on a password program, and got an article from 2014, not a flattering look, when trying to be on top of today's tech deals and news.
We're going to worry about someone choosing a password? I can lead a horse to water, I can not make the people drink the Kool-Aid. Password requirements are a non-issue. Make your password your password. At work we have a password requirement of 16 characters, 2 UPPER case, 2 lower, 2 special, 2 numbers and it changes every 60 days. There's a lot of post-it notes, I refer to password reminders. Better yet use a token with 2048 bit encryption, and an 8 number pin.
So what was Dealnews' number?