In a blog post, Bruce Schneier, chief technology officer of Co3 Systems, explains that “the Heartbleed bug allows anyone to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.”
Now, more than ever, password policies have become the Achilles’ heel of online security. With this in mind, Dashlane has ranked the password policies of the most popular sites on the web and exposed their built-in flaws.
Their study, conducted from April 21 to May 15, 2014, analysed each site against a set of 22 criteria. A criterion carried positive weight when it added security and negative weight when it added risk, giving each website a possible score between -100 and 100. The analysis was based on the password requirements of the websites themselves, not their client applications.
What they came across:
- Some 66 per cent of sites don’t require alphanumeric passwords;
- Just over half earned negative security scores;
- A shocking 51 per cent don’t lock accounts after ten incorrect login attempts; and
- 43 per cent still accept password no-nos such as ‘123456’ and ‘password’.
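The three findings above map directly onto checks a site can enforce. The following is an added example, not code from Dashlane's study or from any of the sites named; the per-criterion weights, the minimum length and the criterion names are assumptions, since the page does not list the study's 22 criteria:

```python
# Added example: evaluates the password-policy criteria the article names.
# POLICY_WEIGHTS and min_length are assumptions, not the study's own values.
from dataclasses import dataclass, field

COMMON_PASSWORDS = {"123456", "password"}  # the two "no-nos" the article names
LOCKOUT_THRESHOLD = 10                     # incorrect attempts before lockout


def is_alphanumeric(password: str) -> bool:
    """True if the password mixes letters and digits."""
    return any(c.isalpha() for c in password) and any(c.isdigit() for c in password)


def validate_password(password: str, min_length: int = 8) -> list:
    """Return the names of the checks a candidate password fails (empty = accepted)."""
    failures = []
    if len(password) < min_length:
        failures.append("too_short")
    if not is_alphanumeric(password):
        failures.append("not_alphanumeric")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("common_password")
    return failures


@dataclass
class LoginThrottle:
    """Counts failed logins per account and locks after LOCKOUT_THRESHOLD failures."""
    failures: dict = field(default_factory=dict)

    def record_failure(self, account: str) -> bool:
        """Record one bad attempt; return True once the account is locked."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.is_locked(account)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= LOCKOUT_THRESHOLD


# Assumed weights (constructed): positive for a protection, negative for a risk.
POLICY_WEIGHTS = {
    "requires_alphanumeric": 30,
    "locks_after_ten_failures": 30,
    "rejects_common_passwords": 40,
    "accepts_common_passwords": -40,
}


def score_policy(policy: dict) -> int:
    """Sum the weights of the criteria a site's policy exhibits, clipped to [-100, 100]."""
    total = sum(w for name, w in POLICY_WEIGHTS.items() if policy.get(name))
    return max(-100, min(100, total))
```

A site that fails all three of the listed checks would score negatively under these assumed weights, mirroring how the study's negative scores arise from risk-adding criteria.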
Furthermore, the biggest sites fail to nail the basics, with LinkedIn scoring 0 and Dropbox, Evernote, Airbnb and Amazon scoring minus figures.
The strongest sites were found to be Apple (at 100 points), Windows Live/Hotmail (85), Microsoft Store (75), UPS (75) and Kaspersky Lab (70).
On the other hand, the weakest sites were revealed to be Match.com (-70), Hulu (-55), Overstock (-55), Fab (-50) and Amazon (-45).