I changed all my passwords after Heartbleed hit. A couple of times. A part of my personal online security policy is to use a password generation and storage app. I use LastPass as it keeps my passwords varied and strong. The majority of web users…not so much. The most common passwords are still:
Rotating passwords, and using a unique password for every site, is a basic online security strategy. Now, I’m just one man with a keyboard and this online security blog. Most of you reading this are average web users looking out for yourselves. But what about those big corporations and websites? What are they doing to protect us?
Heartbleed Changed Our Passwords: Now Change Your Online Security Policy!
The problem with Heartbleed is that while it did cause many to change their passwords (like from ‘password’ to ‘Password1’), it did little to change the online security policy that governs many popular websites. Sure, marketing and PR teams spun some stories, a bunch of FAQ pages were made with great graphics, and a few CEOs made some videos…but what REALLY changed?
A study by Dashlane that looks at the password policies of major websites caught my eye recently. Not only does it have pretty infographics, but it has some hard data (sortable by column *joy*) that we can look at to learn a few things about websites we may use every day.
Which website has the worst online security policy?
Heartbleed itself was a memory-disclosure bug in OpenSSL, but the reason it sent everyone off to change passwords is that leaked server memory could contain the very credentials we type in. What it really taught us is that passwords remain a major security weak point. They’re the best we have, but lazy websites let us be lazy. Out of the 83 major websites that Dashlane studied, here’s the one with the worst online security policy first, followed by other terrible offenders:
- Match.com with a score of -70
- Hulu with a score of -55
- Overstock.com with a score of -55
- Fab with a score of -50
- Amazon with a score of -45
Hold. The. Phone. Shut the front door. Whaaaaaa? Amazon, the world’s largest online retailer, ranks as one of the companies with the worst online security policy? Yikes. Here’s me feeling vindicated for no longer using those crooked bastards… What criteria were used to determine this? Let’s look specifically at Amazon. They are amongst:
- The 43% who accept the worst passwords (listed at the beginning)
- The 51% who don’t lock accounts after 10 incorrect login attempts (what does a hacker have to do to get locked out with them?!?)
- The 53% whose password policy scored negative overall (a weak policy)
- The 66% that don’t require alphanumeric passwords
That’s four strikes; shouldn’t they already be out of your general use by now? They’re taking your money and not taking precautions to protect you! Other bad offenders include Groupon, Kickstarter, Orbitz, US Airways (put an air marshal in my online account, dammit!), and Victoria’s Secret.
Which website has the best online security policy?
This may not surprise you, because they have long been a forward-looking company, but the best scoring website was Apple. Their score of 100 topped all others and should be an example of what a great online security policy looks like. Other top sites include:
- Windows Live/Hotmail (85)
- Microsoft Store (75)
- UPS (75)
- Kaspersky Lab (70)
Now you may read that last one and know that Kaspersky Lab is in the online security business. “Well, that makes sense,” you think to yourself. You’d expect security companies as a group to score well, but that is not the case. Of the categories of online business Dashlane looked at, the three worst by average score were:
- Dating websites, with an average score of -23
- Travel websites, with an average score of -17
- Security websites, with an average score of -5
Security experts working at these big websites…what are you doing? I’m an independent online security policy advocate. I can’t change anything directly. Those who can, I’m calling on you to get this done. To change your online security policy. To educate people and help them become secure – it’s your job!
Increase your online security
Here are some points to look at and consider:
- Take a look at Dashlane’s scoresheet. Have a serious look at the websites in the bottom ranking that you use. Consider ditching them, or at least changing your password there to something stronger and unique to that site.
- Make case-sensitive alphanumeric passwords of at least 8 characters your minimum standard; longer is better.
- Stop using websites that do not email you when your password is changed.
- Slap yourself in the face if you use any of the worst passwords on the web.
- Increase the encryption of your passwords by using a
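To make the site-side criteria from the Dashlane list (the four Amazon strikes above) and the advice in this list concrete, here is an added example in Python. It is not code from this post or from Dashlane; the blocklist entries, the account name and the passwords are constructed for the demo, and the scoring Dashlane used is not reproduced. It shows what a site that scores well actually has to do: reject the worst passwords, require 8-character alphanumeric passwords, compare passwords case-sensitively against a salted hash, and lock the account after 10 consecutive failed logins.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Constructed sample of "worst passwords" for the demo; the real Dashlane list
# is not reproduced here. Checked case-insensitively so "Password1" is caught too.
COMMON_PASSWORDS = {"password", "password1", "123456", "12345678", "qwerty", "abc123"}

MIN_LENGTH = 8           # the 8-character minimum from the post
LOCKOUT_THRESHOLD = 10   # lock the account on the 10th consecutive failure
PBKDF2_ROUNDS = 100_000  # demo value; production should use far more


def password_problems(pw: str) -> list:
    """Return the policy rules a candidate password violates; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("not alphanumeric (needs both letters and digits)")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    return problems


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the site stores (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison; hashing the exact bytes makes the check case-sensitive."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class AccountGuard:
    """Counts consecutive failed logins per user and locks the account at LOCKOUT_THRESHOLD."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, user: str, password_ok: bool) -> str:
        if user in self.locked:
            return "locked"          # even a correct password is refused once locked
        if password_ok:
            self.failures[user] = 0  # a success resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
            return "locked"
        return "denied"


def login(guard: AccountGuard, user: str, pw: str, salt: bytes, digest: bytes) -> str:
    """Verify the password, then feed the outcome to the guard: 'ok', 'denied' or 'locked'."""
    return guard.attempt(user, verify_password(pw, salt, digest))


if __name__ == "__main__":
    # Constructed demo account "alice" with a password that passes the policy.
    salt, digest = hash_password("Correct-Horse-42")
    guard = AccountGuard()
    print(password_problems("Password1"))                            # ['on the common-password blocklist']
    print(login(guard, "alice", "correct-horse-42", salt, digest))   # denied (case matters)
    for _ in range(9):
        login(guard, "alice", "wrong", salt, digest)
    print(login(guard, "alice", "Correct-Horse-42", salt, digest))   # locked (10th failure locked it)
```

Two design points worth noting: the blocklist is checked on the lower-cased password, so the ‘password’ to ‘Password1’ upgrade from earlier in the post is still rejected, and the lockout fires on the tenth consecutive failure regardless of whether the tenth guess happened to be right, which is the property Dashlane was scoring.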
If you learn anything, it’s that you need to be responsible for your security on the web. If a retailer like Amazon, who can afford to give a damn, doesn’t give a damn…you’re on your own out there. Get the tools that will protect you.
Feature image via Maksim Kabakou / Shutterstock