When it comes to web password security, there are the terrible, terrible passwords people use and then there are the websites that let them. Or, put another way, give people enough rope and many of them will, indeed, hang themselves.

Dashlane, a company that sells a password manager of the same name, has assessed the world’s top 100 websites for password security and published the results (pdf) for all to see. Unsurprisingly, Apple comes out on top with a perfect password security score of 100, while a long list of “trusted” companies, like Amazon, do less well:

The roundup assesses the password policies of the top 100 e-commerce sites in the US by examining 24 different password criteria that Dashlane has identified as important to online security, and awarding or docking points depending upon whether a site meets a criterion or not. Each criterion is given a +/- point value, leading to a possible total score between -100 and 100 for each site — Dashlane.


— 55 percent still accept notoriously weak passwords, such as “123456” or “password”
— 51 percent of websites, including Amazon, Dell and Best Buy, make no attempt to block entry after 10 incorrect password entries
— 64 percent have highly questionable password practices
— 61 percent do not provide any advice on how to create a strong password during signup and 93 percent do not provide an on-screen password strength assessment
— Only 10 percent scored above the threshold for good password policies (i.e. 45 points or more in the roundup)
— 8 sites, including Toys “R” Us, J.Crew and, send passwords in plain text via email

Yep, give ’em enough rope and people will hang themselves. Sad, but true.

Practitioners of false equivalence will argue that password security is two-fold — websites and users. However, if more websites took password security seriously, users would have to create and use more secure passwords…

What’s your take?

Image: Tested, Via Ars Technica