Disclaimer: We sustain our work & review products through paid collaborations.
How Popular Websites Fail to Guide Users in Creating Strong Passwords



If you’ve been following our password management blog, you already know to be wary of weak passwords and to check the legitimacy of the websites you visit to avoid phishing scams. You’ve probably also read about the abundance of data breaches that overshadow the use of online accounts. Even so, we are pretty sure that you don’t want to miss out on all the goodies that technology, websites, and the internet as a whole can provide.


The first piece of the account protection puzzle: you

We can only hope that these security breaches at least raise awareness about weak passwords and make you think twice about picking a password that tops the weakest password list each year. It all starts with the user: if they don’t care about good password hygiene, the opportunity for hackers is clearer. Acceptable password hygiene implies a unique password for every account, but how you store them is up to you.

Despite the abundance of security breaches, the majority of online service providers don’t really care about password security, or, if they do, the necessary additional measures are hidden out of sight to keep the user’s login process hassle-free. Sadly, security and convenience don’t walk hand in hand. In other words, it’s up to you to create a cryptographically secure password in the first place if you hope to be 100% certain of your account security. But that’s only the first piece of the puzzle…

Popular websites fail to encourage strong passwords

Password security expectations change on an almost yearly basis, mostly because of the high number of data leaks and the growing amount of password data that is available to hackers. Even so, major websites are slow to change their password policies, as we found when testing the password policies of five major websites: Facebook, Gmail, Amazon, Reddit, and Twitter.

What we discovered is alarming. Even though “password” has topped the list of weakest passwords for years, it is still accepted by any of these sites when used in conjunction with the service’s name, such as “gmailpassword”. Worse still, Reddit, which was hacked recently, deems “password” to be acceptable, although at least its tiny password meter displays a warning red color. Reddit is the only one of these sites that uses a password meter; the others we tested simply display a red message telling the user how weak their chosen password is. Just a quick example: while “password” or “password123” is a no-no for Twitter, the website still considers “Password123” to be acceptable. That password would take less than a minute to crack.
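A sign-up check that closes the gaps described above, as an added example (not code from any of the tested sites): it folds case, removes the service name and username, and strips leading and trailing digits or symbols before comparing against a deny-list. The deny-list contents, the 8-character minimum, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample deny-list (assumption); a real deployment would load
# a large corpus of breached and commonly used passwords instead.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome"}


def core_of(candidate, context_words):
    """Reduce a candidate to the word it is built on.

    Lower-cases the input, removes context words (service name, username),
    then strips leading/trailing digits and symbols, so that
    'Password123' and 'gmailpassword' both reduce to 'password'.
    """
    s = candidate.lower()
    for word in context_words:
        if word:
            s = s.replace(word.lower(), "")
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", s)


def check_password(candidate, service, username="", min_length=8):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(candidate) < min_length:  # min_length is an assumed policy value
        reasons.append("too short")
    core = core_of(candidate, [service, username])
    if core == "":
        reasons.append("only service name, username, digits or symbols")
    elif core in COMMON:
        reasons.append("built on a common password")
    return reasons


if __name__ == "__main__":
    # Constructed inputs mirroring the cases discussed in the article.
    samples = [
        ("Password123", "twitter"),
        ("gmailpassword", "gmail"),
        ("gmail2024", "gmail"),
        ("vX7#qLm2!Rz9pW", "twitter"),
    ]
    for pw, site in samples:
        print(f"{pw!r} on {site}: {check_password(pw, site) or 'accepted'}")
```
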

After all those major security breaches, you’d expect online services to put more effort into educating their users about password security, at least offering the option to enable two-factor authentication from the initial sign-up page. But no, in order to enable this security option – if it’s even available – you will need to dig deep into the settings and search for it yourself, which makes it a hard find. As a result, major websites still encourage weak security measures, which unfortunately exposes users and makes data breaches possible.

What can you do?

We know how inconvenient online security can be sometimes, but if you really want to protect your online account, then implementing some form of protection is a must. The easiest way to increase online security is by using a VPN, which hides your online traffic from prying eyes, in addition to a password management service. The latter will generate cryptographically secure passwords for you and prompt you to store any login details as soon as it is enabled. Password managers will also make sure that you’re visiting a legitimate website, keep an eye on data breaches, and suggest a password change if needed.



©2012-2025 Best Reviews, a clovio brand – All rights reserved