Apple ID Website Receives 4/5 'Good' Score in Dashlane's 2017 Password Power Rankings

Discussion in 'Mac Blog Discussion' started by MacRumors, Aug 10, 2017 at 10:08 AM.

  1. MacRumors macrumors bot


    Apr 12, 2001

    Password management app Dashlane has enlisted a group of researchers to assess and rank the password policy and security of 37 consumer and 11 enterprise websites. The study examined five password security criteria to result in a point-based ranking system, with points awarded for the following categories: requiring 8+ characters, needing alphanumeric passwords, including a password strength assessment indicator, passing brute force attack simulations, and supporting 2-factor authentication.

    Based on these data points, the Apple ID sign-in page scored a 4/5 and earned a "Good" ranking. Apple passed on all criteria except for the brute force attack test, where researchers said they were never presented with a security warning ("such as a CAPTCHA code or the account automatically locking") after entering incorrect credentials 10 times in a row. Dashlane mentioned that the study was completed during the week of July 5 - July 14, 2017.

    Above Apple with perfect scores were GoDaddy, Stripe, and QuickBooks, but at the very low end with a score of 0/5 were Netflix, Pandora, Spotify, Uber, and Amazon Web Services. Dashlane said that in total 46 percent of consumer sites have "dangerously lax" password policies, while 36 percent of enterprise websites face the same issue.

    The researchers said that some of the more troubling findings related to being able to create a password using nothing but the lowercase letter "a" on Amazon, Dropbox, Google, Instagram, LinkedIn, Netflix, Spotify, Uber, and Venmo. The Apple ID sign-in page was one of six sites that did not have a policy to prevent brute force attacks, also including Dropbox, Google, Twitter, Venmo, and Walmart.

    Visit Dashlane's website here for more information on the 2017 Password Power Rankings, including a few infographics. Dashlane has performed similar studies of password security policies in years past.

    Article Link: Apple ID Website Receives 4/5 'Good' Score in Dashlane's 2017 Password Power Rankings
  2. gsmornot macrumors 68020


    Sep 29, 2014
    I use a few sites that limit my password to 10 characters. They should call them out.
  3. RCS31 macrumors member

    Jun 28, 2013
    In fairness Apple are very good at not allowing unauthorised people into your account as I've learned myself. Some person whom I don't know tried to enter my password several times without success, blocking the account. I didn't have security remedies setup so I lost my account.... Oh well, now I use 2 factor authentication for all my major accounts. Happy days.
  4. DCYorke macrumors member

    Apr 7, 2010
    Captcha is hardly needed when 2FA is enabled and it's just a pain for everyone, they shouldn't've lost points for that one. However, requiring a number should not be seen as increased security, especially when apple doesn't allow "correct horse battery staple" type passwords. It'd be much better to allow long passwords with spaces than to require numbers to be added.
  5. dampfnudel macrumors 68020

    Aug 14, 2010
    Brooklyn, NY
    Anyone not using 2 factor authentication is basically inviting people to take their personal information.
  6. justperry macrumors 604


    Aug 10, 2007
    In the core of a black hole.
    Captcha should be renamed to Crapcha, worthless piece of crap, I had serious issues registering on a few websites due to this Crapcha, nowadays it tends to give you a picture with grids, next you have to pick some which have certain 'things' in it like cars or shops, they are Crap too, sometimes it takes a minute to complete.

    Erm, No, it (also) depends on the websites they visit, you could avoid them but I am pretty sure some people need to be on those sites, for instance job related.
  7. democracyrules macrumors 6502

    Nov 18, 2016
    Kudos to Apple. Apple is the best company who cares about the security and protection of themselves and their customers. Thanks to Apple!!
  8. chriscrowlee macrumors 6502a


    Aug 10, 2015
    San Diego, CA
    Never seen so much gloating over barely scraping out a B minus. hehehe
  9. joueboy macrumors 6502a

    Jul 3, 2008
    Not a bad rating at all considering some celebrities got their iCloud accounts nt compromised. Kudos to Apple for doing a great job!
  10. justperry macrumors 604


    Aug 10, 2007
    In the core of a black hole.
    Because those celebs used easy to guess passwords or something else THEY did, it wasn't Apple's servers or software that got compromised.
  11. glenthompson macrumors 68000


    Apr 27, 2011
    I have one that only allows 6 characters. Fortunately it doesn't have any information available that someone hacking it could use elsewhere.
  12. Cwolk macrumors regular


    Jun 3, 2015
    NJ, USA
  13. hotgril, Aug 11, 2017 at 2:52 AM
    Last edited: Aug 11, 2017 at 3:02 AM

    hotgril Suspended


    Jul 4, 2017
    Artsakh, Armenia
    That's an exaggeration. One strong password is all you need, assuming you aren't careless with it and only use it in one place. But that's an assumption no website can make because obviously, people reuse passwords, and they aren't to blame for that.

    Problem with 2FA is that it adds complexity and annoyance. I wish sites would just take my public SSH key so I don't have to specially manage passwords or worry about my passwords being stolen.
  14. JosephAW macrumors 65816


    May 14, 2012
    I still remember when OS X in it early days ignored any information typed past an 8 character limit enabling brute force access and there was a big stink from tech users. Leopard finally fixed that and we have since moved on to better ways to bypass passwords.
  15. ChrisA macrumors G4

    Jan 5, 2006
    Redondo Beach, California
    Ten attempts is not "brute force". Brute force attacks typically require hundreds of thousands or millions of attempts. And there are ways of preventing them that don't annoy users. The simplest one is to simply not prpcesspasswords really fast. Make shure it takes at least 5 or 10 second before saying "wrong, try again". When limited to only one try every 5 seconds brute force could take years.
  16. OneMike macrumors 601


    Oct 19, 2005
    2FA is not required though nor should it be imo so this is bad imo.
  17. hotgril Suspended


    Jul 4, 2017
    Artsakh, Armenia
    Or only start delaying after, say, 10 failed attempts. I don't get why sites go hostile on legit users after such few attempts, as if nobody ever has trouble remembering a password when they're required to add capital letters (totally stupid btw) and numbers. I kept locking myself out of my GoDaddy account because it treated 5 attempts like a brute force attack and locked my account. Also, a malicious kindergartener could keep my account shut down forever like that. Straight up switched hosts just because of that crap.
  18. SteveW928 macrumors 65816


    May 28, 2010
    Prince George, B.C. Canada
    For sure, except for something really crucial. If you use strong, unique passwords, then the most they'll ever get is that one account. But, the even bigger issue with many of these companies is that they have 'unlock' methods like 'security questions'. I'm guessing most people don't put strong, random passwords into those... and likely do reuse them if they answer honestly. So, if you ever filled them on, say with a Yahoo account, then all the hacker has to do is know about your account and make a phone-call.

    re: 2FA - yea, and wouldn't it make it hard for any shared accounts, for example, Dropbox. If you're sharing access with partners or family, are there mechanisms in place to make multiple devices be the 2nd factor?

    LOL, no doubt! They'd have to get awfully lucky. :)

    Yea, I've never really understood why brute-force should have ever been a problem in the first place. That seems like such a simplistic solution, I'm always amazed that isn't default behavior for anything that collects a password.

    Please tell me you're using a password manager! :) No one should be trying to remember more than one password, and hardly ever have to even type them.

    Heh, I think having a GoDaddy account in the first place was part of the problem. ;) Run, run away from cheap hosting like that! (Which it appears you did.)

Share This Page