Web services are failing the password security test
Don’t expect an app to force you to use strong passwords. A recent study by Dashlane found that 44% of the websites they sampled had “dangerously lax” password policies. Dashlane judged apps on 5 key security criteria:
- A minimum of 8 characters in the password
- Mandatory use of both letters AND numbers
- A password strength assessment shown to the user during account creation
- An automatic account lockout feature after a set amount of login tries
- Support of 2-factor or multi-factor authentication (2FA)
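As an added example (not code from the original post or from Intermedia), here are the first four criteria as a service might enforce them: a policy check, a sign-up strength rating and a per-account lockout counter. The lockout threshold of 5 and the tiny blocklist are assumptions; the blocklist shows that "password123" satisfies criteria 1 and 2 yet should still be rejected.

```python
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8          # criterion 1: minimum length
LOCKOUT_THRESHOLD = 5   # criterion 4: assumed value, the survey does not state one
# Constructed blocklist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password123", "12345678", "qwerty123"}

def check_policy(password: str) -> list[str]:
    """Return the policy criteria the password fails (empty list means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        failures.append("must contain both letters and numbers")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("appears on the common-password blocklist")
    return failures

def strength_score(password: str) -> str:
    """Criterion 3: a simple assessment to show the user during sign-up."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(password) < MIN_LENGTH or classes < 2:
        return "weak"
    if len(password) >= 12 and classes >= 3:
        return "strong"
    return "fair"

@dataclass
class LoginGuard:
    """Criterion 4: count failed logins per account and lock after the threshold."""
    failed: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, user: str, credentials_ok: bool) -> str:
        if user in self.locked:
            return "locked"          # stays locked even if the password is now right
        if credentials_ok:
            self.failed.pop(user, None)
            return "success"
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
            return "locked"
        return "failed"
```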
The survey found that 44% of sampled services (a combination of both business and consumer) failed to meet 3 or more of these criteria. That’s really frightening given the sophistication of today’s cyber attacks. When services fail to meet these security standards and bad things happen, it’s the user that’s left feeling the pain.
But account security isn’t solely the responsibility of the service provider. A key point in the article is that users need to follow some basic security practices as well, such as not reusing passwords and not choosing simplistic passwords that are easy to crack (like “password123”).
Password security options for users and IT admins
So where does this leave users and IT admins?
Users need to be vigilant about choosing strong passwords and enabling 2FA when it’s available. They should invest in the use of a password manager tool or single sign-on solution to help remember their logins so they aren’t tempted to choose easy-to-crack passwords.
IT admins should set stringent security policies for the business services that they manage, and require the use of 2FA for those services whenever possible. Shop around for the solution or service provider that offers the strongest protections and security policies. App companies have no real incentive to up their game if their customers don’t demand it; they’ll simply blame the user if a password gets cracked.
Intermedia’s password security standards
In our case, Intermedia has both areas of account security covered. On the application side, we have 2 types of security policies: 1 for account admins and 1 for users.
The account admin defines the policy for their users, within the “Contacts password policy” in our HostPilot® control panel, which cascades into the Intermedia services the users have and use (Exchange, File Backup and Sharing, AppID, etc.). I asked Ryan Barrett, our VP of Security and Privacy, about how we stack up against the survey criteria, and he had this response:
“I’m very proud to say that by default, we hit all 5 of the criteria, for the account admin themselves and for their users. In fact, we exceed the minimum character criterion by requiring that account admins have a password with at least 9 characters.”
On the user side of the equation, we provide our customers with Intermedia AppID®, our identity and access management app, free-of-charge. Users can access their web apps (both Intermedia and 3rd party apps) through AppID and have it remember their logins for them. They only need to sign into AppID and remember 1 login. And AppID is enabled with two-factor authentication for an extra layer of security.