A recent analysis of the password rules that popular websites and apps impose on their users found that many of the most widely used online services enforce less-than-ideal requirements for login credentials.

The study, conducted by password manager Dashlane, examined 37 well-known online services to see what the sites and apps required of users when creating their passwords. Dashlane found plenty of services living up to expectations set by best practices, but some services with huge user bases failed to clear the bar.

Before distilling the rankings, it’s important to understand how Dashlane judged the services it looked at. The company examined whether services required users to meet a number of basic requirements when creating their password, as well as what type of support they provided to prevent abuse.

Passwords are expected to contain at least eight characters and allow for alphanumeric and case-sensitive entries. Dashlane also looked to see if sites blocked the most commonly used passwords, which can be cracked with a few simple guesses.

The password manager looked to see if services provided a meter or color-coded bar to confirm password strength, if emails were sent to users when passwords were changed, if accounts were locked after too many incorrect guesses, and if two-factor authentication was supported on the platform.


Just three sites met every requirement on Dashlane’s checklist: web host GoDaddy, payments service Stripe and accounting software QuickBooks. Apple, PayPal, Best Buy, Home Depot, Toys 'R' Us, Microsoft, Tumblr and Skype were among the companies to achieve a four-star rating, missing just one element that could have put them over the top.

On the opposite side of the spectrum, Netflix, Pandora, Spotify and Uber all received a score of zero out of five, failing to meet any of the best practices put forward for the study. Services including Dropbox, Instagram, Pinterest, Macy’s, Walmart and SoundCloud all just barely inched above the bottom of the barrel, scoring just one out of five.

Sites like Amazon, eBay, LinkedIn, Starbucks, Twitter and Venmo all received a two out of five—a failing grade by Dashlane’s standard. Facebook, Google, Airbnb, Reddit, Slack, Snapchat, Target, Staples, Twitch, WordPress and Yahoo all received a passing grade at three out of five.

The biggest piece missing from services, according to Dashlane, is an on-screen assessment for password quality. Seventy-six percent of consumer sites and 72 percent of enterprise sites lack such a feature.

Fifty-one percent of consumer sites failed to require that passwords be eight characters or longer. The same percentage did not lock an account after 10 failed logins. Forty-eight percent of services also didn’t require alphanumeric passwords. One in three sites, 32 percent, failed to offer support for two-factor authentication.

These problems were less prevalent on the enterprise side, where more than half of sites met each requirement. Forty-five percent failed to block logins after 10 failed attempts, 36 percent didn’t require a minimum of eight characters and 27 percent didn’t require alphanumeric passwords. All but one service—Freshbooks—offered two-factor authentication.
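The server-side part of the checklist described above, as an added Python example that is not Dashlane's code or that of any site in the study: the eight-character minimum and the 10-failure lockout come from the article, while reading "alphanumeric" as at least one letter plus one digit, the small sample blocklist, the 15-minute lock duration and all function and class names are assumptions made for illustration.

```python
import time

MIN_LENGTH = 8       # minimum length named in the study
MAX_FAILURES = 10    # failed-login threshold named in the study
# Constructed sample blocklist (assumption); real deployments load a large
# list of commonly used or breached passwords.
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "letmein1"}


def password_problems(password):
    """Return the checklist items a candidate password fails (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    # Assumption: "alphanumeric" means at least one letter and one digit.
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("not_alphanumeric")
    # Compare case-insensitively so "Password1" does not slip past the blocklist.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common_password")
    return problems


class LoginThrottle:
    """Counts consecutive failed logins per account and locks at MAX_FAILURES."""

    def __init__(self, lock_seconds=900, clock=time.monotonic):
        self.lock_seconds = lock_seconds  # assumption: 15-minute lock
        self.clock = clock
        self.failures = {}       # account -> consecutive failures
        self.locked_until = {}   # account -> time the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is not None and self.clock() >= until:
            # Lock expired: clear state so counting starts fresh.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return until is not None

    def record(self, account, success):
        """Record one login attempt; return True if the account is locked."""
        if self.is_locked(account):
            return True  # even a correct password is refused while locked
        if success:
            self.failures.pop(account, None)
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + self.lock_seconds
            return True
        return False
```

Pairing the lockout with the password-change email the study also looked for gives the account owner a signal when either control is triggered.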