Popular business web apps fail to implement critical password requirements
Specops Software has published new research on cybersecurity weaknesses in business web applications, including Shopify, Zendesk, Trello and Stack Overflow.
Amid a wave of cybersecurity incidents related to the COVID-19 pandemic, remote working, and nation-state activities, password security is more important than ever. However, this new research reveals that several popular business web applications have failed to implement critical password and authentication requirements to protect customers.
Specops analysis revealed inadequate password and authentication requirements that could leave customers vulnerable, including allowing users to set weak and breached passwords, often with little or no strong authentication in place. Among the services analyzed, email marketing service Mailchimp was found to be the most secure, blocking 98% of known hacked passwords.
Detailed findings on each service’s password requirements include:
- Shopify fails to prevent any compromised passwords, its only requirement being that passwords be at least 5 characters long. Checking the list of 1 billion known hacked passwords, Specops researchers found that 99.7% of them meet Shopify’s requirement.
- Zendesk prevents less than 2% of compromised passwords, with requirements that passwords be at least 5 characters, fewer than 128 characters, and different from the user’s email address.
- Trello blocks less than 13% of compromised passwords, only requiring passwords to be at least 8 characters long.
- Stack Overflow prevents 46% of compromised passwords; passwords must be at least 8 characters long and include a number and a special character.
- MailChimp blocks 98% of known compromised passwords, with requirements including a minimum of 8 characters and a mix of upper and lower case letters, numbers and special characters.
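The point behind these percentages is that composition rules alone (length, character classes) let most leaked passwords through, because leaked passwords already satisfy them; only a check against a breached-password list catches them. The following is an added example, not code from Specops or from any of the services named: it encodes each service's rules as the article states them, runs a small constructed sample of well-known leaked passwords through them, and adds a breached-password check in the k-anonymity style used by the Have I Been Pwned range API (client hashes the password, sends only the first five hex characters of the SHA-1, and compares the rest locally). The sample list, the `POLICIES` encodings, the email address and the offline `range_suffixes` stand-in for the remote lookup are all assumptions made for illustration; the resulting counts are for this sample, not the 1-billion-entry list Specops used.

```python
"""Added example: service password rules as predicates, plus a k-anonymity
breached-password check. Not Specops' or any vendor's code; the sample list
and the policy encodings are the editor's assumptions based on the article."""
import hashlib
import string

# Constructed sample of passwords that commonly appear in breach corpora
# (illustrative only; not the Specops list).
SAMPLE_BREACHED = [
    "123456", "password", "qwerty", "abc123", "letmein", "iloveyou",
    "P@ssw0rd", "Summer2020!", "Welcome1!", "Passw0rd!", "trustno1",
    "Qwerty123!", "monkey", "dragon", "football", "Admin123!", "hello123!",
]

# Character-class helpers used by the composition rules below.
def _has(pw, pred):
    return any(pred(c) for c in pw)

def _special(c):
    return c in string.punctuation

# Each policy is a predicate (password, account email) -> accepted?
# Encodings follow the rules the article attributes to each service (assumption).
def shopify(pw, email=""):
    return len(pw) >= 5

def zendesk(pw, email=""):
    return 5 <= len(pw) < 128 and pw.lower() != email.lower()

def trello(pw, email=""):
    return len(pw) >= 8

def stack_overflow(pw, email=""):
    return len(pw) >= 8 and _has(pw, str.isdigit) and _has(pw, _special)

def mailchimp(pw, email=""):
    return (len(pw) >= 8 and _has(pw, str.islower) and _has(pw, str.isupper)
            and _has(pw, str.isdigit) and _has(pw, _special))

POLICIES = {
    "Shopify": shopify,
    "Zendesk": zendesk,
    "Trello": trello,
    "Stack Overflow": stack_overflow,
    "Mailchimp": mailchimp,
}

def accepted_count(policy, passwords, email="user@example.com"):
    """Number of the given passwords the policy would accept (email is a constructed value)."""
    return sum(1 for pw in passwords if policy(pw, email))

# --- Breached-password check, k-anonymity style ---------------------------
# A real deployment stores (or queries) SHA-1 digests of the breach corpus and
# never sees the plaintext. Here the corpus is the constructed sample above.
BREACHED_SHA1 = {hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() for pw in SAMPLE_BREACHED}

def range_suffixes(prefix5):
    """Offline stand-in for the server side of a range lookup: given the first
    five hex characters of a SHA-1, return the 35-character suffixes of every
    breached hash sharing that prefix. The client never reveals the full hash."""
    prefix5 = prefix5.upper()
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}

def is_breached(pw):
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_suffixes(digest[:5])

def hardened(pw, email=""):
    """Composition rules plus a breached-password check: the combination the
    article notes none of the analyzed services enforces."""
    return mailchimp(pw, email) and not is_breached(pw)

if __name__ == "__main__":
    total = len(SAMPLE_BREACHED)
    for name, policy in list(POLICIES.items()) + [("Hardened (rules + breach check)", hardened)]:
        n = accepted_count(policy, SAMPLE_BREACHED)
        print(f"{name:34s} accepts {n:2d}/{total} leaked passwords ({100 * n / total:.0f}%)")
```

On this sample the length-only policies accept every leaked password, the composition-rule policies still accept a third to a half of them, and only the variant that also consults the breached list rejects all of them while still accepting a password that is not in the list. The k-anonymity split matters operationally: sending a five-character prefix discloses nothing useful about the password, so the check can be done against a third-party corpus without leaking user secrets.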
“While people are taught to secure their computers with anti-spyware, antivirus, and anti-malware software because of hackers, they aren’t taught how relentless hackers are with passwords. A hacked password can cause a lot of financial and personal damage. What is most shocking about these findings is that despite the popularity of web services, these web applications have not taken the necessary steps to reduce the risk of their customers falling victim to cybercrimes. In fact, they actually increased the chances of this happening by not implementing critical password and authentication requirements,” Darren James, internal IT manager at Specops Software, told Help Net Security.
“Take Shopify, for example, one of the most popular e-commerce platforms in the world. Our results showed that Shopify fails to prevent any compromised password. With a single password requirement of at least 5 characters, 99.7% of the known 1 billion hacked passwords met Shopify’s password requirement,” James concluded.
Shopify, Zendesk, Trello, and Mailchimp offer multi-factor authentication as an option when creating an account, but it’s not a requirement. Although Mailchimp and Stack Overflow have the most stringent password requirements of the services analyzed, neither requires multi-factor authentication or checks user passwords against compromised passwords.