05/28/2014 08:43 am ET Updated Dec 06, 2017

Your Favorite Website Is Probably Terrible At Passwords

Some of your favorite websites could be putting your online security at risk, according to a new study conducted by Dashlane, a password and identity management company.

Dashlane's Security Roundup for the second quarter of 2014 ranks websites on the strength of their password policies. To come up with its list, Dashlane ranked websites on several factors, from whether they allowed common passwords to how fast they sent account confirmation emails. Each site is rated on a scale of 100 to -100, with 100 as the highest score and -100 as the lowest score sites can get.

Unsurprisingly, some top sites don't particularly encourage their user base to create strong passwords., the lowest-scoring site at -70, lost points for allowing users to create single-character passwords. Hulu and Overstock, which came in above Match at -55 points, both had points deducted for not sending password change confirmation emails fast enough.

Hulu and Match declined to comment, and Overstock did not respond to a request for comment.

To be fair, some of what Dashlane dinged sites for is at least partially a matter of user agency. For example, if a customer at decides to make his or her password "password" (something that's allowed now, according to Dashlane), it's a bit unfair to hold the company's management wholly responsible for that person's poor password choice. 

The same could be said for websites that commit the fairly common password policy sin of not making alphanumeric (meaning including letters and numbers) and case-sensitive passwords mandatory. According to Dashlane, Dropbox and Delta are two of those sites.

Dashlane also knocked sites for allowing short passwords -- for some sites, just one letter is OK -- and for not bothering to lock user accounts after repeated logins.

The report explains why not locking accounts is a problem: "One of the favorite methods utilized by hackers is to password guess using commonly used passwords. All a hacker needs is a list of emails and a list of common passwords (both easily found with a quick search), and they can easily code an automated program to push millions of email-password combinations into login screens."

It's important to note that Dashlane's word on security should be taken with a grain of salt. The company sells password management tools, among other things.

For those of you who may be using the sites that fared poorly in Dashlane's ratings, here are a few tips on how to make secure passwords:

  • Don't use extremely common passwords (a list can be found here, courtesy of SplashData)
  • Don't use the same passwords for multiple websites
  • Don't use words you can find in a dictionary as pass phrases
  • Make sure your passphrases are long, ideally over eight characters

To see Dashlane's complete rating of sites, click here. Below are the websites with the strongest and weakest password policies, according to Dashlane.