Popular business web apps fail to implement critical password requirements
2022-07-20 03:30

New research reveals that several popular business web applications have failed to implement critical password and authentication requirements to protect customers.

Specops' analysis found inadequate password and authentication requirements that could leave customers vulnerable, including allowing users to set weak and breached passwords, often with little or no strong authentication in place.

Zendesk blocks less than 2% of compromised passwords. Its password requirements are that a password be a minimum of 5 characters, fewer than 128 characters, and different from the user's email address.

"While people are taught to secure their computer with antispyware, antivirus, and antimalware software due to hackers, they aren't taught how relentless hackers are with passwords. A breached password can cause a lot of financial and personal damage. What's most shocking about these findings is that despite web services' popularity, these web applications have not taken the necessary steps to reduce the risk of their customers becoming victims of cybercrimes. In fact, they've actually increased the chances of this occurring by not implementing critical password and authentication requirements," Darren James, Head of Internal IT, Specops Software, told Help Net Security.

"Take Shopify, for example, one of the world's most popular eCommerce platforms. Our findings showed that Shopify fails to prevent any compromised passwords. With only one password requirement, being at least 5 characters, 99.7% of the 1 billion known breached passwords met Shopify's password requirement," James concluded.

While Mailchimp and Stack Overflow have the most stringent password requirements of the services analyzed, neither requires multi-factor authentication or checks user passwords against compromised passwords.
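The following added example (not code from Specops or from the article) measures how much of a breached-password list each kind of policy described above rejects, and what changes when a breached-password check is added to the same rules. The sample list, the email address and all function names are constructed for illustration; storing the breached set as SHA-1 hashes is an assumption about how such a list might be held.

```python
import hashlib

# Constructed sample standing in for a breached-password corpus.
BREACHED_SAMPLE = [
    "123456", "password", "qwerty", "abc", "iloveyou",
    "letmein1", "P@ssw0rd", "1234", "dragon", "alice@example.com",
]

def sha1_hex(password):
    """Lookup key for the breached set (assumed storage format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

BREACHED_HASHES = frozenset(sha1_hex(p) for p in BREACHED_SAMPLE)

def min_length_policy(password, email):
    """Single rule described for Shopify: at least 5 characters."""
    return len(password) >= 5

def length_and_email_policy(password, email):
    """Rules described for Zendesk: 5 to 127 characters, not the email address."""
    return 5 <= len(password) < 128 and password.lower() != email.lower()

def with_breach_check(base_policy, breached_hashes):
    """Wrap a policy so it also rejects any password in the breached set."""
    def policy(password, email):
        return (base_policy(password, email)
                and sha1_hex(password) not in breached_hashes)
    return policy

def block_rate(policy, breached_passwords, email):
    """Fraction of known-breached passwords that the policy rejects."""
    rejected = sum(1 for p in breached_passwords if not policy(p, email))
    return rejected / len(breached_passwords)

def report(email="alice@example.com"):
    """Block rate of each policy over the constructed sample."""
    policies = {
        "min length only": min_length_policy,
        "length + not email": length_and_email_policy,
        "length + not email + breach check":
            with_breach_check(length_and_email_policy, BREACHED_HASHES),
    }
    return {name: block_rate(p, BREACHED_SAMPLE, email)
            for name, p in policies.items()}

if __name__ == "__main__":
    for name, rate in report().items():
        print(f"{name:36s} blocks {rate:.0%} of the breached sample")
```

The rates on a ten-entry constructed list are not comparable to the percentages reported in the research; the point is that length and email rules alone leave most breached passwords acceptable, while the breach check rejects them regardless of length.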


News URL

https://www.helpnetsecurity.com/2022/07/20/business-web-apps-password-requirements/