Dashlane Releases 2017 Password Power Rankings, Apple ID Gets ‘Good’ Score


Examining the password policies of 40 popular consumer and enterprise websites against five criteria, Dashline has published its latest Password Power Rankings for 2017, highlighting that almost 46% of consumer websites, including Dropbox, Netflix, and Pandora, and 36% of enterprise websites, including Amazon Web Services, have failed to implement the most basic password security requirements.


The study’s point-based ranking system is based on the following criteria: 8+ characters password requirement, alphanumeric passwords requirement, inclusion of a password strength assessment indicator, logins aren’t brute forceable, and 2-factor authentication support. Based on these points, Apple ID scored a 4/5 and earned a “Good” ranking. 

“We created the Password Power Rankings to make everyone aware that many sites they regularly use do not have policies in place to enforce secure password measures. It’s our job as users to be especially vigilant about our cybersecurity, and that starts with having strong and unique passwords for every account,” said Dashlane CEO Emmanuel Schalit. “However, companies are responsible for their users, and should guide them toward better password practices.”

GoDaddy, Stripe, and QuickBooks scored a perfect 5, whereas at the very low end with a score of 0/5 were Netflix, Pandora, Spotify, Uber, and Amazon Web Services.

To view the detailed report, click here.


  • Dehop

    Surprised that you can brute-force Apple’s logins. They should definitely have an account lockout after so many bad attempts. Apple should know better.

    Netflix, Pandora and Spotify scoring 0… meh, it’s kinda bad, but not too damaging to the user if it’s compromised.

    Uber and AWS? Those are inexcusable, as are a few others there with low scores.

  • KaCCaD

    I continue to be baffled by the ‘complex’ password requirements that wind up with rules like: 8+, at least 1 uppercase, 1 numeric, 1 special character, no repeated characters…all that does is effectively guarantee that the vast majority of users will put their password on a sticky on their monitor or a note in their desk. Which obviously defeats the purpose of a complex password. If the last two factors in the assessment are present (not brute forceable and 2 factor authentication) then the complex password requirements become a lot less relevant. You still need to be smart enough not to use things like your bday, or ‘password’, etc, but forcing fairly random complex password requirements on users is generally not helpful in my view.

    Personally I use a password manager, but not everyone wants to or can in all circumstances.