The team at Dashlane, a password manager app, has analyzed the password policies of 40 popular online services and found that websites differ widely in how seriously they take password security, with some far worse than others.
In their latest study, researchers registered accounts on 40 sites and recorded which websites follow five simple rules:
✑ Does the website require users to have passwords that are 8 or more characters?
✑ Does the website require users to have passwords with a combination of letters, numbers, and symbols?
✑ Does the website provide an on-screen password strength meter to show users how strong their password is?
✑ Does the website feature brute-force protection, i.e. does it stop a user from making 10 incorrect login attempts without triggering an additional security measure (CAPTCHA, account lockout, 2-Factor, etc.)?
✑ Does the website support 2-Factor Authentication?
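The five rules above are easy to turn into a reproducible audit. The following Python is an added example (not Dashlane's code or methodology) that encodes the two composition rules, a simple on-screen strength meter, a per-account login throttle, and a per-site scorecard; the thresholds, the `LoginThrottle` class and the sample sites are assumptions made for illustration.

```python
import string

MIN_LENGTH = 8        # rule 1: passwords must be 8 or more characters
FAILURE_CEILING = 10  # rule 4: 10 bad logins must not pass without a step-up check


def strength_meter(password: str) -> str:
    """Rule 3: a simple on-screen meter scored on character classes and length.
    The scoring buckets are an assumption, not a standard."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    score = classes + (len(password) >= 8) + (len(password) >= 12)
    if score <= 2:
        return "weak"
    if score <= 4:
        return "fair"
    return "strong"


def check_composition(password: str) -> dict:
    """Rules 1 and 2: minimum length and a mix of letters, numbers and symbols."""
    return {
        "min_length": len(password) >= MIN_LENGTH,
        "mixed_classes": (
            any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password)
        ),
        "strength": strength_meter(password),
    }


class LoginThrottle:
    """Hypothetical per-account failed-login counter. After `step_up_after`
    consecutive failures it demands a step-up (CAPTCHA, lockout or 2FA prompt)
    instead of silently denying the login again."""

    def __init__(self, step_up_after: int = 5):
        self.step_up_after = step_up_after
        self.failures = {}  # username -> consecutive failure count

    def attempt(self, username: str, success: bool) -> str:
        if success:
            self.failures.pop(username, None)
            return "ok"
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        return "step_up_required" if n >= self.step_up_after else "denied"


def brute_force_rule_met(throttle: LoginThrottle, account: str = "audit-account") -> bool:
    """Rule 4: run FAILURE_CEILING bad attempts through the site's own throttle
    (a test account, constructed here) and report whether a step-up was
    demanded within those attempts. If all ten are plainly 'denied', the site
    allows 10 incorrect logins with no extra protection and fails the rule."""
    for _ in range(FAILURE_CEILING):
        if throttle.attempt(account, success=False) == "step_up_required":
            return True
    return False


def scorecard(weakest_accepted: str, throttle: LoginThrottle,
              has_meter: bool, supports_2fa: bool) -> dict:
    """Build the per-site five-rule scorecard. `weakest_accepted` is the weakest
    password the site let the auditor register with, as in the study."""
    comp = check_composition(weakest_accepted)
    return {
        "length_8_plus": comp["min_length"],
        "letters_numbers_symbols": comp["mixed_classes"],
        "strength_meter": has_meter,
        "brute_force_protection": brute_force_rule_met(throttle),
        "two_factor": supports_2fa,
    }


if __name__ == "__main__":
    # Two constructed sites: a lax one that accepted "aaaa" and never steps up,
    # and a strict one that rejected anything short of a mixed 8+ char password.
    lax = scorecard("aaaa", LoginThrottle(step_up_after=50), has_meter=False, supports_2fa=False)
    strict = scorecard("Tr0ub4dor&3", LoginThrottle(step_up_after=5), has_meter=True, supports_2fa=True)
    for name, card in (("lax-site.example", lax), ("strict-site.example", strict)):
        print(name, f"{sum(card.values())}/5 rules met", card)
```

Running the script prints one line per constructed site with the number of rules met out of five. Note that the meter and the throttle live on the site being audited; the auditor only observes what the site accepted and how it reacted to repeated failures, which is all the study's five questions ask.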
The results shocked the Dashlane team, who found some remarkably lax password security measures, even at extremely popular services. Below are their results:
✮ Researchers created passwords using nothing but the lowercase letter "a" on popular sites such as Amazon, Dropbox, Google, Instagram, LinkedIn, Netflix, Spotify, Uber, and Venmo.
✮ Researchers created accounts on Netflix and Spotify using the simplistic password "aaaa".
✮ Six websites did not have policies to prevent brute-force attacks: Apple, Dropbox, Google, Twitter, Venmo, and Walmart.
✮ 51% of consumer sites and 36% of enterprise sites do not require users to have a password of at least 8 characters.
✮ 48% of consumer sites and 27% of enterprise sites do not require alphanumeric characters.
✮ 76% of consumer sites and 72% of enterprise sites do not provide an on-screen password strength meter.
✮ 51% of consumer sites and 45% of enterprise sites do not feature brute-force protection.
✮ 32% of consumer sites and one enterprise site (Freshbooks) do not offer 2FA support.
✮ Of all the tested sites, only GoDaddy, Stripe, and QuickBooks obtained a perfect score in all five categories.
✮ Netflix, Pandora, Spotify, and Uber each failed at least one of the five criteria.
The full Dashlane research results, broken down per site, are available in the infographic below.