Virtualization Technology News and Information
Specops Research Reveals Major Weaknesses in Five Popular Web Services

Specops Software released new research finding major cybersecurity weaknesses in popular web services including Shopify, Zendesk, Trello, and Stack Overflow.

Amid a wave of cybersecurity incidents related to the COVID-19 pandemic, remote work, and nation-state activity, password security is more important than ever. However, this new research reveals that several popular business web applications have failed to implement critical password and authentication requirements to protect customers from cybercrime. Specops' analysis found inadequate password and authentication requirements that could leave customers vulnerable, including allowing users to set weak and breached passwords, often with little or no strong authentication in place. On the other hand, email marketing service Mailchimp proved to be the most secure service analyzed, blocking 98% of known breached passwords.

Detailed findings about each service's password requirements include:

  • Shopify fails to prevent any compromised passwords, with its only requirement that passwords be at least 5 characters. When checking the list of 1 billion known breached passwords, the Specops researchers found that 99.7% of the passwords meet Shopify's requirements.
  • Zendesk prevents less than 2% of compromised passwords, with password requirements including that passwords be a minimum of 5 characters, fewer than 128 characters, and different from a user's email address.
  • Trello blocks less than 13% of compromised passwords, requiring only that passwords be at least 8 characters in length.
  • Stack Overflow - the runner-up in Specops' analysis - prevents 46% of compromised passwords, with requirements that passwords be a minimum of 8 characters and include a number and special character.
  • Mailchimp blocks 98% of known compromised passwords, with requirements including an 8 character minimum and a mix of upper and lower case letters, numbers, and special characters.

"What's troubling about these findings is that when hackers can't access a company's data directly, they often use a backdoor approach, accessing a service used by the company or its employees to identify vulnerabilities," said Darren James, Head of Internal IT, Specops Software. "To compensate, IT departments should work to reduce the overall password burden, employing tools such as an enterprise password manager and blocking the use of weak and compromised passwords. Additionally, employees should be strongly encouraged to use multi-factor authentication whenever possible."

Shopify, Zendesk, Trello, and Mailchimp offer multi-factor authentication as an option when creating an account, but it is not a requirement. While Mailchimp and Stack Overflow have the most stringent password requirements of the services analyzed, neither requires multi-factor authentication or checks user passwords against compromised passwords.
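The rules listed above can be expressed as simple predicates, which makes the article's point easy to reproduce: length and character-class requirements say nothing about whether a password is already public. The following Python is an added example written for this page; it is not code from Specops or from any of the services named, and the breached-password sample in it is constructed for illustration (it stands in for, and is in no way representative of, the 1-billion-entry list the researchers used). It also shows the mitigation the article calls for: applying a breached-password blocklist on top of the complexity rule.

```python
import hashlib
import re

# Constructed sample standing in for a breached-password corpus. It is NOT the
# 1-billion-entry list the Specops researchers checked; it only illustrates how
# length/complexity rules interact with passwords that are already public.
SAMPLE_BREACHED = [
    "123456", "password", "qwerty", "abc123", "letmein", "Passw0rd!",
    "Summer2022!", "iloveyou", "admin", "P@ssword1", "passw0rd!",
]

# Each rule mirrors the requirement the article attributes to that service.
def shopify_rule(pw: str) -> bool:
    return len(pw) >= 5

def zendesk_rule(pw: str, email: str = "") -> bool:
    return 5 <= len(pw) < 128 and pw.lower() != email.lower()

def trello_rule(pw: str) -> bool:
    return len(pw) >= 8

def stackoverflow_rule(pw: str) -> bool:
    return (len(pw) >= 8
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def mailchimp_rule(pw: str) -> bool:
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

POLICIES = {
    "Shopify": shopify_rule,
    "Zendesk": zendesk_rule,
    "Trello": trello_rule,
    "Stack Overflow": stackoverflow_rule,
    "Mailchimp": mailchimp_rule,
}

def count_accepted(rule, passwords) -> int:
    """Number of passwords the rule would let a user set."""
    return sum(1 for pw in passwords if rule(pw))

def evaluate_policies(passwords=SAMPLE_BREACHED) -> dict:
    """Accepted count per service against the (constructed) breached sample."""
    return {name: count_accepted(rule, passwords)
            for name, rule in POLICIES.items()}

# Mitigation the article calls for: reject anything on a breached-password
# blocklist. The list is stored as SHA-1 digests (the digest commonly used for
# published corpora) so the plaintext set need not sit next to the application.
def build_blocklist(breached) -> set:
    return {hashlib.sha1(pw.encode("utf-8")).hexdigest() for pw in breached}

BLOCKLIST = build_blocklist(SAMPLE_BREACHED)

def accept_password(pw: str, rule=mailchimp_rule, blocklist=BLOCKLIST) -> bool:
    """Complexity rule AND not known-breached: 'Summer2022!' passes the rule
    but is rejected because it is on the blocklist."""
    if not rule(pw):
        return False
    return hashlib.sha1(pw.encode("utf-8")).hexdigest() not in blocklist

if __name__ == "__main__":
    total = len(SAMPLE_BREACHED)
    for name, accepted in evaluate_policies().items():
        print(f"{name:15s} accepts {accepted}/{total} breached passwords")
    print("Mailchimp rule + blocklist accepts 'Summer2022!':",
          accept_password("Summer2022!"))
```

Running it shows the length-only rules (Shopify, Zendesk) accepting every entry in the sample, the complexity rules accepting fewer, and the blocklist-backed check rejecting a password that satisfies even the strictest complexity rule; in production the blocklist would be the full breach corpus or a k-anonymity lookup against one rather than a set built in memory.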

To learn more about issues related to password requirements, check out Specops Software's 2022 Weak Password Report.
Published Tuesday, July 19, 2022 8:10 AM by David Marshall