Preventing the use of weak and leaked passwords within an enterprise environment is a manageable task for your IT department, but what about other services where end-users share business-critical data in order to do their work? They could be putting your organization at risk, and the team at Specops Software decided to see for sure.
Specops Software investigated the requirements of five common web services to see if leaked passwords could open the door for hackers looking for company information outside of the Active Directory network.
In other words, if a hacker is unable to access a company’s data directly, they might use the backdoor approach of accessing a service used by the company to learn where that company is vulnerable. We know this type of shadow IT is risky for organizations, as it falls beyond the jurisdiction of most IT security teams—this data shows us just how risky it can be.
The Specops dev team investigated five popular services from a variety of industries such as ecommerce, project management, email marketing, and customer support.
The analysis compared the password requirements against a subset of the Specops Breached Password Protection list, containing 1 billion known compromised passwords.
1. Shopify
The ecommerce giant, Shopify, is used by more than 3.9 million live websites globally. While Shopify does offer two-factor authentication (2FA), it is not a requirement when creating an account. Shopify does not perform a compromised password check.
Shopify’s password requirements:
Your password must be at least 5 characters, and can’t begin or end with a space
When checking the list of 1 billion known breached passwords, the Specops researchers found that 99.7% of the passwords meet Shopify’s requirements.
Shopify doesn’t prevent the use of the word Shopify in passwords on the service, resulting in 18 passwords found containing the name, such as shopifyseoexpert, shopify, shshopify, myshopify, and shopify123.
2. Zendesk
Zendesk, a SaaS company providing customer communication and support services, offers 2FA when creating a new account with the service, but it is not a requirement. Zendesk does not perform a compromised password check, resulting in known compromised passwords being accepted. Unfortunately, less than 2% of the known compromised passwords tested were blocked by Zendesk’s password policy.
Zendesk’s password requirements include:
Must be at least 5 characters
Must be fewer than 128 characters
Must be different from email address
The Specops research revealed that of the 1 billion compromised passwords analyzed, 99.03% satisfy the Zendesk password requirements, which require at least 5 characters and that the password not be the same as the account’s email address.
Zendesk doesn’t prevent the use of the company name in the password, resulting in five compromised passwords found containing the word Zendesk.
3. Trello
The Kanban-style project management service, Trello, blocked less than 13% of known breached passwords. Trello does offer 2FA but this is not a requirement when creating an account, and it does not perform a compromised password check.
Trello’s password requirement is that a password must have at least 8 characters.
Of the 1 billion known breached passwords checked, 82.9% meet Trello’s requirement of 8 characters in length. Trello does not stop the use of the word Trello in password creation, which resulted in 1454 passwords containing the name in the analyzed dataset.
4. Stack Overflow
Stack Overflow, a public forum where developers go to learn and share knowledge, employs more complexity in its password policy, which blocks nearly half (46%) of the 1 billion compromised passwords analyzed. Stack Overflow does not appear to offer 2FA or perform a compromised password check.
Stack Overflow’s password requirements:
Passwords must contain at least eight characters, including at least 1 letter and 1 number
Stack Overflow does not block the use of the service name in passwords, resulting in compromised passwords such as stackoverflow1993, stackoverflow1, and stackoverflow1111 being allowed.
5. Mailchimp
The email marketing service Mailchimp is the best performing of the work-related services analyzed and blocked 98% of known compromised passwords. This is thanks to enforcing a complex password policy, although it is likely this level of complexity can cause other poor password behaviors such as password reuse and passwords being written down. Mailchimp does not require 2FA, perform a compromised password check, or block the use of the word mailchimp in passwords.
Mailchimp’s password requirements:
One lowercase character
One uppercase character
One special character
8 characters minimum
While Mailchimp would successfully block 98.7% of known breached passwords based on the password requirements alone, the fact that the service doesn’t check for compromised passwords means that Password1!, a password that appears on the Specops Breached Password Protection list, is allowed.
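The comparison above can be reproduced on a small scale. As an added example that is not Specops’ research code, the five password policies quoted in this article are encoded as predicates and run against a constructed stand-in for the breached-password list; the sample passwords, the `ACCOUNT_EMAIL` value and all function names are assumptions. A local compromised-password check is then layered on top of the policy to show why Password1! satisfies Mailchimp’s complexity rules and still has to be rejected.

```python
"""Added example (not Specops' code): the five stated policies as predicates,
run against a constructed breached-password sample, plus a layered check."""
from typing import Callable, Dict, List

ACCOUNT_EMAIL = "user@example.com"  # assumed account email for the Zendesk rule


def shopify_ok(pw: str) -> bool:
    """Shopify: at least 5 characters, may not begin or end with a space."""
    return len(pw) >= 5 and not pw.startswith(" ") and not pw.endswith(" ")


def zendesk_ok(pw: str) -> bool:
    """Zendesk: at least 5 and fewer than 128 characters, not the email address."""
    return 5 <= len(pw) < 128 and pw.lower() != ACCOUNT_EMAIL.lower()


def trello_ok(pw: str) -> bool:
    """Trello: at least 8 characters."""
    return len(pw) >= 8


def stackoverflow_ok(pw: str) -> bool:
    """Stack Overflow: at least 8 characters including a letter and a number."""
    return (len(pw) >= 8
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def mailchimp_ok(pw: str) -> bool:
    """Mailchimp: 8+ characters with one lowercase, one uppercase, one special."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(not c.isalnum() for c in pw))


POLICIES: Dict[str, Callable[[str], bool]] = {
    "Shopify": shopify_ok,
    "Zendesk": zendesk_ok,
    "Trello": trello_ok,
    "StackOverflow": stackoverflow_ok,
    "Mailchimp": mailchimp_ok,
}

# Constructed stand-in for the 1-billion-entry breached list in the article.
BREACHED = frozenset([
    "password", "123456", "abc", "qwerty", "trello",
    "shopify123", "myshopify", "zendesk1", "stackoverflow1993",
    "Password1!", "P@ssw0rd", ACCOUNT_EMAIL,
])


def accepted_by_policy(service: str, passwords) -> List[str]:
    """Passwords the service's stated policy alone would let through."""
    return [pw for pw in passwords if POLICIES[service](pw)]


def block_rate(service: str, breached=BREACHED) -> float:
    """Percentage of the breached sample that the policy alone blocks."""
    accepted = accepted_by_policy(service, breached)
    return round(100.0 * (1 - len(accepted) / len(breached)), 1)


def name_hits(service: str, breached=BREACHED) -> List[str]:
    """Accepted breached passwords that contain the service's own name."""
    return sorted(pw for pw in accepted_by_policy(service, breached)
                  if service.lower() in pw.lower())


def check(service: str, pw: str, breached=BREACHED) -> str:
    """Layered decision: stated policy, then breached-list check, then name check."""
    if not POLICIES[service](pw):
        return "rejected: fails policy"
    if pw in breached:
        return "rejected: known compromised"
    if service.lower() in pw.lower():
        return "rejected: contains service name"
    return "accepted"


if __name__ == "__main__":
    for service in POLICIES:
        print(f"{service:14s} blocks {block_rate(service):5.1f}% of sample; "
              f"name hits: {name_hits(service)}")
    for pw in ("Password1!", "Mailchimp2024!", "Long-unique-phrase-9"):
        print(f"Mailchimp  {pw!r:24} -> {check('Mailchimp', pw)}")
```

Running the script prints the block rate and service-name hits per policy for the sample, then shows the three Mailchimp outcomes: Password1! clears the complexity rule but is caught by the breached-list check, a password containing the service name is caught by the name rule, and only a password that is long, unique and free of the service name is accepted. In production the membership test would run against a full breached list (or a k-anonymity range API) rather than an in-memory set, but the layering order is the point.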
When you’re trusting any company information to third-party websites or applications, you’re putting that data at risk of a breach. It’s vital to fully vet the vendors you plan on doing business with, especially when they’re housing business-critical data like payment information, code, or sensitive user data.
First things first, make sure your organization isn’t exposed to known breached passwords with a tool like Specops Password Policy, which blocks over 2 billion leaked passwords, and counting, in real time. You can test it out for free in your Active Directory to put your clients’ and IT department’s minds at ease.
Next steps include looping in your end-users to make sure they’re vetting these third-party sites with the IT department before setting up company accounts. Establish a process for downloading or employing web apps that is a standard part of your operating principles. Make sure end-user education includes the risks of trusting your data to an untrustworthy host.
Finally, it’s time to consider using a password manager. With password policies baked in, shared vaults for more secure collaboration, and password generators that create and store secure options, they’re a great alternative to putting the responsibility into your end-users’ hands.
Sponsored by Specops