Industry Leaders Security Rankings: Personal Email Services Edition
- ブログ
- Industry Leaders Security Rankings: Personal Email Services Edition
Nearly everyone uses a personal email service, which is why it’s particularly important that email services easily utilize strong and unique passwords. Bitwarden recently examined the top 5 personal email services (ranked by total users; they are Gmail; Yahoo! Mail; Microsoft Outlook; iCloud; AOL). The criteria used and the numerical grading system is the same as our previous entries examining industry leaders' security rankings.
Is your personal email service password-friendly? We explore further below.
The criteria used to assess password security are:
Does the email service allow passwords that are at least 40 characters?
Experts advise passwords be strong and unique, with strength being best determined by long, random passwords. In our note on How secure is my password we share, "Short passwords are far more susceptible to a brute force attack, where a computer or malicious software program goes through every 8-digit combination (or more) of characters until it finds a match."
For the purpose of this exercise, we’re specifically evaluating whether organizations allow users to create passwords that are at least 40 characters - a number we settled on because passphrases, which are increasingly popular, tend to be quite long. Plus, password managers - which help people generate, store, and manage passwords - can generate much longer passwords for enhanced security that may exceed the limit.
Does the email service allow users to paste and autofill passwords?
This is a good thing. Password pasting enables the use of password managers, and autofill enables fast and easy logins.
Does the email service offer two-factor authentication (2FA)?
This is a good thing. As we’ve said time and time again, two-factor authentication is more secure than simply using a username and password.
Does the email service allow authenticator apps?
Does the email service allow authenticator hardware?
These are both good. Authenticator apps and hardware add extra levels of strong protection and are more secure than SMS text messages.
Does the email service send an email informing the user of a password reset?
Does the email service require the user to login again using the new password?
These are both practical steps. It’s prudent to alert users to a password change they may not have authorized. Requiring them to login again is a security best practice.
The assessment includes a grade for each company. To determine the grade, we assigned either an ✅ (good) and an ⛔ (not good) to the seven questions articulated above. For example, 7/7 ✅ is a perfect score, or 100%. A 5/7 is 71%, which is defined as ‘fair’’.
Below is a simple guide to the grading. Below that, you’ll see the grades for each bank.
85-100%: Good
71-84%: Fair
0-70%: Room for Improvement
Coming in hot with a perfect score is the wildly popular Gmail which brings it home in every category. Password pasting? Check. 2FA? Check. Authenticator hardware? Check. When it comes to password security, the folks over in Mountain View are doing something right.
Password Security: Good
✅ Allows passwords that are ≥ 40 characters
✅ Allows users to paste passwords
✅ Offers two-factor authentication
✅ Allows authenticator apps
✅ Allows authenticator hardware
✅ Informs users of password reset
✅ Requires login using new password
PASSWORD SECURITY SCORE: 100%
Also performing well is Yahoo Mail. While it has since been usurped by Google in overall popularity, it meets nearly every best practice we’ve identified.
Password Security: Good
✅ Allows passwords that are ≥ 40 characters
✅ Allows users to paste passwords
✅ Offers two-factor authentication
✅ Allows authenticator apps
✅ Allows authenticator hardware
✅ Informs users of password reset
⛔ Does not require login using new password
PASSWORD SECURITY SCORE: 85%
Microsoft Outlook continues the password security winning streak, with a 6/7 in the scoring department. Authenticator hardware notwithstanding, its security criteria is robust.
Password Security: Good
✅ Allows passwords that are ≥ 40 characters
✅ Allows users to paste passwords
✅ Offers two-factor authentication
✅ Allows authenticator apps
⛔ Does not allow authenticator hardware
✅ Informs users of password reset
✅ Requires login using new password
PASSWORD SECURITY SCORE: 85%
iCloud puts an end to the ‘Good’ streak, coming in with a 71% score. In this case, Apple doesn’t allow for authenticator apps and does not require users to login again using a new password.
Password Security: Fair
✅ Allows passwords that are ≥ 40 characters
✅ Allows users to paste passwords
✅ Offers two-factor authentication
⛔ Does not allow authenticator apps
✅ Allows authenticator hardware
✅ Informs users of password reset
⛔ Does not require login using new password
PASSWORD SECURITY SCORE: 71%
While it may come as a surprise, 90s email favorite AOL is still alive and kicking. It’s also doing a nice job on the password security front, with a nearly-perfect score.
Password Security: Good
✅ Allows passwords that are ≥ 40 characters
✅ Allows users to paste passwords
✅ Offers two-factor authentication
✅ Allows authenticator apps
✅ Allows authenticator hardware
✅ Informs users of password reset
⛔ Does not require login using new password
PASSWORD SECURITY SCORE: 85%
Unlike other services (we’re talking to you, streaming services!), the personal email services evaluated here are pretty buttoned up when it comes to password security. As they should be. The amount of data flowing in and out of these services is just tremendous. At times, it's personal and proprietary information.
While consumers can take a little bit of solace in this, they should still prioritize the use of strong and unique passwords (and different passwords for each site, as password reuse can compromise multiple data sources). They should also deploy 2FA solutions where available.
So, how did your favorite email service perform? Follow Bitwarden on Twitter and let us know.
Ready to get started with a password manager today? Quickly get set up with a free Bitwarden account, or sign up for a 7-day free trial of our business plans so your business and company colleagues can stay protected.
Catch up on the rest of the series to see how the top companies in the following industries fare when it comes to allowing consumers to utilize strong passwords: