Cryptocurrency exchanges are woefully behind the times when it comes to forcing more complex password requirements on their customers. This vendor (which sells password management tools) tested the major exchanges for five simple criteria and found many don’t require alphanumeric passwords, send passwords in plain text emails, or don’t have any 2FA options.
Dashlane just announced the results of the first annual Cryptocurrency Exchange Password Power Rankings™. The rankings, which examined password and account security on 35 of the world’s most popular cryptocurrency exchanges, found that over 70% leave their users’ accounts perilously exposed to financial theft due to unsafe password practices.
Dashlane researchers tested each cryptocurrency exchange on five critical password and account security criteria. A site received a point for each criterion it met, for a maximum and passing score of 5/5. Any score below five was considered failing and not meeting the minimum threshold for good password security.
“Signing up for a cryptocurrency exchange is akin to signing up for a bank account,” states Emmanuel Schalit, CEO at Dashlane. “With your bank account, credit cards, bitcoin, and other digital assets potentially stored on the exchange, it’s critical that your account is locked down on the security front. The fact that most exchanges allow their users to create incredibly weak passwords should serve as a wake-up call to the entire industry.”
Critical Security Lapses
Despite the growing interest in cryptocurrencies, most of the leading exchanges fail to provide adequate password and account safeguards for their users. These inadequate levels of security leave the cryptocurrency holdings of millions of users in peril.
Dangerous Password Requirements: A staggering 43% of exchanges let users create accounts using passwords with seven or fewer characters, and 34% do not require alphanumeric passwords. Dashlane’s testers were repeatedly able to create accounts with weak passwords, such as “12345” and “password,” and in one case, using just the letter “a.”
Additionally, Dashlane found that less than 50% of exchanges provided users with password strength assessment tools during the account creation process.
Substandard Security: When compared to the results of Dashlane’s 2017 rankings of leading consumer websites, the cryptocurrency exchanges performed poorly. In the consumer rankings, which examined sites such as Apple, Facebook, and PayPal, only 36% received a failing score. That is in stark contrast to the 71% of cryptocurrency exchanges that failed Dashlane’s 2018 examination.
For an industry that prides itself on its cybersecurity innovations, the cryptocurrency exchanges are much weaker when it comes to password security than the average mainstream website.
Cryptocurrency Exchange Security Best Practices
It’s critical that the first thing you do when you log in to a new exchange is enable 2FA (two-factor authentication). Every legitimate exchange allows for 2FA, and there is no scenario where you should skip this step (check out Dashlane’s guide to buying Bitcoin safely).
For cryptocurrency and all digital accounts, these are a few easy actions that everyone should take to improve their own online security:
- Use a unique password for every online account
- Generate passwords that exceed the minimum of 8 characters
- Create passwords with a mix of case-sensitive letters, numbers, and special symbols
- Avoid using passwords that contain common phrases, slang, places, or names
- Use a password manager to help generate, store, and manage your passwords
The study was conducted by Dashlane researchers from March 12 – 19, 2018. The researchers evaluated five security criteria on 35 popular cryptocurrency exchanges. Only exchanges that allow users to create accounts in a browser were tested; those requiring a software or mobile app download were excluded. Dashlane tested each site a minimum of four times to confirm the accuracy of results. A site received a point for each criterion it met, for a maximum score of 5/5. A score of 5/5 was deemed passing and meeting the threshold for strong user password security. The rankings indicate the security level of each exchange with regard to passwords and account protections only.
8+ Character Password
Tested by creating a new account on each website. Dashlane researchers attempted to create passwords of fewer than 8 characters irrespective of the exchanges’ stated minimum password requirements.
Alphanumeric Password
Tested by creating a new account on each exchange. Researchers attempted to create passwords consisting of all letters (“password”) or all numbers (“111111”).
Password Strength Assessment
Tested by creating a new account on each exchange. If the exchange provided any notification, such as a meter or color-coded bar, it was credited as providing an assessment. Sites that only confirmed the password length, or only confirmed that the requirements were met, did not receive credit.
Account Creation Email
An exchange was credited if it sent the user a confirmation or activation email after the account was created. If the exchange sent the password in plain text, it did not receive credit.
Two-Factor Authentication (2FA)
Exchanges were credited if they provided any form of two-factor authentication.
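As an added illustration (not Dashlane’s or any exchange’s code), the following server-side signup policy enforces the study’s “8+ Character” and “Alphanumeric” criteria together with the best practices listed above (mixed case, special symbols, no common words), and provides the kind of coarse strength verdict the study credits as an assessment. The denylist is constructed from the weak passwords the page mentions; a real deployment would check against a large breached-password list.

```python
"""Signup password policy modelled on the criteria described on this page.
Added example, not Dashlane's or any exchange's code."""
import re
import string

MIN_LENGTH = 8  # the study's "8+ Character Password" criterion

# Constructed denylist: the weak passwords named on the page plus a few
# common phrases. Production systems should use a large breached-password list.
COMMON_PASSWORDS = {"password", "12345", "123456", "111111", "qwerty", "letmein", "a"}


def check_password(password: str) -> list[str]:
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # "Alphanumeric" criterion: all-letter or all-digit passwords fail.
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        failures.append("must mix letters and numbers")
    # Best practice: mix of case-sensitive letters.
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("must mix upper- and lower-case letters")
    # Best practice: at least one special symbol.
    if not any(c in string.punctuation for c in password):
        failures.append("must contain a special symbol")
    # Strip digits and symbols so "Password123!" is still caught as a common word.
    core = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        failures.append("contains a common word or phrase")
    return failures


def strength_label(password: str) -> str:
    """Coarse meter, like the colour-coded bar the study credits as an assessment."""
    failed = len(check_password(password))
    if failed == 0:
        return "strong"
    if failed <= 2:
        return "weak"
    return "very weak"


if __name__ == "__main__":
    for candidate in ("a", "12345", "password", "Password123!", "Fj9#kLq2!mZ7"):
        print(f"{candidate!r}: {strength_label(candidate)} {check_password(candidate)}")
```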
| Exchange | 8+ Char | Ltr & Num | Strength | 2FA | Total Score |
|----------|---------|-----------|----------|-----|-------------|