The Bitwarden Blog

Industry Leaders Security Rankings: Health and Fitness Apps

B
authored by:Bitwarden
posted:
Link Copied!
  1. Blog
  2. Industry Leaders Security Rankings: Health and Fitness Apps

Do fitness applications allow consumers to easily utilize strong and unique passwords? Bitwarden recently examined just that in its review of the top 5 health and fitness applications, as ranked by app usage: Nike Run Club, Planet Fitness, Calm, Fitbit, and My Fitness Pal. 

Fitness app revenue skyrocketed between 2016 and 2021, no doubt in part due to pandemic-induced gym closures. Research and Markets anticipates the fitness app market will grow to $23.98 billion by 2026.

Similar to the other industries evaluated by Bitwarden (such as banking, e-commerce, TV streaming) there’s a good chance consumers utilize multiple health and fitness applications. They’re probably being used cross-platform (on laptops, tablets, and phones) and likely involve the storage of financial information. This makes the need for strong and unique passwords all the more urgent. 

Are your health and fitness applications password-friendly? We explore further below. The criteria used and the numerical grading system is the same as our previous entries for banks, social media, TV streaming, personal email services, and e-commerce

Criteria

The criteria used to assess password security are:

Does the health and fitness app allow passwords that are at least 40 characters?

Experts advise passwords be strong and unique, with strength being best determined by long, random passwords. In How secure is my password we note, "Short passwords are far more susceptible to a brute force attack, where a computer or malicious software program goes through every 8-digit combination (or more) of characters until it finds a match."

For the purpose of this exercise, we’re specifically evaluating whether organizations allow users to create passwords that are at least 40 characters - a number we settled on because passphrases, which are increasingly popular, tend to be quite long. Plus, password managers - which help people generate, store, and manage passwords - can generate much longer passwords for enhanced security that may exceed the limit. 

Does the health and fitness app allow users to paste and autofill passwords?

This is a good thing. Password pasting enables the use of password managers, and autofill enables fast and easy logins

Does the health and fitness app offer two-factor authentication (2FA)?

This is a good thing. As we’ve said time and time again, two-factor authentication is more secure than simply using a username and password. 

Does the health and fitness app allow authenticator apps?

Does the health and fitness app allow authenticator hardware?

These are both good. Authenticator apps and hardware add extra levels of strong protection and are more secure than SMS text messages. 

Does the health and fitness app send an email informing the user of a password reset?

Does the health and fitness app require the user to login again using the new password?

These are both practical steps. It’s prudent to alert users to a password change they may not have authorized. Requiring them to login again is a security best practice

Password Security Scoring System

The assessment includes a grade for each company. To determine the grade, we assigned either an ✅ (good) and an ⛔ (not good) to the seven questions articulated above. For example, 7/7 ✅ is a perfect score, or 100%. A 5/7 is 71%, which is defined as ‘fair’’.

Below is a simple guide to the grading. Below that, you’ll see the grades for each bank.

Grading Guide

85-100%: Good

71-84%: Fair 

0-70%: Room for Improvement

Nike Run Club

Nike Run Club

While Nike Run Club scores points for its password length and password pasting policies, it falls short in a few important areas. At the very least, it should be enabling users to utilize 2FA. 

Password Security: Room for Improvement

✅ Allows passwords ≥ 40 characters

✅ Allows users to paste passwords 

⛔ Does not allow two-factor authentication

⛔ Does not allow authenticator apps 

⛔ Does not allow authenticator hardware 

✅ Informs users of password reset 

⛔ Does not require login using new password

PASSWORD SECURITY SCORE: 42%

Planet Fitness

Planet Fitness

Similar to NRC, the Planet Fitness app does not limit password length and allows users to paste passwords. But, it also drops the ball when it comes to 2FA and doesn’t take the necessary step of informing users of a password reset. 

Password Security: Room for Improvement

✅ Allows passwords ≥ 40 characters

✅ Allows users to paste passwords 

⛔ Does not allow two-factor authentication

⛔ Does not allow authenticator apps 

⛔ Does not allow authenticator hardware

⛔ Does not inform users of password reset

✅ Requires login using new password

PASSWORD SECURITY SCORE: 42%

Calm

calm

Calm pulls ahead of the pack with a slightly more favorable password management landscape. While it does not enable 2FA, it informs users of password resets and requires they login again with their new passwords (along with allowing for unlimited passwords and allowing users to paste passwords).

Password Security: Room for Improvement

✅ Allows passwords ≥ 40 characters

✅ Allows users to paste passwords 

⛔ Does not allow two-factor authentication

⛔ Does not allow authenticator apps 

⛔ Does not allow authenticator hardware 

✅ Informs users of password reset 

✅ Requires login using new password 

PASSWORD SECURITY SCORE: 57%

FitBit

fitbit

You might think a Google-owned company would score a little higher than 42%, yet that’s where FitBit lands. Its fundamentals - refusing to limit password length, allowing users to paste passwords, and offering 2FA - are sound. But, it could do better in the ‘nice to have’ categories. 

Password Security: Room for Improvement

✅ Allows passwords ≥ 40 characters

✅ Allows users to paste passwords 

✅ Offers two-factor authentication

⛔ Does not allow authenticator apps 

⛔ Does not allow authenticator hardware 

⛔ Does not inform users of password reset 

⛔ Does not require login using new password

PASSWORD SECURITY SCORE: 42%

My Fitness Pal

My Fitness Pal

Continuing the “42%” trend is My Fitness Pal, which falters in the 2FA, authenticator apps/hardware, and requiring login categories. If My Fitness Pal wanted to make improvements, it should start by enabling 2FA and go from there. 

Password Security: Room for Improvement

✅ Allows passwords ≥ 40 characters

✅ Allows users to paste passwords 

⛔ Does not allow two-factor authentication

⛔ Does not allow authenticator apps 

⛔ Does not allow authenticator hardware 

✅ Informs users of password reset 

⛔ Does not require login using new password

PASSWORD SECURITY SCORE: 42%

Conclusion

When it comes to password security protocols, health and fitness apps make a pretty dismal showing. The bottom line? Consumers who are using these services should prioritize using strong and unique passwords (and different passwords for each site, as password reuse can compromise multiple data sources) whenever they can. This first line of defense will go a long way towards protecting data. 

Remembering a bunch of passwords (according to Bitwarden’s 2022 World Password Day Survey, 55% of global consumers rely on memory to manage their passwords) is tricky to say the least. Use a password manager, which allows users to generate, store, and secure data in an end-to-end encrypted vault. 

Utilizing 2FA would be our second suggestion, so we’re hoping the other apps reviewed here take a page from FitBit and get in on the multi-factor game. 

So, how did your favorite health and fitness app perform? Follow Bitwarden on Twitter and let us know.

Get Started with Bitwarden

Ready to get started with a password manager today? Quickly get set up with a free Bitwarden account, or sign up for a 7-day free trial of our business plans so your business and company colleagues can stay protected.

Industry Leaders Security Rankings Series

Catch up on the rest of the series to see how the top companies in the following industries fare when it comes to allowing consumers to utilize strong passwords:

Link Copied!
Back to Blog

Get started with Bitwarden today.

Create your free account

Level up your cybersecurity knowledge.

Subscribe to the newsletter.


© 2024 Bitwarden, Inc. Terms Privacy Cookie Settings Sitemap

This site is available in English.
Go to EnglishStay Here