Industry Leaders Security Rankings: Social Media Edition
- Blog
- Industry Leaders Security Rankings: Social Media Edition
If you’re reading this, chances are high you probably use some form of social media. You may even count yourself among the percentage of people who have had their accounts compromised. In a world in which over 3 billion people use social sites, opportunities are rife for cybercriminals to exploit password security vulnerabilities. Whether they can successfully do so depends on you, the user (for example, by using a strong password and two-factor authentication) and social media companies themselves, as they need to equip you with the tools to bolster password security.
Wondering how certain companies fare when it comes to offering security-first password policies? So were we. Relying on the same end user research driven approach we took with industry leading banks, we also recently evaluated the security-friendliness of social media password systems.
We again kept it to the top platforms (defined as most users) in the United States, which we identified as Facebook, Instagram, TikTok, and Snapchat.
For ease, we’ve recapped the criteria we used to assess password security below.
Does the social media company allow passwords that are at least 40 characters?
Experts advise passwords be strong and unique, with strength being best determined by randomness and length. In our note on How secure is my password we share: "Short passwords are far more susceptible to a brute force attack, where a computer or malicious software program goes through every 8-digit combination (or more) of characters until it finds a match."
For the purpose of this exercise, we’re specifically evaluating whether organizations allow users to create passwords that are at least 40 characters - a number we settled on because passphrases, which are increasingly popular, tend to be quite long. Plus, password managers - which help people generate, store, and manage passwords - can generate much longer passwords for enhanced security that may exceed the limit.
Does the social media company allow users to paste passwords?
This is a good thing. Password pasting enables the use of password managers, and autofill enables fast and easy logins.
Does the social media company offer two-factor authentication (2FA)?
This is a good thing. As we’ve said time and time again, two-factor authentication is more secure than simply using a username and password.
Does the social media company allow authenticator apps?
Does the social media company allow authenticator hardware?
These are both good. Authenticator apps and hardware add extra levels of strong protection and are more secure than SMS text messages.
Does the social media company send an email informing the user of a password reset?
Does the social media company require the user to log in again using the new password?
These are both practical steps. It’s prudent to alert users to a password change they may not have authorized. Requiring them to log in again is a security best practice.
The assessment includes a grade for each platform. To determine the grade, we assigned either ✅ (yes) or ⛔ (no) to the seven questions articulated above. For example, 7/7 is a perfect score, or 100% (sadly, no company received a perfect score!). A 5/7 is 71%, which is defined as Fair.
Below is a simple guide to the grading. Below that, you’ll see the grades for each company.
85-100%: Good
71-84%: Fair
0-70%: Room for Improvement
When it comes to end user password security friendliness, the almost-18-year-old Facebook leads the way.
We might be able to chalk this up to years of experience and events that forced the company to learn the hard way. The company almost nets a perfect score - and with almost 3 billion monthly active users, one would hope it facilitates the opportunity for strong passwords.
Password Security: Good
✅ Allows passwords ≥ 40 characters
✅ Allows users to paste passwords
✅ Offers two-factor authentication
✅ Allows authenticator apps
✅ Allows authenticator hardware
✅ Informs users of password reset
⛔ Does not require login using new password
PASSWORD SECURITY SCORE: 85%
Instagram, another Meta production, also makes a strong showing. The company has been around for almost 12 years, so it’s overdue in making the transition to allow authenticator hardware.
Password Security: Fair
✅ Allows passwords ≥ 40 characters
✅ Allows users to paste passwords
✅ Offers two-factor authentication
✅ Allows authenticator apps
⛔ Does not allow authenticator hardware
✅ Informs users of password reset
⛔ Does not require login using new password
PASSWORD SECURITY SCORE: 71%
A relatively young company, by social media standards, TikTok has a ways to go when it comes to end user password security friendliness.
It makes the cardinal errors of limiting password length and not offering 2FA. Authenticator apps and hardware aren’t an option, and it doesn’t take the simple step of informing users of a password reset.
Password Security: Room for Improvement
⛔ Does not allow passwords ≥ 40 characters
✅ Allows users to paste passwords
⛔ Does not offer two-factor authentication
⛔ Does not allow authenticator apps
⛔ Does not allow authenticator hardware
⛔ Does not inform users of password reset
✅ Requires login using new password
PASSWORD SECURITY SCORE: 28%
Snapchat’s tenure (10+ years) means there should be more progress on the authentication front.
Password Security: Room for Improvement
✅ Allows passwords ≥ 40 characters
✅ Allows users to paste passwords
✅ Offers two-factor authentication
✅ Allows authenticator apps
⛔ Does not allow authenticator hardware
⛔ Does not inform users of password reset
⛔ Does not require login using new password
PASSWORD SECURITY SCORE: 57%
Like Facebook, the 17-year-old YouTube comes out on top. This is helped by the fact that users sign into YouTube with their Google Accounts, so a user’s YouTube password is the same as his or her Google Account password.
Google has smart and strong password requirements in place. Its forward-thinking approach towards authenticator apps and hardware sets it apart, as does its common-sense practices related to basic password housekeeping such as informing users of password resets.
Password Security: Good
✅ Allows passwords ≥ 40 characters
✅ Allows users to paste passwords
✅ Offers two-factor authentication
✅ Allows authenticator apps
✅ Allows authenticator hardware
✅ Informs users of password reset
✅ Requires login using new password
PASSWORD SECURITY SCORE: 100%
There are a few patterns here. First, the older the company, the more likely they are to facilitate opportunities for end user password security. With one exception, these companies don’t limit password length and offer two-factor authentication.
When it comes to deficiencies, more companies need to take a page from Facebook and allow the use of both authenticator apps and authenticator hardware. They should also inform their users each time their passwords are reset. This is not hard and could pay off in dividends.
A strong social media password is important. Social media accounts usually hold a treasure trove of personal information that could be used for more sophisticated cyber-related attacks, such as social engineering and identity theft. And given how much people tend to disclose on social media, password breaches could also compromise one’s physical security.
How did your social media favorites perform? Follow Bitwarden on Twitter and let us know.
Ready to get started with a password manager today? Quickly get set up with a free Bitwarden account, or sign up for a 7-day free trial of our business plans so your business and colleagues can stay protected.
Catch up on the rest of the series to see how the top companies in the following industries fare when it comes to allowing consumers to utilize strong passwords: