Even after the Heartbleed bug, some of the most popular websites aren't taking password security seriously, according to a study.
More than 80 percent of websites that were examined had subpar password security standards, according to Dashlane's Password Security Roundup report published Tuesday.
Dashlane, a password management company, examined 80 websites across six categories: dating, e-commerce, travel, productivity, social utilities and security.
Pawel Kopczynski / Reuters, file
Password security standards were found to be lacking at most websites examined by Dashlane.
Overall, 51 percent did not lock accounts after 10 incorrect password entries, 43 percent accepted the most commonly used passwords such as "password" or "123456" and 86 percent did not meet the requirements to score high enough to be considered adequately safe, Dashlane said.
The way the sites were ranked allowed for them to score between minus 100 to 100. To be considered to have an adequate password policy a website needed a score of 50.
What sites ranked the lowest?
Match.com had the worst password policies, followed by Hulu and Overstock, which both tied for second worst.
Match.com, for example, allowed users to create an account by using only the letter "a" as a password, the study said.
Other sites that scored poorly included Amazon, Groupon, Orbitz, and Victoria's Secret. CNBC requested comment from these companies via email when this embargoed story was released.
"We have always taken the security of our website and customer's personal information very seriously, and certainly long before this list was released," an Orbitz spokeswoman said, via email. "Password security does not necessarily guarantee website security, so we implement a series of industry standard security measures to keep our customer's information safe." She noted that customers can use passwords as long as 32 characters.
The site that scored the highest was Apple. The iPhone maker had a perfect score of 100. Hotmail came in second, followed by the Microsoft Store website and UPS.
To see all the scores of the sites that were measured, check out the report on Dashlane's website.
First published May 20 2014, 2:55 PM