How secure are web services? A new study conducted by password management service Dashlane analyzed 40 popular online portals and found that, in most cases, password policy doesn’t match expectations of consumer protection.

Using a set of five sample rules, the Dashlane study found that most companies came up short in at least one area — with some even allowing abysmal password options such as “aaaa” to access user accounts. Here’s a look at the breakdown.

Breaking the Rules

As noted by Bleeping Computer, Dashlane used five rules to evaluate password protection potential:

1. Does the website require user passwords of at least eight characters?
2. Does the site require a combination of letters, numbers and symbols?
3. Does the website offer an on-screen password strength meter?
4. Does the site provide brute-force protection?
5. Does the service provide two-factor authentication?

Of all services surveyed, only Stripe, QuickBooks and GoDaddy came up with all five, while popular sites such as Amazon, Dropbox, Google and LinkedIn struggled in specific areas. For example, Amazon and Google let researchers create passwords using only the lowercase letter “a,” while Netflix and Spotify allowed “aaaa” as a viable password.

Other sites, such as Twitter, Venmo and Walmart, didn’t offer brute-force protection, and the study found that 51 percent of consumer sites did not require passwords of eight characters or more. Also worth noting? Seventy-six percent of consumer sites and 72 percent of enterprise sites did not have on-screen password strength meters, while 32 percent of consumer sites lacked two-factor authentication.

Taking a Pass on Passwords

Ubiquity and ease of use means that despite inherent security flaws, passwords aren’t going anywhere — but a shift is underway. For example, Popular Science recommended that users avoid passwords such as “123456” or “password,” both of which made the list of most popular passwords in 2016. It then suggested that a solid password policy should require at least 10 characters.

But according to The Verge, password guru Bill Burr, who popularized password practices such as using numbers and special characters, said that these methods actually aren’t that effective when it comes to keeping accounts safe. Despite calls for random, character-variable passwords, users often employ the same techniques to randomize their credentials, making it easier for attackers to gain access.

So what does a secure password look like? As noted by MSPmentor, the new NIST Special Publication 800-63 recommended that users create passwords that are unique, easy to remember and at least eight characters long. The publication also suggested that users should shelve advice about changing passwords regularly, since this requirement often leads them to choose simple passwords that are only slight variations of their original choice.

In addition, enterprises should implement password-checking technology that automatically rejects common passwords. There’s also research to suggest that longer passwords containing a series of unique, memorable words offer much greater defense against automated brute-force cracking methods.

Finding the Password Policy Balance

Consumer and corporate password policies aren’t perfect. As noted by the Dashlane research, some companies come up short, and even those offering maximum protection are undermined by the inherently insecure nature of password-based credentials. Ideally, web services and corporate portals need to find a balance between on-screen assurances of strength and password rules that help deter threat actors without unduly inconveniencing users.

For companies, this actually amounts to good news: Fewer password changes mean fewer headaches for IT experts and reduced stress on employees. Not to mention, a shift away from special character combinations gives users a better shot at coming up with something that actually offers protection.

Bottom line? Passwords such as “aaaa” are awful, but “P@s5W0rd!” isn’t much better. Letting users choose longer passwords they’ll actually remember and only demanding changes in the event of an actual breach could help shore up password policy without creating new protection problems.