Groupon and Orbitz fell seriously short of adequate password security, according to a recent study.

The two Chicago-based companies tied for 74th least secure out of 83 websites the password management company Dashlane studied. The report found that Groupon allowed people to use “password” as a password, did not lock accounts after 10 incorrect logins, did not send a change of password confirmation email, and did not provide an on-screen password strength meter. Orbitz was found to have the same shortcomings except it did send users a password confirmation email, Dashlane said.

According to the report, 86 percent of the websites that were studied did not score high enough to be considered adequately safe. Just over 51 percent did not lock accounts after 10 incorrect logins, and 43 percent allowed passwords such as “123456” and “password.”

The websites were measured on a scale from 100 to minus 100, with 50 being an adequate score. Groupon and Orbitz were both at -45.

Chicago-based GrubHub was also evaluated in the study with a score of 7.5. While not being considered “adequate” by Dashlane’s standards, it at least had an on-screen password strength meter, sent a change of password email, and didn’t allow “password” as a password. It ranked 32nd best out of the 83 sites.

Match.com had the worst password security, according to the report. Overstock and Hulu tied for second worst.

Apple ranked first in the study with a perfect score of 100, followed by Windows Live/Hotmail, the Microsoft Store, and UPS.

Dashlane Password Manager - Security Roundup

Graphic via Dashlane