These video-calling apps have the sketchiest security practices, according to researchers

Doxy.me is a telemedicine platform used by doctors and therapists. It got the lowest marks of Mozilla's evaluation because it's only hosted through web browsers — meaning security falls to browsers, rather than an in-house app — it's unclear how Doxy.me manages potential vulnerabilities, and its password requirements are low.

"Our researcher found that the weak password '123' was an acceptable password," Mozilla wrote. "This is all a bit frightening for a video call app targeted at doctors, therapists, and their potentially vulnerable patients."

Doxy.me founder Brandon Welch told Business Insider that the company is in the process of upping its password requirements. The company doesn't store any information — only hosts video calls — so it prioritized usability over maximum security for patients, Welch said. He added that most doctors verify new patients' identity by asking for information like their date of birth, similar to traditional doctor's offices.

While Mozilla researchers wrote that they were unable to determine how Doxy.me manages vulnerabilities, the company's security analyst, Pat Thompson, told Business Insider that it uses penetration testing and consults security researchers. Thompson said he's telling Mozilla about the measures and expects them to update their rating in response.

Read Mozilla's full report here.

Houseparty didn't meet Mozilla's baseline security standards, primarily because of its weak password standards.

"Password requirement is a minimum of 5 characters and the weak password of '12345' was accepted," Mozilla researchers wrote.

A Houseparty spokesperson told Business Insider that the company is improving its security.

"Houseparty maintains industry trusted encryption and security measures to protect customer data," the spokesperson said. "We are continuously reviewing and improving security practices at Houseparty and remind all of our users it's a best practice to use strong passwords."

Discord primarily hosts forums and group messages between large numbers of people, but it does also have built-in tools for private video calls. Mozilla acknowledges as much, but notes that Discord's privacy requirements are especially lax — its researchers were able to set "111111" as a password.

A Discord spokesperson told Business Insider that the company is working with Mozilla "to ensure they have all the information regarding our privacy and security features."

"Regarding passwords, we have updated our settings to prevent passwords that aren't complex enough or that have been previously compromised by another service from being used," the Discord spokesperson said. "In addition, we use a feature called IP Location Lock that provides deep protection for our users and encourage all our users to adopt two-factor authentication."

While FaceTime meets Mozilla's basic security requirements, the nonprofit dinged it for not requiring a password for person-to-person calls.

The business-focused video call app checks all the boxes in Mozilla's evaluation, but Mozilla dings its owner, Verizon, for opposing net neutrality, warning that it could theoretically throttle other video call apps on its network in favor of BlueJeans.

Microsoft Teams, which received top marks from Mozilla, has touted its security measures in the past month as its competitor Zoom faced a wave of scrutiny over Zoom-bombing attacks.

Messenger, which offers video chat, got a high score from Mozilla for its regular bug fixes, encryption, and password protections. However, Mozilla notes that Messenger's privacy policy states that it "can use the camera feature to collect data on you."

"Skype lets users blur their background for extra privacy, use real-time language translation and unlike some of the other apps on our list, call regular phone numbers," Mozilla's report reads. It also praises Skype's end-to-end encryption and strong password standards.