In its third-quarter WebMonitor of participant websites, DALBAR focused on passwords, "driven by the growing national concern over cyber security that now requires plan fiduciaries take an active interest in how well participants' data and assets are being protected."

Here are the top 5:

1. TIAA: TIAA came out on top, by having the best password practices among leading retirement plan providers.

Not only does its Security Center provide details about how participants are protected, how they can protect themselves and how to recognize and report fraud, it also monitors password creation by presenting users with a visual requirement checklist that enables passwords to be created quickly but at the same time ensures that complexity requirements are met.

2. Principal Financial: Principal Financial, in second place, provides resources with insights into what the firm does to protect website users. It highlights measures users can take to protect themselves, provides current fraud/scam alerts and gives users a mechanism to report security concerns.

3. Wells Fargo: Wells Fargo, in third place, provides clear complexity requirements, as well as a listing of password do's and don'ts so that users can't go wrong.

4. Merrill Lynch: Merrill Lynch, in fourth place, "is among the top in Functionality and Usability," says DALBAR, adding that it "clearly lays out its password requirements and excels in its offering of resources geared toward guiding participants to operating safely while online."

5. VALIC: In fifth place for the first time, VALIC has a participant site that "houses a highly comprehensive security center." In addition, its password creation standard is the industry high for password length, the report says, capitalizing on the fact that longer passwords are stronger passwords.