The password policies of too many websites fail to follow best practices, says Princeton University. Its researchers investigated the password policies of 120 of the most popular English-language websites. The results are shocking: only 13% (15 of 120) followed all relevant best practices. It shows that the faster we move to a passwordless world, the better.
The research is being published in the Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022). It was carried out by Kevin Lee, Sten Sjöberg and Arvind Narayanan. They all work in the Department of Computer Science and Center for Information Technology Policy at Princeton University.
What did the research look for in password policies?
Lee, Sjöberg and Narayanan wanted to see how effective password creation policies (PCP) were. They set out to ask three questions:
- Are websites preventing users from using the most common passwords?
- Are websites using password strength meters to encourage strong passwords?
- What PCPs are used by top websites? What are the security-usability tradeoffs of those PCPs?
They also set out criteria for security:
- Allowed 5 or fewer of the 40 most common leaked passwords and easiest-to-guess passwords (e.g., “12345678”, “rockyou”)
- Required passwords be no shorter than 8 characters OR employed a password strength meter that accurately measured a password’s resistance to being guessed by an adversary
Finally, they addressed the issue of usability:
- Did not impose any character-class requirements.
It’s an interesting set of criteria to use and one that will cause much discussion. One of the biggest discussion points is likely to be special characters. The security industry has flip-flopped on this over the last decade. First, no composition rules at all. Then upper-case letters and numbers plus a handful of special characters. Then a mix of all of them. Current guidance, including NIST SP 800-63B since 2017, advises against composition rules altogether in favour of length and blocklists, but in practice it still depends on whom you talk to.
However, the most interesting test is whether a site stops people from using commonly leaked passwords. All this requires is a block list containing the most common passwords, checked at the point the password is chosen. While it sounds like common sense, it seems that few sites do this, and even those that do make a very limited effort.
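As an added illustration (not the researchers' code), the following Python implements the study's three best-practice criteria as a password-creation check and places it beside a typical composition-rule policy for contrast. The blocklist is a constructed ten-entry sample standing in for the study's 40-entry list, and the "stem" check that folds P@ssw0rd1 back to password goes beyond the exact-match test the study performed.

```python
"""
Password-creation-policy (PCP) checker modelled on the three criteria the
Princeton study scored sites against:
  1. reject the most common leaked / easily guessed passwords,
  2. require at least 8 characters,
  3. impose no character-class (composition) requirements.
Added illustration, not the researchers' code.
"""
import re
import unicodedata

# Constructed sample standing in for the study's 40-entry list. A real
# deployment would load a far larger list from breach corpora.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "rockyou", "abc123",
    "111111", "password1", "iloveyou", "letmein",
})
MIN_LENGTH = 8

# Undo the usual "leet" substitutions so P@ssw0rd is recognised as password.
# Heuristic, and an assumption of this example rather than the study's method.
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Canonicalise before comparing: Unicode-fold, trim, casefold, so that
    'Password' or ' PASSWORD ' cannot slip past a lower-case blocklist."""
    return unicodedata.normalize("NFKC", password).strip().casefold()


def stem(password: str) -> str:
    """Strip leading/trailing digits and punctuation (the 'password1!' trick),
    then reverse leet substitutions. May return '' for all-digit input."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", normalize(password))
    return core.translate(LEET)


def is_blocklisted(password: str, blocklist=COMMON_PASSWORDS) -> bool:
    """Exact match on the normalised form, then a looser match on the stem."""
    if normalize(password) in blocklist:
        return True
    s = stem(password)
    return bool(s) and s in blocklist


def check_best_practice(password: str):
    """The study's best-practice policy. Returns (accepted, reasons)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_blocklisted(password):
        reasons.append("matches a common leaked password")
    return (not reasons, reasons)


def check_composition_policy(password: str):
    """A typical composition-rule policy (upper case + digit + special
    character, no blocklist). Shown for contrast, not as a recommendation."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        reasons.append("needs an uppercase letter")
    if not re.search(r"[0-9]", password):
        reasons.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("needs a special character")
    return (not reasons, reasons)


def compare(passwords):
    """Run both policies over a list of candidates; returns
    {password: (best_practice_accepted, composition_accepted)}."""
    return {p: (check_best_practice(p)[0], check_composition_policy(p)[0])
            for p in passwords}


if __name__ == "__main__":
    # Constructed candidates: a leet variant of a blocklisted word, a long
    # passphrase, a short common password and a strong but rule-compliant one.
    for pw, (bp, comp) in compare([
        "P@ssw0rd1", "correct horse battery staple", "rockyou", "Tr0ub4dor&3",
    ]).items():
        print(f"{pw!r:34} best-practice={bp!s:5} composition={comp}")
```

The contrast is the point of the study's usability criterion: the composition policy waves through P@ssw0rd1, which any attacker's wordlist mangling rules will try early, while rejecting a 28-character passphrase; the best-practice policy does the reverse, and still accepts Tr0ub4dor&3 because it is neither short nor a variant of anything on the list.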
Key findings from the research
The findings are not good news for many websites. The report states, “We found that only 15 websites were following best practices. The remaining 105 / 120 either failed to adhere or explicitly flouted those recommendations in their policies, leaving users at risk for password compromise or frustrated from being unable to use a sufficiently strong password.”
Among the websites that are doing a good job and met all the criteria are:
Google.com, yahoo.com, tumblr.com, theguardian.com, w3.org, twitch.tv and nine others. They passed all the tests and provided a strength meter for passwords. However, they were the exception.
Two of those criteria were blocking the 20 most leaked passwords and the 20 most easily guessable passwords. One company that met those criteria but still failed, because it required additional character classes and offered no strength meter, was GitHub.
What was surprising was the extensive list of websites that allowed all of the 20 leaked passwords and the 20 easiest-guessed passwords. Neither is particularly difficult to defend against. The sites that failed included:
Netflix.com, Amazon.com, zoom.us, amazonaws.com, nytimes.com, flickr.com, dropbox.com, cnn.com and forbes.com.
They were among more than 60 sites that failed both tests outright. The other failing sites blocked these passwords only to varying degrees.
Also interesting was the number of sites requiring special characters. Many of them were using composition rules as their way of hardening passwords, and would almost certainly have believed this was best practice. It will be interesting to see whether any change their approach as a result of this report.
Enterprise Times: Why does this matter?
One key reason why this matters is that the researchers also noted where the sites hold payment and PII data. If a user’s account is compromised, that data can be easily misused. That compromise also has other ramifications for business users. Will IT departments note those sites catering to business users and implement new rules?
There are also many other ways this matters, and hopefully, it will create much debate.
We are still some way off from true passwordless systems, so passwords are here to stay. Many of the solutions looking to change this are still in their first phase. Some use a limited degree of passwordless login, in some cases to support password vault technology. Others apply it only to certain sites.
How to design the perfect password system has always been a fertile area for discussion. Even though we are working quickly toward their elimination, there is still much to be done. Hopefully, this research will help improve the overall use of existing systems.