Study Reveals Top Websites Fail to Follow Password Best Practices

A peer-reviewed study conducted by researchers at Princeton University explored the password policies of the most popular English Language websites and found that only 13% of the websites followed all appropriate best practices.

The researchers reverse-engineered the password policies of 120 of the leading websites based on visitor numbers and sought to establish whether password best practices were being followed. They attempted to set 40 of the most commonly leaked passwords for accounts, such as abc123456 and [email protected]$$w0rd, determined if the websites imposed any character-class requirements (at least one upper- and lower-case letter, number, symbol), and if a password strength meter was provided to help users set strong passwords OR if they allowed passwords of less than 8 characters.  Only 15 of the 120 websites followed all of these best practices. 105 of the websites failed on one or more of those requirements, which put users at risk of password compromise.

59% of the websites did not perform any checks of passwords, which meant that all 40 of the commonly used passwords were permitted. 75% of the websites did not prevent users from setting more than half of the tested weak passwords. Only 19% of the websites used password strength meters, and 10 of the 23 websites that did have password strength meters nudged users toward specific types of characters and did not incorporate any notion of guessability.

The latest password advice from NIST is not to force users to set passwords containing specific character classes, as while this does in theory force users to create strong passwords, in practice this requirement weakens passwords as people tend to take shortcuts and use easily guessable passwords. 45% of the tested websites forced users to use certain character sets. All password policies for the 120 websites were found to perform poorly for security and usability.

Please see the HIPAA Journal Privacy Policy

A password is often all that stands between a malicious actor and highly sensitive data. It is therefore important for website owners to follow password best practices to help users secure their accounts. You can view the researchers’ recommended password practices here. The findings of the study will be presented at the Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022) next month.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.