By Kevin Lee, Sten Sjöberg, and Arvind Narayanan
Compromised passwords have consistently been, by far, the leading cause of data breaches, yet passwords remain the most common means of authentication on the web. In response, the information security research community has established best practices for helping users create stronger passwords. These include:

- Block weak passwords that have appeared in breaches or can be easily guessed.
- Use a strength meter to give users helpful real-time feedback.
- Don’t force users to include specific character classes in their passwords.
While these recommendations are backed by rigorous research, no one has thoroughly investigated whether websites are heeding the advice.
In a new study, we empirically evaluated compliance with these best practices. We reverse-engineered the password policies at 120 of the top English-language websites, including Google, Facebook, and Amazon. We found that only 15 of them follow the best practices. The remaining 105 either leave users at risk of password compromise, frustrate them by rejecting sufficiently strong passwords, or both. The following table summarizes our findings:
We compare our key findings with best practices from prior research.
We found that more than half of the websites allowed the most common passwords, like “123456”, to be used. Attackers can guess these passwords with minimal effort, which opens the door to account hijacking.
Amazon allowed us to change the password on our account to “11111111”, a common and easily-guessed password.
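To make the three best practices concrete, and to show why a policy like the one that accepted “11111111” fails them, here is an added example that puts three password policies side by side: a length-only policy of the kind the study found in the wild, a character-class composition policy, and one that follows the best practices (blocklist, pattern checks and a strength estimate, no composition rules). This is illustrative code written for this post, not the study’s tooling or any site’s actual policy; the blocklist is a small constructed sample standing in for a real breach corpus, the 8-character minimum and the 10^10-guess threshold are assumed values, and the strength estimate is a deliberately crude stand-in for a pattern-aware meter such as zxcvbn.

```python
import hashlib
import re

# Constructed sample of breached / trivially guessable passwords. A deployment would
# load millions of entries (e.g. a Pwned Passwords dump); this is only for illustration.
_SAMPLE_BREACHED = {
    "123456", "123456789", "12345678", "password", "qwerty", "11111111",
    "abc123", "iloveyou", "letmein", "welcome", "monkey", "dragon",
}
# Keep only hashes so the blocklist is not itself a plaintext wordlist on disk.
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _SAMPLE_BREACHED}

# Keyboard rows and ordered runs; any password that is a slice of one of these
# (or of its reverse) is something a cracker tries in its first seconds.
_SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "abcdefghijklmnopqrstuvwxyz", "0123456789"]
_LEET = str.maketrans("@$013", "asoie")   # undo the most common l33t substitutions

_MIN_LEN = 8            # NIST SP 800-63B minimum for user-chosen secrets
_MIN_GUESSES = 10**10   # assumed acceptance threshold for the strength estimate


def _variants(password: str) -> set[str]:
    """Forms an attacker's mangling rules would also try: lowercase, trailing
    digits/symbols stripped, and l33t substitutions reversed."""
    lower = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lower)
    return {password, lower, stripped, stripped.translate(_LEET)}


def is_breached(password: str) -> bool:
    """True if the password, or an obvious variant of it, is in the blocklist."""
    return any(hashlib.sha1(v.encode("utf-8")).hexdigest() in BREACHED_SHA1 for v in _variants(password))


def is_sequence(password: str) -> bool:
    """True for keyboard walks and alphabetic/numeric runs such as 'qwertyuiop'."""
    p = password.lower()
    return len(p) >= 4 and any(p in s or p in s[::-1] for s in _SEQUENCES)


def estimate_guesses(password: str) -> int:
    """Crude guess-count estimate (stand-in for a real meter). Single-character repeats
    and all-digit strings are scored as the tiny search spaces they really are; anything
    else falls back to the brute-force space of the character classes actually used."""
    if re.fullmatch(r"(.)\1*", password):
        return 100 * len(password)
    if password.isdigit():
        return 10 ** len(password)
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))
    charset = sum(n for pat, n in classes if re.search(pat, password))
    return charset ** len(password)


def length_only_policy(password: str) -> tuple[bool, str]:
    """Minimum length and nothing else: the kind of policy that accepts '11111111'."""
    if len(password) < _MIN_LEN:
        return False, f"shorter than {_MIN_LEN} characters"
    return True, "accepted"


def composition_policy(password: str) -> tuple[bool, str]:
    """Character-class rule the best practices say to drop: it rejects long lowercase
    passphrases yet waves through short, guessable 'P@ssw0rd!'-style strings."""
    if len(password) < _MIN_LEN:
        return False, f"shorter than {_MIN_LEN} characters"
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        return False, "needs at least three of: lowercase, uppercase, digit, symbol"
    return True, "accepted"


def best_practice_policy(password: str) -> tuple[bool, str]:
    """Blocklist + pattern checks + strength estimate; no composition rules."""
    if len(password) < _MIN_LEN:
        return False, f"shorter than {_MIN_LEN} characters"
    if is_breached(password):
        return False, "appears in a breach (or is a trivial variant of one that does)"
    if is_sequence(password):
        return False, "keyboard or alphabetical sequence"
    if estimate_guesses(password) < _MIN_GUESSES:
        return False, "too easy to guess"
    return True, "accepted"


if __name__ == "__main__":
    samples = ["11111111", "qwertyuiop", "P@ssw0rd!", "correct horse battery staple", "aaaaaaaaaaaa"]
    for pw in samples:
        print(f"{pw!r:32} length-only={length_only_policy(pw)[0]!s:5} "
              f"composition={composition_policy(pw)[0]!s:5} best-practice={best_practice_policy(pw)}")
```

Running the block shows the two failure modes the study describes: the length-only policy accepts “11111111” and “qwertyuiop”, while the composition policy rejects the 28-character passphrase “correct horse battery staple” but accepts “P@ssw0rd!”. The best-practice policy catches “P@ssw0rd!” only because it checks mangled variants (lowercased, trailing symbols stripped, l33t reversed) against the blocklist, which is why a blocklist lookup on the exact string alone is not enough.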
Few websites had adopted strength meters, and of those, we found websites misusing