News

Websites are terrible at implementing password best practices

Brendyn Lotz

27th November 2023

While users are often told to create strong, robust passwords, the website they may be using might not enforce that.
Analysis of 20 000 websites unearthed some alarming revelations about password policies including how 30 percent don’t support spaces or special characters.
Half of the websites analysed accept passwords six-characters or shorter in length.

As we know, humans are terrible at creating strong passwords but as it turns out, website operators may be partly to blame.

Researchers at Georgia Tech’s School of Cybersecurity and Privacy, assistant professor Frank Li and PhD student Suood Al Roomi have used an automated tool to assess the password creation policy of 20 000 websites and the results are alarming.

In their analysis, the researchers found that many websites permit the creation of short passwords, don’t block common passwords and use outdated requirements like complex characters.

“As a security community, we’ve identified and developed various solutions and best practices for improving internet and web security. It’s crucial that we investigate whether those solutions or guidelines are actually adopted in practice to understand whether security is improving in reality,” explains Li.

The researchers found that half of the websites analysed accept passwords with six characters or less and 75 percent do not require a password with a minimum of eight characters. Most alarming is that 30 percent of the websites analysed by the pair didn’t support the use of spaces or special characters in passwords.

In addition, Li and Al Roomi found that only 28 percent of websites enforced a password block list which prevents users from using common passwords that cybercriminals can compromise using brute force.

The researchers will present their findings at the ACM Conference on Computer and Communications Security happening in Denmark this week.

“It was exciting to see an identified challenge in the literature and to develop and apply a vision we turned into the measurement tool,” Al Roomi said of the research. “This research was my first in my Ph.D. program at Georgia Tech and SCP. It is one of the most challenging yet rewarding endeavors I’ve worked on.”

We often lament the fact that users don’t create strong passwords but if the websites they use aren’t forcing them to create stronger passwords and allowing users to use ‘123456’ to secure their banking profiles, that needs to change.

Bodies such as the National Insitute of Standards and Technology in the US publish guidelines about protecting digital identities but these are generally for federal agencies. When it comes to general websites however, it’s open season and we’d love to see a bit more responsibility from website owners when it comes to password creation policies.

About Author

Brendyn Lotz

Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.