Largest Study of its Kind Shows Outdated

A Georgia Tech cybersecurity study reveals that three out of four of the world’s most popular websites have inadequate password policies.

[{"selector":"#anim-c35245d6-dc68-4a28-b763-f3bfae17268b [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-28.90818632202946%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] Researchers used an automated tool to assess password creation policies on one million websites and found that 12% lacked password length requirements.

[{"selector":"#anim-227c62b3-5863-4de2-84fd-b596c9bc15b8 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-31.148119859526236%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] Many sites allow very short passwords, don't block common passwords, and use outdated requirements like complex characters.

[{"selector":"#anim-becb5a24-b232-4310-9ae8-85e24e137626 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-31.249999886225726%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] Only a few websites fully adhere to standard guidelines, while most follow outdated ones from 2004.

[{"selector":"#anim-d59131a5-32fd-4669-a195-ca47552909de [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(0, 7.760782355151471e-15%, 0)","translate3d(0, 0%, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] Over half of the studied websites accept passwords with six characters or less, with 75% not requiring the recommended eight-character minimum.

[{"selector":"#anim-017ed2c8-7230-4f3f-a638-5aa5cba5e100 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-31.513885792425167%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] Around 12% of websites have no length requirements, and 30% don't support spaces or special characters.

[{"selector":"#anim-e8b6436a-d5b1-43b2-aaf8-3147807a1a26 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(31.03599637307466%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] Only 28% of websites enforce a password block list, making them vulnerable to password spraying attacks.

[{"selector":"#anim-cc198096-2c8b-4671-9372-583bd56510cd [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-31.233667133513382%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] Researchers developed an algorithm that automatically determines a website's password policy, utilizing machine learning to analyze consistency in length requirements and restrictions.

[{"selector":"#anim-643cbe32-29b4-421c-b847-cb6f7f093f60 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(0%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] The project, 135 times larger than previous works, aims to assess the actual adoption of security solutions and guidelines in web practices.

[{"selector":"#anim-bf93970a-837b-4b24-880d-35b81fc5256c [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(31.249999886225726%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] The full report will be presented at the ACM Conference on Computer and Communications Security in Copenhagen, Denmark.