A Georgia Tech cybersecurity study reveals that three out of four of the world’s most popular websites have inadequate password policies.
Researchers used an automated tool to assess password creation policies on one million websites and found that 12% lacked password length requirements.
Many sites allow very short passwords, don't block common passwords, and use outdated requirements like complex characters.
Only a few websites fully adhere to standard guidelines, while most follow outdated ones from 2004.
Over half of the studied websites accept passwords with six characters or less, with 75% not requiring the recommended eight-character minimum.
Around 12% of websites have no length requirements, and 30% don't support spaces or special characters.
Only 28% of websites enforce a password block list, making them vulnerable to password spraying attacks.
Researchers developed an algorithm that automatically determines a website's password policy, utilizing machine learning to analyze consistency in length requirements and restrictions.
The project, 135 times larger than previous works, aims to assess the actual adoption of security solutions and guidelines in web practices.
The full report will be presented at the ACM Conference on Computer and Communications Security in Copenhagen, Denmark.