Outdated Password Practices Are Putting Millions of Users at Risk - Study

The study used an automated tool to assess the password creation policies of websites.

A comprehensive cybersecurity study conducted by researchers at Georgia Tech has revealed that three out of four of the world's most popular websites are jeopardizing the security of tens of millions of users by falling short of basic password requirement standards.

The study, led by Assistant Professor Frank Li and Ph.D. student Suood Al Roomi from Georgia Tech's School of Cybersecurity and Privacy, utilized an automated tool to assess the password creation policies of websites.

This tool, a first of its kind, examined the Google Chrome User Experience Report (CrUX), a vast database comprising 1 million websites and pages.


Key Findings

The researchers, whose project was 135 times larger than previous efforts relying on manual methods, discovered alarming deficiencies in password policies across a sample of 20,000 websites from the CrUX database. Key findings include:

1. Inadequate Password Length Requirements: A significant number of websites permitted very short passwords, with over half accepting passwords with six characters or fewer. Furthermore, 75% of the websites failed to implement the recommended minimum of eight characters.

2. Lack of Common Password Blocking: A mere 12% of the websites enforced a password block list, leaving over 17,000 sites vulnerable to password spraying attacks, where cybercriminals attempt to access user accounts using common passwords.

3. Outdated Requirements: Many websites were found to be using outdated password creation guidelines from 2004, lacking the security measures recommended by more recent standards.

4. Absence of Length Requirements: Alarmingly, 12% of the websites in the study did not have any password length requirements, potentially exposing users to increased security risks.

The automated tool, developed by Al Roomi and Li, utilized machine learning to assess the consistency of length requirements, restrictions on characters, acceptance of spaces and special characters, and the implementation of password block lists.

The tool also analyzed whether sites allowed dictionary words or known breached passwords.
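The following is an added illustration of the kind of assessment the article describes; it is not the Georgia Tech tool, which used machine learning against live sites. Here a site's password creation policy is modelled as a small `Policy` record, `audit_policy()` flags the deficiency categories the study counts (no or short minimum length, no block list, rejection of spaces or special characters, legacy composition rules), `summarize()` aggregates them over a sample the way the study reports percentages, and `check_password()` shows what each policy does to a candidate password. The `Policy` class, the three sample policies and the block list are constructed for this example.

```python
"""Password-policy audit modelled on the categories in the Georgia Tech study.

Added example, not the researchers' tool. Policies and the block list below
are constructed sample data; RECOMMENDED_MIN_LENGTH is the eight-character
minimum the article calls "recommended".
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample block list. A real deployment would use a large list of
# breached and common passwords (assumption about deployment, not the page).
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "111111", "letmein",
})

RECOMMENDED_MIN_LENGTH = 8


@dataclass
class Policy:
    """Password creation rules as observed on a hypothetical site."""
    min_length: Optional[int]        # None: the site enforces no length requirement
    allows_spaces: bool = True
    allows_special: bool = True
    has_blocklist: bool = False      # rejects common/breached passwords
    composition_rules: bool = False  # 2004-style "upper, lower, digit, symbol" rules


def audit_policy(p: Policy) -> list:
    """Return the deficiencies found in one policy, one string per finding."""
    findings = []
    if p.min_length is None:
        findings.append("no length requirement")
    elif p.min_length < RECOMMENDED_MIN_LENGTH:
        findings.append("minimum length %d below recommended %d"
                        % (p.min_length, RECOMMENDED_MIN_LENGTH))
    if not p.has_blocklist:
        findings.append("no block list: exposed to password spraying")
    if not p.allows_spaces:
        findings.append("spaces rejected: discourages passphrases")
    if not p.allows_special:
        findings.append("special characters rejected")
    if p.composition_rules:
        findings.append("legacy composition rules instead of length + block list")
    return findings


def summarize(policies) -> dict:
    """Fraction of policies in each deficiency category, as the study reports."""
    n = len(policies)
    below_min = sum(1 for p in policies
                    if p.min_length is None or p.min_length < RECOMMENDED_MIN_LENGTH)
    no_length = sum(1 for p in policies if p.min_length is None)
    no_blocklist = sum(1 for p in policies if not p.has_blocklist)
    return {
        "below_recommended_minimum": below_min / n,
        "no_length_requirement": no_length / n,
        "no_blocklist": no_blocklist / n,
    }


def check_password(candidate: str, p: Policy, blocklist=COMMON_PASSWORDS):
    """Apply a policy to a candidate password; returns (accepted, reason)."""
    if p.min_length is not None and len(candidate) < p.min_length:
        return False, "too short"
    if not p.allows_spaces and " " in candidate:
        return False, "spaces not allowed"
    if not p.allows_special and not candidate.isalnum():
        return False, "special characters not allowed"
    if p.composition_rules:
        # Legacy rule: require one upper, one lower, one digit and one symbol.
        classes = (any(c.isupper() for c in candidate),
                   any(c.islower() for c in candidate),
                   any(c.isdigit() for c in candidate),
                   any(not c.isalnum() for c in candidate))
        if not all(classes):
            return False, "composition rules not met"
    # Block-list lookup is case-insensitive so "Password" does not slip through.
    if p.has_blocklist and candidate.lower() in blocklist:
        return False, "common password"
    return True, "ok"


# Constructed sample of three site policies.
LEGACY = Policy(min_length=6, allows_spaces=False, composition_rules=True)
MODERN = Policy(min_length=8, has_blocklist=True)
NO_RULES = Policy(min_length=None)

if __name__ == "__main__":
    for name, pol in (("legacy", LEGACY), ("modern", MODERN), ("no_rules", NO_RULES)):
        print(name, audit_policy(pol) or "no findings")
    print(summarize([LEGACY, MODERN, NO_RULES]))
    print(check_password("P@ssw0rd", LEGACY))
    print(check_password("correcthorsebatterystaple", LEGACY))
```

Running it shows the inversion the article warns about: the legacy policy accepts `P@ssw0rd` (it satisfies the 2004-style composition rules and there is no block list) while rejecting a long passphrase, whereas the modern policy rejects `password` and `Password` outright and accepts a spaced passphrase of eight or more characters.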

Real-world Adoption of Security Solutions

Professor Li emphasized the importance of investigating the real-world adoption of security solutions and guidelines, stating, "It's crucial that we investigate whether those solutions or guidelines are actually adopted in practice to understand whether security is improving in reality."

The project was initiated during the peak of the pandemic and aimed to address a gap in the research literature regarding website password policies. The findings highlight the need for increased vigilance and adherence to contemporary security measures in the face of evolving cyber threats.

In related news, NordPass has recently unveiled the most common passwords in 2023 and to no one's surprise, favorites like "123456" and "password" continue to dominate.

Despite repeated warnings from cybersecurity experts urging users to adopt stronger password practices, outdated habits persist.


Byline
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.