TY - GEN
T1 - Password policies of most top websites fail to follow best practices
AU - Lee, Kevin
AU - Sjöberg, Sten
AU - Narayanan, Arvind
N1 - Publisher Copyright:
© 2022 by The USENIX Association. All Rights Reserved.
PY - 2022
Y1 - 2022
AB - We examined the policies of 120 of the most popular websites for when a user creates a new password for their account. Despite well-established advice that has emerged from the research community, we found that only 13% of websites followed all relevant best practices in their password policies. Specifically, 75% of websites do not stop users from choosing the most common passwords - like "abc123456" and "P@$$w0rd", while 45% burden users by requiring specific character classes in their passwords for minimal security benefit. We found low adoption of password strength meters - a widely touted intervention to encourage stronger passwords, appearing on only 19% of websites. Even among those sites, we found nearly half misusing them to steer users to include certain character classes, and not for their intended purpose of encouraging freely-constructed strong passwords.
UR - http://www.scopus.com/inward/record.url?scp=85135460650&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85135460650&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85135460650
T3 - Proceedings of the 18th Symposium on Usable Privacy and Security, SOUPS 2022
SP - 561
EP - 580
BT - Proceedings of the 18th Symposium on Usable Privacy and Security, SOUPS 2022
PB - USENIX Association
T2 - 18th Symposium on Usable Privacy and Security, SOUPS 2022
Y2 - 7 August 2022 through 9 August 2022
ER -