Password policies of most top websites fail to follow best practices

Kevin Lee, Sten Sjöberg, Arvind Narayanan

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

22 Scopus citations

Abstract

We examined the policies of 120 of the most popular websites for when a user creates a new password for their account. Despite well-established advice that has emerged from the research community, we found that only 13% of websites followed all relevant best practices in their password policies. Specifically, 75% of websites do not stop users from choosing the most common passwords, such as "abc123456" and "P@$$w0rd", while 45% burden users by requiring specific character classes in their passwords for minimal security benefit. We found low adoption of password strength meters, a widely touted intervention to encourage stronger passwords, which appeared on only 19% of websites. Even among those sites, we found nearly half misusing them to steer users to include certain character classes, rather than for their intended purpose of encouraging freely constructed strong passwords.
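
The contrast the abstract draws, as an added example (this is not code from the paper): a composition-rule check of the kind 45% of the surveyed sites impose, beside a blocklist-based check of the kind best practice recommends. The blocklist here is a small constructed sample standing in for a real list of breached passwords, and the leetspeak folding that maps "P@$$w0rd" back to "password" is an assumed normalization, not a method the paper describes.

```python
"""Added example: two password-acceptance policies side by side.

Not code from Lee, Sjöberg and Narayanan's paper. COMMON_PASSWORDS is a
constructed sample; a real deployment loads a large breached-password list.
"""
from __future__ import annotations

import string
import unicodedata

# Constructed sample of very common passwords (stand-in for a real list).
COMMON_PASSWORDS = {
    "123456", "password", "abc123456", "qwerty", "iloveyou",
    "letmein", "welcome", "admin", "monkey", "dragon",
}

# Assumed leetspeak substitutions, applied so that "P@$$w0rd" is compared
# against the blocklist as "password" as well as in its literal form.
LEET_MAP = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
    "5": "s", "7": "t", "8": "b",
})


def candidate_forms(password: str) -> set[str]:
    """Return the forms of a password that are looked up in the blocklist:
    the case- and accent-folded literal, and the same with leetspeak undone."""
    folded = (
        unicodedata.normalize("NFKD", password)
        .encode("ascii", "ignore")
        .decode()
        .lower()
    )
    return {folded, folded.translate(LEET_MAP)}


def composition_policy(password: str, min_len: int = 8) -> tuple[bool, str]:
    """Character-class rule: at least one upper, lower, digit and symbol.
    This is the policy the abstract reports on 45% of sites; it accepts
    "P@$$w0rd" and rejects a long all-lowercase passphrase."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        return False, "missing " + ", ".join(missing)
    return True, "ok"


def blocklist_policy(password: str, min_len: int = 8) -> tuple[bool, str]:
    """Length floor plus a blocklist of common passwords, with no
    composition requirement: the best-practice shape the abstract describes."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    if COMMON_PASSWORDS & candidate_forms(password):
        return False, "matches a commonly used password"
    return True, "ok"


def evaluate(password: str) -> dict[str, tuple[bool, str]]:
    """Run both policies on one candidate so the verdicts can be compared."""
    return {
        "composition": composition_policy(password),
        "blocklist": blocklist_policy(password),
    }


if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "abc123456", "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```

Run stand-alone, the block shows the two outcomes the abstract contrasts: the composition rule waves "P@$$w0rd" through because it ticks every character-class box, while the blocklist rejects it; conversely the composition rule rejects a long four-word passphrase that the blocklist accepts.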

Original language: English (US)
Title of host publication: Proceedings of the 18th Symposium on Usable Privacy and Security, SOUPS 2022
Publisher: USENIX Association
Pages: 561-580
Number of pages: 20
ISBN (Electronic): 9781939133304
State: Published - 2022
Event: 18th Symposium on Usable Privacy and Security, SOUPS 2022 - Boston, United States
Duration: Aug 7 2022 - Aug 9 2022

Publication series

Name: Proceedings of the 18th Symposium on Usable Privacy and Security, SOUPS 2022

Conference

Conference: 18th Symposium on Usable Privacy and Security, SOUPS 2022
Country/Territory: United States
City: Boston
Period: 8/7/22 - 8/9/22

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
