Password policies of most top websites fail to follow best practices

The information security research community has long established best practices for helping users create stronger passwords. We reverse engineered the password policies of popular websites and found that very few of them actually follow best practices.

Our peer-reviewed study was presented at the Symposium on Usable Privacy and Security (SOUPS) 2022.

Comparison of our key findings with best practices

The table below sets, for each intervention, the best practices established by prior research against what we found on the 120 websites we studied.

Blocklists
  Best practices from prior research:
  • Do check users' passwords against lists of leaked and easily guessed passwords [1, 2, 3, 4].
  • Do reject a password that appears on a blocklist and prompt the user to select a different one [1, 4].
  Our key findings:
  • More than half of websites (71 / 120) do not check passwords against any blocklist, accepting all 40 of the most common passwords we tested (e.g., "12345678", "rockyou").
  • A further 19 websites block fewer than half of the most common passwords we tested.

Strength meters and minimum-strength requirements
  Best practices from prior research:
  • Do provide real-time password strength estimates [5, 6, 7].
  • Do set minimum-strength requirements by estimating guessability, i.e., the number of guesses an adversary would need to crack the password [3, 8, 9, 10, 11].
  Our key findings:
  • Only 23 / 120 websites used password strength meters.
  • Of those 23, 10 websites misuse meters as nudges toward specific types of characters and do not incorporate any notion of guessability.

Composition policies
  Best practices from prior research:
  • Do not require specific character classes; let users freely construct passwords [2, 3, 7, 12].
  • NIST: Do set a minimum length of at least 8 characters.
  Our key findings:
  • 54 / 120 sites still require specific character classes such as digits or special characters.
  • We devised a new method to measure the security and usability of composition policies. Using this method, we found that all 120 policies performed poorly: none provided ≥ 60% security and usability simultaneously.