Password policies of most top websites fail to follow best practices

The information security research community has long established best practices for helping users create stronger passwords. We reverse engineered the password policies of popular websites and found that very few of them actually follow best practices.

Our peer-reviewed study was presented at the Symposium on Usable Privacy and Security (SOUPS) 2022
Read the paper (final version) »

Findings

  • We examined the password policies of 120 of the most popular English-language websites in the world.
  • We considered a website to be following best practices if it satisfied the following security and usability criteria:
    • Security:
      • Allowed 5 or fewer of the 40 most common leaked passwords and easiest-to-guess passwords (e.g., "12345678", "rockyou") we tried.
      • Required passwords be no shorter than 8 characters OR employed a password strength meter that accurately measured a password's resistance to being guessed by an adversary.
    • Usability: Did not impose any character-class requirements (e.g. "at least one digit and one special character").
  • We found that only 15 websites were following best practices. The remaining 105 / 120 either leave users at risk for password compromise or frustrated from being unable to use a sufficiently strong password (or both).

Comparison of our key findings with best practices

Interventions Best practices from prior research Our key findings
Blocklists
  • Do check users' passwords against lists of leaked and easily-guessed passwords [1, 2, 3, 4].
  • Do reject the password if it appears on a blocklist, prompt the user to select a different password [1, 4].
  • More than half (71 / 120) of websites do not check passwords at all, allowing all 40 of the most common passwords we tested (e.g., "12345678", "rockyou").
  • 19 more websites block less than half of the most common passwords we tested.
Strength meters and minimum-strength requirements
  • Do provide real-time password strength estimates [5, 6, 7].
  • Do set minimum-strength requirements by estimating guessability (the number of guesses it would take for an adversary to crack the password) [3, 8, 9, 10, 11].
  • Only 23 / 120 websites used password strength meters.
  • Of those 23, 10 websites misuse meters as nudges toward specific types of characters and do not incorporate any notion of guessability.
Composition policies
  • Do not require specific character classes; let users freely construct passwords [2, 3, 7, 12].
  • NIST: Do set a minimum-length of at least 8 characters.
  • 54 / 120 sites still require specific character classes such as digits or special characters.
  • We devised a new method to measure the security and usability of composition policies. Based on our method, we found that all 120 policies performed poorly: none provided ≥ 60% security and usability simultaneously.

Paper/Data

Read the paper » Slides »

For a breakdown of how each of the 120 websites fared on each of the criteria, see here.

We visited websites from October 2021 to December 2021. Researchers can download our data here, and view our call to research here.

Citation

@inproceedings{lee2022password,
	author = {Kevin Lee and Sten Sj{\"o}berg and Arvind Narayanan},
	title = {Password policies of most top websites fail to follow best practices},
	booktitle = {Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022)},
	year = {2022},
	isbn = {978-1-939133-30-4},
	address = {Boston, MA},
	pages = {561--580},
	url = {https://www.usenix.org/conference/soups2022/presentation/lee},
	publisher = {USENIX Association},
	month = aug,
}