The information security research community has long established best practices for helping users create stronger passwords. We reverse-engineered the password policies of popular websites and found that very few of them actually follow these best practices.
| Interventions | Best practices from prior research | Our key findings |
|---|---|---|
| Blocklists | | |
| Strength meters and minimum-strength requirements | | |
| Composition policies | | |
For a breakdown of how each of the 120 websites fared on each of the criteria, see here.
We visited websites from October 2021 to December 2021. Researchers can download our data here, and view our call to research here.
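As an added illustration of the three intervention types named in the table above (not code from the paper or its authors), the following Python policy checker implements the pattern prior guidance such as NIST SP 800-63B recommends: a minimum length plus a blocklist check with light normalization, and deliberately no character-class composition rule. A composition-only policy is included beside it for contrast. The blocklist, the minimum length of 8, and the substitution heuristic in `strip_common_mangling` are constructed assumptions for this example; a real deployment would use a large breach-derived list and a more thorough matcher.

```python
import unicodedata

# Constructed sample blocklist; real deployments use large breach-derived
# corpora rather than a handful of entries.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}

# Assumed minimum length for this example.
MIN_LENGTH = 8


def normalize(pw):
    """NFKC-normalize and case-fold so trivial variants ("Password", fullwidth
    letters) match blocklist entries."""
    return unicodedata.normalize("NFKC", pw).casefold()


def strip_common_mangling(pw):
    """Undo the most common user mangling (trailing digits or '!', leetspeak
    substitutions) so 'p@ssw0rd1' collapses to 'password'. This is a small
    illustrative heuristic, not an exhaustive matcher."""
    base = pw.rstrip("0123456789!")
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})
    return base.translate(table)


def check_password(pw, blocklist=BLOCKLIST):
    """Best-practice-style policy: minimum length + blocklist, no composition rule.
    Returns (accepted, reasons)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(pw)
    if norm in blocklist or strip_common_mangling(norm) in blocklist:
        reasons.append("matches a blocklisted (common or breached) password")
    return (not reasons, reasons)


def composition_only_policy(pw):
    """A character-class composition policy, shown for contrast: it accepts
    'P@ssw0rd1' because it mixes classes, and rejects a long passphrase
    because it lacks uppercase letters and digits."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "correct horse battery staple", "short"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: blocklist policy -> {ok} {why}; "
              f"composition-only -> {composition_only_policy(candidate)}")
```

Running the block shows the divergence the two policies produce on the same inputs: the composition rule passes a mangled dictionary word and fails a long passphrase, while the blocklist-plus-length policy does the opposite.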
```bibtex
@inproceedings{lee2022password,
  author    = {Kevin Lee and Sten Sj{\"o}berg and Arvind Narayanan},
  title     = {Password policies of most top websites fail to follow best practices},
  booktitle = {Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022)},
  year      = {2022},
  isbn      = {978-1-939133-30-4},
  address   = {Boston, MA},
  pages     = {561--580},
  url       = {https://www.usenix.org/conference/soups2022/presentation/lee},
  publisher = {USENIX Association},
  month     = aug,
}
```