A comprehensive cybersecurity study conducted by researchers at Georgia Tech has revealed that three out of four of the world's most popular websites are jeopardizing the security of tens of millions of users by falling short of basic password requirement standards.

The study, led by Assistant Professor Frank Li and Ph.D. student Suood Al Roomi from Georgia Tech's School of Cybersecurity and Privacy, utilized an automated tool to assess the password creation policies of websites. 

This tool, a first of its kind, examined the Google Chrome User Experience Report (CrUX), a vast database comprising 1 million websites and pages.


Key Findings

The researchers, whose project was 135 times larger than previous efforts relying on manual methods, discovered alarming deficiencies in password policies across a sample of 20,000 websites from the CrUX database. Key findings include:

1. Inadequate Password Length Requirements: A significant number of websites permitted very short passwords, with over half accepting passwords with six characters or fewer. Furthermore, 75% of the websites failed to implement the recommended minimum of eight characters.

2. Lack of Common Password Blocking: A mere 12% of the websites enforced a password block list, leaving over 17,000 sites vulnerable to password spraying attacks, where cybercriminals attempt to access user accounts using common passwords.

3. Outdated Requirements: Many websites were found to be using outdated password creation guidelines from 2004, lacking the security measures recommended by more recent standards.

4. Absence of Length Requirements: Alarmingly, 12% of the websites in the study did not have any password length requirements, potentially exposing users to increased security risks.

The automated tool, developed by Al Roomi and Li, utilized machine learning to assess the consistency of length requirements, restrictions on characters, acceptance of spaces and special characters, and the implementation of password block lists. 

The tool also analyzed whether sites allowed dictionary words or known breached passwords.
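To make the policy points above concrete, here is an added Python example (not code from the Georgia Tech tool or from the article) that enforces the modern guidance the study measures sites against: a minimum of eight characters, spaces and special characters accepted, no composition rules, and a block list of common or breached passwords. The length bounds and the tiny block list are constructed assumptions for illustration.

```python
import unicodedata
from typing import List

# Assumed bounds: eight is the minimum the article cites as recommended;
# the upper bound is set high so that long passphrases are not rejected.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed, deliberately small block list. A real deployment would load
# a large list of common and breached passwords rather than hard-code one.
BLOCK_LIST = {"123456", "password", "qwerty", "12345678", "letmein"}


def check_password(candidate: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable.

    Unlike 2004-era rules, this imposes no character-class requirements:
    spaces and special characters are allowed, and strength comes from
    length plus rejection of passwords attackers try first.
    """
    problems: List[str] = []
    # Normalise so visually identical Unicode forms compare equally.
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Case-insensitive comparison so "Password" is caught as well.
    if pw.lower() in BLOCK_LIST:
        problems.append("appears on the common-password block list")
    return problems


if __name__ == "__main__":
    for sample in ("123456", "password", "correct horse battery staple"):
        print(repr(sample), "->", check_password(sample) or "accepted")
```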


Real-world Adoption of Security Solutions

Professor Li emphasized the importance of investigating the real-world adoption of security solutions and guidelines, stating, "It's crucial that we investigate whether those solutions or guidelines are actually adopted in practice to understand whether security is improving in reality."

The project was initiated during the peak of the pandemic and aimed to address a gap in the research literature regarding website password policies. The findings highlight the need for increased vigilance and adherence to contemporary security measures in the face of evolving cyber threats.

In related news, NordPass has recently unveiled the most common passwords of 2023, and to no one's surprise, favorites like "123456" and "password" continue to dominate.

Despite repeated warnings from cybersecurity experts urging users to adopt stronger password practices, outdated habits still persist.




ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.