An analysis of 120 of the world’s top English-language websites found that many of them allow weak passwords, including easily guessable ones like “abc123456” and “P@$$w0rd”.
June 23, 2022
Three quarters of the world’s most popular English-language websites still allow users to choose the most common passwords, such as “abc123456” and “P@$$w0rd”.
More than half of the top 120 websites also allow all 40 of the most leaked and easy-to-guess passwords. The sites include popular shopping portals like Amazon and Walmart, social media app TikTok, video streaming site Netflix, and Intuit, maker of the tax reporting software TurboTax, used by millions of people in the United States.
Amazon tells New Scientist that it recommends users set up two-step verification and that the company “may require additional authentication requirements during sign-up” if it detects a security risk. Intuit chief architect Alex Balazs said he will study the results and highlighted Intuit’s use of multi-factor authentication and fraud detection. The other companies mentioned above did not respond to New Scientist’s request for comment.
“It’s tempting to conclude that companies just don’t care about user security, but I don’t think that’s right … Having accounts hacked isn’t in their interest at all,” said Arvind Narayanan of Princeton University.
To conduct the analysis of English-language websites rated popular by various internet services, Narayanan and his colleagues manually checked 40 passwords on each website. Using each website’s password requirements, they selected 20 passwords from a random sample of the 100,000 most common passwords found in data breaches, along with the first 20 passwords guessed by a password-cracking tool.
Only 15 websites blocked all 40 tested passwords. These included Google, Adobe, Twitch, GitHub and Grammarly.
In 2017, the US National Institute of Standards and Technology published a set of recommendations for websites to follow, such as requiring a minimum password length of eight characters.
Only 23 of the 120 most popular websites use password strength meters. By comparison, 54 websites still rely on password creation policies with poor security and usability ratings, such as requiring users to create complex passwords using a specific mix of uppercase and lowercase letters, numbers and symbols. Meanwhile, users can protect themselves by not reusing passwords across their online accounts.
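The contrast the study draws, between a composition rule (a required mix of character classes) and a check against known leaked passwords, can be shown directly. The following is an added illustration, not code from the article or from the Princeton study: it implements both policies and runs them over a small constructed test set that includes the two passwords quoted above. The blocklist here is a constructed stand-in of a few entries; a real deployment would load a full leaked-password list such as the 100,000 most common passwords the researchers sampled from.

```python
# Added illustration (not from the New Scientist article or the Princeton study):
# two password-creation policies compared on the kinds of passwords the study tested.
import re

# Constructed stand-in for a breached-password blocklist. A real deployment would load
# a large list of leaked passwords, stored lower-cased to match the normalisation below.
COMMON_PASSWORDS = {
    "123456", "password", "abc123456", "p@$$w0rd", "qwerty123", "iloveyou",
    "letmein1", "welcome1", "admin123", "football",
}


def composition_policy(pw: str) -> bool:
    """The 'complex password' rule the article describes as poorly rated:
    at least 8 characters plus one upper-case letter, one lower-case letter,
    one digit and one symbol. It accepts P@$$w0rd, because that string
    satisfies every character class even though it is a well-known leaked password."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def normalise(pw: str) -> str:
    """Fold case so trivial variants of a blocked password are blocked too.
    This normalisation is an assumption of this example, not a rule from the study."""
    return pw.lower()


def blocklist_policy(pw: str, blocklist=COMMON_PASSWORDS, min_length: int = 8) -> bool:
    """NIST-style rule: a minimum length and a check against known leaked passwords,
    with no composition requirement. Rejects abc123456 and P@$$w0rd because both
    appear in the blocklist, and accepts long passphrases that do not."""
    if len(pw) < min_length:
        return False
    return normalise(pw) not in blocklist


def evaluate(passwords, policy):
    """Return the candidate passwords a policy would accept, mirroring the study's
    measure of how many of its test passwords each website let through."""
    return [pw for pw in passwords if policy(pw)]


# Constructed test set: the two passwords quoted in the article plus three others.
TEST_PASSWORDS = [
    "abc123456",
    "P@$$w0rd",
    "Tr0ub4dor&3",
    "correct horse battery staple",
    "qwerty123",
]

if __name__ == "__main__":
    print("composition policy accepts:", evaluate(TEST_PASSWORDS, composition_policy))
    print("blocklist policy accepts:  ", evaluate(TEST_PASSWORDS, blocklist_policy))
```

Run as a script, the composition policy lets through P@$$w0rd while rejecting the 28-character passphrase for lacking an upper-case letter; the blocklist policy does the reverse, which is the usability-and-security gap the study's ratings reflect.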
“We definitely expected more websites to follow best practices,” says team member Kevin Lee, also at Princeton University. The team will present the findings at the Symposium on Usable Privacy and Security in August.
Researchers aren’t sure why so many popular websites still have subpar password policies. One possibility is that companies would rather spend money on other security measures, because the impact of improving password policies can be difficult to measure, says Sten Sjöberg, a security program manager at Microsoft who contributed to the research while studying at Princeton University.
The security field may also have “a bit of a ratchet problem,” says Michelle Mazurek of the University of Maryland, who was not involved in the research. “It’s not easy to undo a protection like requiring frequent password changes, even if it’s scientifically proven that it’s not beneficial, because nobody wants to be held responsible if something goes wrong later.”