Password policies of most top websites fail to follow best practices

Authors: Kevin Lee, Sten Sjöberg, and Arvind Narayanan, Department of Computer Science and Center for Information Technology Policy, Princeton University

Abstract: 

We examined the policies of 120 of the most popular websites for when a user creates a new password for their account. Despite well-established advice that has emerged from the research community, we found that only 13% of websites followed all relevant best practices in their password policies. Specifically, 75% of websites do not stop users from choosing the most common passwords (like "abc123456" and "P@$$w0rd"), while 45% burden users by requiring specific character classes in their passwords for minimal security benefit. We found low adoption of password strength meters, a widely touted intervention to encourage stronger passwords; they appear on only 19% of websites. Even among those sites, we found nearly half misusing them to steer users to include certain character classes, and not for their intended purpose of encouraging freely constructed strong passwords.
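To make the contrast in the abstract concrete, here is an added example (not code from the paper or its authors) of two minimal password-acceptance policies: a character-class composition rule of the kind the paper finds on 45% of sites, beside a blocklist-plus-minimum-length policy in line with the best practices the paper refers to. The blocklist is a constructed sample seeded with the two passwords named in the abstract, and the minimum length of 8 is an assumption taken from common guidance (NIST SP 800-63B), not a number from the paper.

```python
# Added example: two password-policy styles side by side.
# The blocklist below is constructed for this example; a real deployment
# would use a large corpus of breached or commonly chosen passwords.
from dataclasses import dataclass
import string

# Constructed sample of commonly chosen passwords. The first two are the
# ones named in the abstract; the rest are illustrative entries only.
COMMON_PASSWORDS = {
    "abc123456",
    "p@$$w0rd",
    "password",
    "123456",
    "qwerty",
}


@dataclass
class Verdict:
    accepted: bool
    reason: str


def composition_policy(pw: str) -> Verdict:
    """Character-class rule of the kind the paper criticises: at least
    8 characters containing an uppercase letter, a digit and a symbol.
    It accepts "P@$$w0rd" yet rejects a long all-lowercase passphrase."""
    if len(pw) < 8:
        return Verdict(False, "shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        return Verdict(False, "missing an uppercase letter")
    if not any(c.isdigit() for c in pw):
        return Verdict(False, "missing a digit")
    if not any(c in string.punctuation for c in pw):
        return Verdict(False, "missing a symbol")
    return Verdict(True, "meets composition rules")


def normalize(pw: str) -> str:
    """Fold case and trim whitespace so trivial variants of a blocked
    password ("Password", "PASSWORD ") still hit the blocklist."""
    return pw.strip().lower()


def blocklist_policy(pw: str, blocklist=COMMON_PASSWORDS,
                     min_length: int = 8) -> Verdict:
    """Policy following the best practices the abstract refers to:
    a minimum length, rejection of common passwords, and no
    character-class requirements. The default of 8 is an assumed
    value (NIST SP 800-63B guidance), not a figure from the paper."""
    if len(pw) < min_length:
        return Verdict(False, f"shorter than {min_length} characters")
    if normalize(pw) in blocklist:
        return Verdict(False, "appears on the common-password blocklist")
    return Verdict(True, "accepted")


if __name__ == "__main__":
    for candidate in ["P@$$w0rd", "abc123456", "correct horse battery staple"]:
        print(f"{candidate!r}: composition -> {composition_policy(candidate)}")
        print(f"{candidate!r}: blocklist   -> {blocklist_policy(candidate)}")
```

Running the block shows the mismatch the paper describes: "P@$$w0rd" satisfies every composition rule but is one of the most common passwords, while a long passphrase is rejected by the composition rule despite being far harder to guess. A strength meter, used as intended, would score the passphrase higher rather than nudging the user toward adding a symbol.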


BibTeX
@inproceedings {281214,
author = {Kevin Lee and Sten Sj{\"o}berg and Arvind Narayanan},
title = {Password policies of most top websites fail to follow best practices},
booktitle = {Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022)},
year = {2022},
isbn = {978-1-939133-30-4},
address = {Boston, MA},
pages = {561--580},
url = {https://www.usenix.org/conference/soups2022/presentation/lee},
publisher = {USENIX Association},
month = aug
}