We illuminate the state of modern password creation policies at scale for the first time
Our peer-reviewed study appears in the Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security.
Contrary to modern guidance, which calls for longer minimum length requirements, acceptance of short passwords is widespread: over half of the sites allow passwords of six characters or shorter. A minimum password length of five was the most prevalent requirement, found on nearly 40% of sites, and overall 75% of sites allowed passwords shorter than the recommended eight characters.
The most popular policy we found accepted passwords of any length without constraints (8.3% of sites), and overall 12% of websites accepted single-character passwords, many of them reflecting the default behavior of the web framework the site was built on.
Only a minority of websites employ password blocklists, with approximately 12% to 28% of sites (depending on ranking) implementing this security measure. Among sites allowing popular passwords, 39% accepted the top password '123456', and nearly half accepted one of the top four passwords ('123456', '123456789', 'qwerty', 'password').
Top-ranked sites support stronger password-creation policies compared to lower-ranked ones. The median minimum password length for top sites is eight characters, versus five characters for lower-ranked sites. Top sites also impose stricter composition rules, are less likely to allow popular passwords, and accept a wider array of special characters, including Unicode.
Many websites continue to follow outdated security guidelines. For instance, we found that 42% of sites adhered to the older NIST 2004 guidelines, while only 31% complied with the more recent NIST 2017 guidelines.
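The contrast between the findings above is easiest to see by running a few policies side by side. The following is an added example, not code from the study or its measurement tooling: it models the unconstrained and minimum-five policies the page reports as widespread alongside a policy following the NIST 2017 points the page cites (minimum eight characters, a blocklist check, Unicode accepted and counted per character). The blocklist is a constructed excerpt containing only the four popular passwords named above, and the sample passwords are constructed; the policy names and helper functions are this example's own.

```python
"""Side-by-side password-creation policy checker (added example).

Three policies: two patterns the page reports as widespread, and one
aligned with the NIST 2017 (SP 800-63B) points the page cites.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass

# Constructed blocklist excerpt: only the four most popular passwords the page
# names. A real deployment would use a full common/breached-password list.
COMMON_PASSWORDS = frozenset({"123456", "123456789", "qwerty", "password"})


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    max_length: int
    blocklist: frozenset = frozenset()
    allow_unicode: bool = True


# The first two model patterns the study found widespread (any length; minimum
# five with no blocklist). The third follows the NIST 2017 points cited above.
UNCONSTRAINED = Policy("unconstrained (any length)", 1, 64)
LAX = Policy("lax (min 5, no blocklist)", 5, 64)
NIST_2017 = Policy("NIST 2017 aligned", 8, 64, COMMON_PASSWORDS, True)


def evaluate(password: str, policy: Policy) -> list[str]:
    """Return the reasons a password fails the policy; an empty list means accepted."""
    reasons: list[str] = []
    # Normalize first so visually identical strings are judged identically;
    # NFKC is the form SP 800-63B names for this purpose.
    normalized = unicodedata.normalize("NFKC", password)
    # Count code points, not bytes, so one Unicode character counts as one character.
    length = len(normalized)
    if length < policy.min_length:
        reasons.append("TOO_SHORT")
    if length > policy.max_length:
        reasons.append("TOO_LONG")
    if not policy.allow_unicode and any(ord(ch) > 0x7F for ch in normalized):
        reasons.append("NON_ASCII")
    # Case-insensitive blocklist match: 'Password' is no better than 'password'.
    if normalized.lower() in policy.blocklist:
        reasons.append("BLOCKLISTED")
    return reasons


def accepted(password: str, policy: Policy) -> bool:
    return not evaluate(password, policy)


def survey(policies: list[Policy], samples: list[str]) -> dict[str, dict[str, bool]]:
    """Acceptance matrix: policy name -> password -> accepted?"""
    return {p.name: {s: accepted(s, p) for s in samples} for p in policies}


# Constructed sample passwords, including two of the top four the page names.
SAMPLES = ["a", "123456", "qwerty", "Password", "pässwörd-2023",
           "correct horse battery staple"]

if __name__ == "__main__":
    for policy in (UNCONSTRAINED, LAX, NIST_2017):
        print(f"{policy.name}:")
        for pw in SAMPLES:
            reasons = evaluate(pw, policy)
            verdict = "accepted" if not reasons else "rejected: " + ", ".join(reasons)
            print(f"  {pw!r:34} {verdict}")
```

Running it shows the page's headline numbers in miniature: the lax policy accepts '123456', 'qwerty' and 'Password' outright, the unconstrained policy additionally accepts 'a', while the NIST-aligned policy rejects all four and still accepts the Unicode passphrase because length is measured in characters after normalization rather than in bytes.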
Illustration of the stages of our password policy measurement method
We are researchers affiliated with the School of Cybersecurity and Privacy at the Georgia Institute of Technology. Feel free to reach out to us!
Suood AlRoomi (roomi@gatech.edu), Frank Li (frankli@gatech.edu)
Copyright © 2024 Password Authentication Measurement Research - All Rights Reserved.