Our study offers the most expansive survey of modern website login security
Our peer-reviewed study was published in the Proceedings of the 32nd USENIX Security Symposium (USENIX Security 2023).
We detected a sizable population of sites that still serve login pages over HTTP and transmit account credentials unencrypted. We found nearly 2K domains where the login page was served only over HTTP, including sensitive domains such as government and educational sites. Credential transmission is a separate problem: 2.2K domains still transmit passwords over HTTP, exposing them to any on-path observer even when the login page itself was loaded over HTTPS.
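The two conditions above (an HTTP login page, and a password form that posts to an HTTP URL) can be told apart from the page's HTML. The following is an added example, not the study's measurement code: it parses a page for forms containing a password field, resolves each form's action against the page URL, and reports whether the page and the credential submission travel over HTTP. The sample pages and the example.test hostnames are constructed for illustration.

```python
"""Classify whether a login page or its credential submission uses plain HTTP.

Added example (not the study's code). It distinguishes two cases the findings
above separate: the login page itself served over HTTP, and a form containing
a password field whose action is an http:// URL, which sends the password in
the clear even when the page was loaded over HTTPS.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormParser(HTMLParser):
    """Collect [action, has_password_field] for every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_login_page(page_url, html):
    """Return how the login page and the submitted credentials travel.

    page_over_http: the login page URL itself uses http.
    has_login_form: at least one form on the page has a password field.
    credentials_over_http: at least one password form submits to an http://
        URL after resolving a relative action against page_url.
    """
    parser = _LoginFormParser()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    submit_schemes = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        # An empty action submits back to the page URL itself.
        target = urljoin(page_url, action) if action else page_url
        submit_schemes.append(urlsplit(target).scheme.lower())
    return {
        "page_over_http": page_scheme == "http",
        "has_login_form": bool(submit_schemes),
        "credentials_over_http": "http" in submit_schemes,
    }


# Constructed sample pages (not real sites): an HTTPS page whose form posts
# to an http:// endpoint, and a page whose form uses a relative action.
PAGE_WITH_HTTP_ACTION = """
<html><body>
<form method="post" action="http://login.example.test/session">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
</body></html>
"""

PAGE_WITH_RELATIVE_ACTION = """
<html><body>
<form method="post" action="/session">
  <input name="user"><input type="PASSWORD" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(classify_login_page("https://www.example.test/login", PAGE_WITH_HTTP_ACTION))
    print(classify_login_page("http://www.example.test/login", PAGE_WITH_RELATIVE_ACTION))
```

This only covers static forms; a page that submits credentials with script (XMLHttpRequest or fetch) needs the request target checked at runtime instead, and a redirect from an HTTP page to HTTPS does not help if the first request already carried the form.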
We evaluated the login failure messages presented by 31K login pages and found that 5.9K domains (19%) were vulnerable to user enumeration: their failure messages revealed whether the username or the password was incorrect, which lets an attacker confirm which accounts exist before spending guesses on them. We identified popular web platforms, such as WordPress, as primarily responsible for these insecure practices.
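The leak is in the server's branching, so the fix is to collapse both failure paths to one response. The following is an added example, not the study's code: a login check that leaks account existence through its messages, the same check with a single generic failure message (and equal hashing work on both paths, so timing does not become the oracle instead), and the probe a tester would run, which is the comparison the study's measurement relies on. The user table, salts and password are constructed sample data.

```python
"""Login failure messages that leak account existence, and a generic-message fix.

Added example, not code from the study. `login_leaky` returns a different
message for an unknown username than for a wrong password; `login_generic`
returns the same message either way and hashes a dummy password when the
account does not exist so both failure paths cost about the same.
"""
import hashlib
import hmac
import os

# Iteration count kept low for a quick demo; use a stronger setting in practice.
_ITERATIONS = 50_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed sample user table: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential used to keep the unknown-user path doing real work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password."


def login_leaky(username, password):
    """Vulnerable: the message reveals whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return (False, "Unknown username.")
    salt, digest = record
    if not hmac.compare_digest(_hash(password, salt), digest):
        return (False, "Incorrect password.")
    return (True, "Welcome.")


def login_generic(username, password):
    """Hardened: one failure message, and a hash computed on both paths."""
    record = USERS.get(username)
    exists = record is not None
    salt, digest = record if exists else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_hash(password, salt), digest)
    # `exists and matched` so that guessing the dummy password never logs in.
    if not (exists and matched):
        return (False, GENERIC_FAILURE)
    return (True, "Welcome.")


def enumeration_oracle(login, known_user, unknown_user, wrong_password="not-the-password"):
    """True if failure responses distinguish a real account from a nonexistent
    one, i.e. the login function allows user enumeration."""
    _, msg_known = login(known_user, wrong_password)
    _, msg_unknown = login(unknown_user, wrong_password)
    return msg_known != msg_unknown


if __name__ == "__main__":
    print("leaky enumerable:", enumeration_oracle(login_leaky, "alice", "nobody"))
    print("generic enumerable:", enumeration_oracle(login_generic, "alice", "nobody"))
```

On a real site the same comparison should cover more than the message text: HTTP status code, redirect target, response length and response time can all differ between the two failure paths, and registration and password-reset forms are common secondary oracles even when login is fixed.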
We identified 570 websites that email passwords in plaintext during registration, password verification, or reset, indicating plaintext password storage. While some of these domains may hash stored passwords and only email the plaintext at account creation, the practice remains insecure because email is not reliably encrypted in transit across the Internet and the message sits in the clear in the recipient's mailbox.
We found 273 domains exhibiting typo-tolerance during login, accepting an average of 3 typo classes per domain. This finding has significant security implications: recent research has shown that typo-tolerant schemes, while enhancing usability, also enlarge the set of guesses a login will accept and so increase vulnerability to credential stuffing attacks.
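To make the credential-stuffing effect concrete, the following added example (not the study's code) implements a typo-tolerant check and runs a constructed list of leaked near-variants against it, comparing how many succeed under exact matching versus typo-tolerant matching. The four corrector functions (caps-lock case switch, first-character case switch, dropped trailing character, dropped leading character) are typo classes chosen here for illustration, not the set measured by the study; SHA-256 stands in for a real password hash.

```python
"""Typo-tolerant password checking and the extra guesses it lets through.

Added example, not code from the study. A typo-tolerant check applies each
corrector to the submitted string and accepts if any variant verifies against
the stored hash. `stuffing_hits` shows the consequence for credential
stuffing: guesses that are only a typo away from the real password succeed.
"""
import hashlib


def _digest(s):
    # Stand-in for a real password hash; use a slow KDF in production.
    return hashlib.sha256(s.encode()).hexdigest()


# Illustrative typo classes (assumed for this example): undo caps-lock, undo a
# wrong first-character case, drop an extra trailing char, drop an extra
# leading char.
CORRECTORS = {
    "swc-all": lambda p: p.swapcase(),
    "swc-first": lambda p: p[:1].swapcase() + p[1:],
    "rm-last": lambda p: p[:-1],
    "rm-first": lambda p: p[1:],
}


def check_exact(submitted, stored_digest):
    return _digest(submitted) == stored_digest


def check_typo_tolerant(submitted, stored_digest, correctors=CORRECTORS):
    """Accept the exact password or any corrector's output.

    Returns "exact", the name of the corrector that matched, or None.
    """
    if check_exact(submitted, stored_digest):
        return "exact"
    for name, fix in correctors.items():
        candidate = fix(submitted)
        if candidate and candidate != submitted and check_exact(candidate, stored_digest):
            return name
    return None


def stuffing_hits(stored_digest, guesses, correctors=CORRECTORS):
    """Which of an attacker's guesses log in under exact vs typo-tolerant checking."""
    exact = [g for g in guesses if check_exact(g, stored_digest)]
    tolerant = [g for g in guesses if check_typo_tolerant(g, stored_digest, correctors)]
    return {"exact": exact, "tolerant": tolerant}


# Constructed sample: the account's real password and a leak-derived guess
# list of near-variants, as a stuffing attacker might hold after a breach.
REAL_PASSWORD = "Password1"
STORED = _digest(REAL_PASSWORD)
LEAK_GUESSES = [
    "password1",   # first char lower-cased
    "PASSWORD1",   # fully upper-cased (no corrector undoes this)
    "pASSWORD1",   # caps-lock was on
    "Password12",  # extra trailing char
    "1Password1",  # extra leading char
    "Password",    # digit missing
    "letmein",     # unrelated
]

if __name__ == "__main__":
    hits = stuffing_hits(STORED, LEAK_GUESSES)
    print("exact:", hits["exact"])
    print("typo-tolerant:", hits["tolerant"])
```

Every corrector added to a deployment multiplies the number of strings that unlock an account, so a typo-tolerance policy is also a statement about how many extra online guesses, and how many extra leaked variants, a site is willing to accept.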
We evaluated the rate-limiting policy of 18K sites and found that only a small fraction (~25-30%) enforce login rate limiting to slow online brute-force password guessing. The majority of sites have not yet adopted this practice.
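As an added example of the control the study measured (this is illustrative code, not the study's evaluation harness or any site's implementation), the following sliding-window limiter is keyed on the target account as well as the source IP and is run over a constructed log of login attempts. Keying on the account matters because a guessing attack spread across many IPs never trips a per-IP limit; the `per_account=False` run shows that failure mode. Thresholds and window are assumed values.

```python
"""Login rate limiting against online password guessing.

Added example, not the study's code. Two sliding-window limiters track recent
failed logins, one per target account and one per source IP; an attempt is
throttled before the password is even checked once either limit is reached.
"""
from collections import defaultdict, deque


class LoginRateLimiter:
    def __init__(self, max_failures, window_seconds):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, key, now):
        return len(self._recent(key, now)) < self.max_failures

    def record_failure(self, key, now):
        self._recent(key, now).append(now)

    def record_success(self, key):
        self._failures.pop(key, None)


def process_attempts(attempts, max_failures=5, window_seconds=300, per_account=True):
    """Run attempts through the limiters.

    attempts: iterable of (timestamp, source_ip, username, password_correct).
    Returns a list of (timestamp, username, outcome) with outcome one of
    "success", "failure", "throttled". The per-IP budget is deliberately
    looser (4x) so shared NATs are not locked out by one bad neighbour.
    """
    by_account = LoginRateLimiter(max_failures, window_seconds)
    by_ip = LoginRateLimiter(max_failures * 4, window_seconds)
    results = []
    for ts, ip, user, correct in attempts:
        account_ok = by_account.allow(user, ts) if per_account else True
        if not (account_ok and by_ip.allow(ip, ts)):
            results.append((ts, user, "throttled"))
            continue
        if correct:
            by_account.record_success(user)
            results.append((ts, user, "success"))
        else:
            by_account.record_failure(user, ts)
            by_ip.record_failure(ip, ts)
            results.append((ts, user, "failure"))
    return results


# Constructed sample log: a distributed guessing run against "alice" from a
# different IP each time, with the correct password found on the 7th try, an
# unrelated attempt on "bob", and alice's real login after the window expires.
SAMPLE_ATTEMPTS = [
    (0, "10.0.0.1", "alice", False),
    (1, "10.0.0.2", "alice", False),
    (2, "10.0.0.3", "alice", False),
    (3, "10.0.0.4", "alice", False),
    (4, "10.0.0.5", "alice", False),
    (5, "10.0.0.6", "alice", False),
    (6, "10.0.0.7", "alice", True),
    (7, "10.0.0.1", "bob", False),
    (310, "10.0.0.9", "alice", True),
]


def outcomes(attempts=SAMPLE_ATTEMPTS, **kwargs):
    return [o for _, _, o in process_attempts(attempts, **kwargs)]


if __name__ == "__main__":
    print("per-account + per-IP:", outcomes())
    print("per-IP only:        ", outcomes(per_account=False))
```

With the account key, the attacker's correct guess at t=6 is throttled and the legitimate login at t=310 succeeds once the window has passed; with only the IP key, the distributed attack logs in at t=6. The lockout should be paired with a generic "too many attempts" response that does not itself reveal whether the account exists.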
Overview of our automated method for evaluating a domain’s login policy
We are researchers affiliated with the School of Cybersecurity and Privacy at the Georgia Institute of Technology. Feel free to reach out to us!
Suood AlRoomi (roomi@gatech.edu) and Frank Li (frankli@gatech.edu)
Copyright © 2024 Password Authentication Measurement Research - All Rights Reserved.