Many popular websites still cling to password creation policies from 1985
A significant number of popular websites still allow users to choose weak or even single-character passwords, researchers at Georgia Institute of Technology have found.
Websites’ lax creation policies for passwords
The researchers used an automated account creation method to assess over 20,000 websites across the Tranco top 1M and evaluate the password creation policies users have to adhere to.
They found that 75% of websites allow passwords to be shorter than the recommended 8 characters (with 12% allowing single-character passwords).
They also found that:
- 40% of sites limit password lengths below the recommended 64 characters
- 72% of sites allow the use of dictionary words as passwords and 88% allow users to choose known breached passwords
- A third of websites don’t support special characters in chosen passwords
- 39% accept the most popular password (“123456”), while almost half accept one of the top four passwords (i.e., “123456”, “123456789”, “qwerty”, and “password”)
They also found that most websites (42.1%) still adhere to NIST’s 2004 password policy guidelines, even though these were updated in 2017. A notable portion of websites (16.7%) are still sticking to NIST’s recommendations from 1985!
“We also observe that stronger security levels are significantly less adopted. For example, only 5.5% of sites have policies satisfying NIST 2004 Level 2, compared to 42.1% for Level 1. We also see low adoption of stricter password guidelines, such as those of US CERT, NCSC, and OWASP,” researchers Suood Alroomi and Frank Li pointed out.
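As an added illustration (not code from the article or the researchers), the check below implements the modern, post-2017 NIST SP 800-63B style of policy the study contrasts with the 1985/2004-era rules it found, and then runs a set of probe passwords mirroring the categories the study measured (single character, too short, the top passwords, a dictionary word, special characters, a 64-character value) against it. The blocklist and dictionary are constructed stand-ins; a real deployment would load a large breached-password corpus.

```python
import unicodedata

# Constructed stand-in for a breached/common-password blocklist; a real
# deployment would load a large corpus (e.g. a Pwned Passwords export).
BLOCKLIST = {"123456", "123456789", "qwerty", "password", "letmein"}
# Constructed stand-in for a dictionary wordlist.
DICTIONARY = {"sunshine", "dragon", "welcome"}

MIN_LEN = 8     # NIST SP 800-63B: at least 8 characters
MAX_LEN = 256   # at least 64 must be accepted; cap only to bound hashing cost


def check_password(candidate: str) -> list[str]:
    """Return the policy violations for a candidate (empty list = accepted)."""
    # Normalise (NFKC) before measuring, so the same visible password typed
    # with composed vs. decomposed accents is treated identically.
    pw = unicodedata.normalize("NFKC", candidate)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Deliberately no composition rules: spaces, symbols and non-ASCII are
    # all allowed, so the only content checks are against known-weak values.
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        problems.append("is a known breached/common password")
    if lowered in DICTIONARY:
        problems.append("is a single dictionary word")
    return problems


# Probe passwords mirroring the categories the study measured (constructed).
PROBES = {
    "single_char": "a",
    "seven_chars": "abcdefg",
    "top_password_123456": "123456",
    "top_password_qwerty": "qwerty",
    "dictionary_word": "sunshine",
    "special_chars": "p@ss w0rd!#",
    "sixty_four_chars": "x" * 64,
}


def audit_policy(check) -> dict[str, bool]:
    """Run the probes through a policy function and report which are accepted.
    `check` takes a password and returns a list of violations."""
    return {name: not check(pw) for name, pw in PROBES.items()}
```

Pointing `audit_policy` at your own site's validator gives a quick self-assessment against the same categories the article reports percentages for.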
Why are weak password creation policies still so predominant? For several reasons, the researchers posit.
“Our case studies (…) identified that insecure password policy decisions were closely aligned with the default configurations of popular web software (such as WooCommerce and Shopify),” they say.
“If popular web software implemented recommended password policy configurations by default, many websites could be moved to stronger password policies.”
Many website creators also may not be aware of the more modern password creation policy options, and that can be remedied with education and outreach efforts.
The widely diverse password creation policies are likely a usability burden. “Standardizing password policies would significantly reduce this user friction, providing a unified policy across the web,” they concluded.
Website login policies
Alroomi and Li recently also evaluated website login policies on 18K to 359K websites (depending on the login stage considered) across the Google CrUX Top 1 Million domains.
They found that:
- Nearly 2,000 domains serve login pages only over HTTP, meaning that they transmit and store passwords in plain text, and 21.2K domains offered the login page over HTTP in addition to HTTPS. Among these are many government and educational domains of entities in Asia and South America
- 3,200 websites have copy-pasting disabled for either the email/username or the password field (modern guidelines actually push for copy-pasting to be allowed)
- Hundreds of websites deploy typo-tolerant password authentication, which can be abused during attacks that rely on password guessing, credential stuffing and tweaking attacks
- Nearly 6,000 websites return login error messages that make user enumeration attacks easy
- A small number of websites employ login rate limiting that could prevent online brute-force password guessing attacks
- 570 websites send plaintext passwords in emails either upon registration, after email verification, or after a password reset request.
Emails containing plaintext passwords. (Source: Suood Alroomi, Frank Li)
“Of the 570 domains found sending plaintext passwords in emails, we note that a large portion (147, or 26%) were domains with a ccTLD for a country in the European Union (35 domains in Bulgaria, 18 in Italy, 14 in Poland, and 12 in both France and Germany). The storage of plaintext passwords by these sites may potentially violate the EU’s GDPR Article 32, which requires that European websites securely encrypt user data,” the researchers said.
GDPR could therefore be used to penalize such insecure practices and incentivize remediation of insecure website behaviors, they added.
Outreach campaigns may be effective at reducing the number of sites that still support login pages over HTTP. And, again, changes in popular web frameworks may fix several login security issues.
“For example, about a fifth of domains vulnerable to user enumeration appear to simply use WordPress’s default login failure messages. Similarly, the most common typo-tolerance policy likely arose due to how popular server-side software modified passwords,” the researchers noted.
“While these web frameworks may be the cause of prevalent authentication issues, they can also be the source of solutions. Software updates that address authentication concerns could drastically reduce vulnerable populations. Meanwhile, if popular web frameworks supported recommended practices by default, such as rate limiting, we would likely observe significantly higher adoption levels.”
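As an added example (not code from the article, the researchers, or any framework named above), this minimal login handler shows the two defaults the study found lacking: a single generic failure message for both unknown accounts and wrong passwords, so responses cannot be used to enumerate users, and per-account rate limiting over a sliding window. The user store, salt, and clock are constructed so it runs offline; a real deployment would also key the limiter on client address and use a production hash configuration.

```python
import hashlib
import hmac
from collections import defaultdict, deque


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, pbkdf2 hash). Not real accounts.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}
# Hash still compared for unknown users, so a missing account costs the
# same time as a wrong password and timing does not reveal existence.
DUMMY = (_SALT, _hash("dummy-never-matches", _SALT))

MAX_ATTEMPTS, WINDOW_SECONDS = 5, 300
_attempts: dict[str, deque] = defaultdict(deque)  # username -> failure times

GENERIC_FAIL = "Invalid username or password."   # identical for both causes
RATE_LIMITED = "Too many attempts; try again later."


def login(username: str, password: str, now: float) -> tuple[bool, str]:
    """Return (success, message). `now` is injected so the window is testable."""
    window = _attempts[username]
    # Drop failures that have aged out of the sliding window.
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()
    if len(window) >= MAX_ATTEMPTS:
        return False, RATE_LIMITED
    salt, stored = USERS.get(username, DUMMY)
    # Constant-time comparison; the existence check comes after hashing.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if not ok:
        window.append(now)
        return False, GENERIC_FAIL   # no hint whether the account exists
    window.clear()
    return True, "ok"
```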