If you ever need to create an account online you will need to set a password to prevent unauthorized access. While passwords can prevent the account from being accessed by unauthorized individuals if weak passwords are set they would not provide much protection. In some cases, a weak password could be guessed by a human in a few seconds. The tools used by hackers to brute force passwords could guess passwords in a fraction of a second.
Businesses are often recommended to enforce password policies and prevent users from using commonly used weak passwords and dictionary words to make their accounts more resilient to brute force attacks, but what about website operators? Do they implement measures that make their accounts resistant to brute force attacks? According to one recent study, most of them do not.
The study was conducted by Arvind Narayanan and colleagues at Princeton University, and the sites tested included the likes of Netflix, Walmart, TikTok, and even the tax-return software provider Intuit, which provides the TurboTax solution to millions of Americans. The study looked at the 120 top-ranked English language websites and assessed their password policies, and manual checks were performed using 40 passwords on each site. They selected 20 passwords from a randomized sample of the 100,000 most frequently used passwords that had been obtained from data breaches. They also used the first 20 passwords that were attempted by a password cracking tool. Those passwords include P@$$w0rd and abc123456 for example.
The researchers found that 75% of the top 120 websites allowed the use of some of the most commonly used weak passwords, and almost half of the sites allowed the use of all of the top 40 most commonly used passwords. Only 15 websites out of the 120 prevented users from using any of the 40 tested passwords. Those sites included Google, Adobe, Twitch, GitHub, and Grammarly.
Only 23 of the tested websites included password strength meters to indicate how resistant the password is to brute force attacks. The researchers also found that 54 sites were basing their password composition policies on out-of-date password recommendations, such as forcing users to have at least one upper- and lower-case letter, a number, and a symbol, when that practice is no longer recommended since that makes passwords very hard to remember, forcing users to take shortcuts – P@$$w0rd for example. A long passphrase or three or more random words is now recommended.
Many companies provide other security features to make brute force attacks on accounts harder, such as rate limiting and account lockouts if the incorrect password is used too many times. This approach does improve security, but many brute force attacks involve a low and slow approach, trying just a couple of passwords on each account and then returning to try more later, so as not to trigger this security mechanism. Multi-factor authentication is often offered, which requires a second form of authentication in addition to a password. MFA does improve security, but it is not infallible and further, MFA is not normally mandatory on websites.
The high number of websites that had poor password policies came as a surprise to the researchers, who thought a much higher percentage would be following current password best practices. They will be presenting the findings of their research at the Symposium on Usable Privacy and Security this August.