Measuring Website Password Creation Policies At Scale

We illuminate the state of modern password creation policies at scale for the first time


Our peer-reviewed study was presented at the 2023 ACM SIGSAC Conference on Computer and Communications Security and published in its proceedings.
Main Findings

Widespread Acceptance of Short Passwords

Contrary to modern standards advocating for longer minimum length requirements, acceptance of short passwords is widespread, with over half of the sites allowing passwords of six characters or shorter. The minimum password length of five was the most prevalent, on nearly 40% of sites, and overall, 75% of sites allowed passwords shorter than the recommended eight characters.

Alarming Acceptance of Single-Character Passwords

The most common policy we found accepted passwords of any length without constraints (8.3% of sites), and overall, 12% of websites accepted single-character passwords; many of these policies were influenced by the default behavior of the web framework the site had adopted.

Majority of Sites Allow Common Passwords

Only a minority of websites employ password blocklists, with approximately 12% to 28% of sites (depending on ranking) implementing this security measure. Among sites allowing popular passwords, 39% accepted the top password '123456', and nearly half accepted one of the top four passwords ('123456', '123456789', 'qwerty', 'password').

Top-Ranked Domains Enforce Stronger Passwords

Top-ranked sites support stronger password-creation policies compared to lower-ranked ones. The median minimum password length for top sites is eight characters, versus five characters for lower-ranked sites. Top sites also impose stricter composition rules, are less likely to allow popular passwords, and accept a wider array of special characters, including Unicode.

Slow Adoption of Modern Password Creation Policies

Many websites continue to follow outdated security guidelines. For instance, we found that 42% of sites adhered to the older NIST 2004 guidelines, while only 31% complied with the more recent NIST 2017 guidelines.

Methodology
  • We investigate how websites handle password creation by developing and applying a web measurement method that automatically infers a site's password creation policy in a black-box fashion, observing only whether a password is accepted or rejected.
  • Our method tests specifically chosen passwords in a carefully constructed order during a site's account signup; which passwords are accepted or rejected lets us infer the site's password creation policy.
  • We apply our technique to successfully infer the password creation policies of over 20K websites across the top 1M, evaluating a population over two orders of magnitude (∼135x) larger than any prior study.
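The black-box inference described above, as an added Python illustration that is not the paper's own tooling: SitePolicy is a constructed stand-in for a signup form that only answers accept/reject, and the probe order (composition rules at a length that cannot itself cause rejection, then minimum length by binary search, then only those popular passwords the inferred rules already permit) shows why the order of probes matters for an unambiguous inference.

```python
from dataclasses import dataclass
from typing import Callable

CLASSES = [("lower", "a"), ("upper", "A"), ("digit", "1"), ("symbol", "!")]  # one char per class
TOP_PASSWORDS = ["123456", "123456789", "qwerty", "password"]  # the four named on this page

def classes_in(pw: str) -> set:
    """Return the set of composition classes present in pw."""
    return {"lower" if c.islower() else "upper" if c.isupper()
            else "digit" if c.isdigit() else "symbol" for c in pw}

@dataclass(frozen=True)
class SitePolicy:
    """Constructed stand-in for a signup form: it only answers accept/reject."""
    min_len: int = 5
    required: frozenset = frozenset()   # composition classes a password must contain
    blocklist: frozenset = frozenset()  # popular passwords the site refuses

    def accepts(self, pw: str) -> bool:
        return (len(pw) >= self.min_len and self.required <= classes_in(pw)
                and pw not in self.blocklist)

def infer_policy(accepts: Callable[[str], bool], probe_len: int = 16) -> dict:
    """Infer min length, composition rules and blocklist use from accept/reject answers."""
    # 1. Composition: at a length that cannot itself cause rejection, omit one
    #    class at a time; a rejection means that class is required.
    required = set()
    for name, _ in CLASSES:
        others = "".join(ch for n, ch in CLASSES if n != name)
        if not accepts((others * probe_len)[:probe_len]):
            required.add(name)
    # 2. Minimum length: binary search (acceptance is monotonic in length) with
    #    a filler that satisfies the composition rule at every probed length.
    head = "".join(ch for n, ch in CLASSES if n in required) or "a"
    filler = lambda n: (head + head[0] * n)[:n]
    assert accepts(filler(probe_len)), "baseline probe rejected: rule not modelled here"
    lo, hi = max(1, len(head)), probe_len
    while lo < hi:
        mid = (lo + hi) // 2
        if accepts(filler(mid)): hi = mid
        else: lo = mid + 1
    # 3. Popular passwords: probe only those the inferred length and composition
    #    rules already permit, so a rejection can only come from a blocklist.
    testable = [p for p in TOP_PASSWORDS if len(p) >= lo and required <= classes_in(p)]
    return {"min_len": lo, "required": sorted(required), "popular_tested": testable,
            "popular_accepted": [p for p in testable if accepts(p)]}
```

Because step 3 only probes passwords the other rules permit, a site whose minimum length is eight is never wrongly credited with a blocklist for rejecting '123456'.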