A Large-Scale Measurement of Website Login Policies
Our peer-reviewed study appears in the Proceedings of the 32nd USENIX Security Symposium (USENIX Security 2023).

Unencrypted Logins Persist Despite Wide TLS Adoption
We detected a sizable population of sites that still serve login pages and transmit account credentials without encryption. We found nearly 2K domains where the login page was served only over HTTP, including sensitive domains such as government and educational sites. Further, credential transmission remains an issue, with 2.2K domains still transmitting passwords over HTTP.
Prevalence of User Enumeration Vulnerability Contributed by Software Defaults
We evaluated the login failure messages presented by 31K login pages and found that 5.9K domains (19%) were vulnerable to user enumeration. Many sites leaked information in their login failure messages, revealing whether the username or the password was incorrect, which aids attackers in identifying valid accounts. We identified popular web platforms, such as WordPress, as primarily responsible for these insecure practices.
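To make the failure-message distinction concrete, here is an added example (not code from the paper or its measurement tooling) showing a leaky login handler beside a uniform one, plus the kind of self-check a site owner can run against their own handler. The user store, credentials and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os

def _hash(password: bytes, salt: bytes) -> bytes:
    # Iteration count is an example value, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)

# Constructed in-memory user store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash(b"correct horse", _SALT))}

# Dummy record so an unknown username still costs one hash computation,
# keeping response time similar for both failure causes.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash(b"placeholder", _DUMMY_SALT))

def login_leaky(username: str, password: str):
    """Vulnerable variant: the message reveals whether the account exists."""
    if username not in USERS:
        return False, "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password.encode(), salt), stored):
        return False, "Incorrect password"
    return True, "OK"

def login_uniform(username: str, password: str):
    """Hardened variant: same message and same work for both failure causes."""
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash(password.encode(), salt), stored)
    if not (match and username in USERS):
        return False, "Invalid username or password"
    return True, "OK"

def leaks_account_existence(login_fn) -> bool:
    """Self-check: do 'unknown user' and 'wrong password' produce different
    responses? True means the handler enables user enumeration."""
    _, msg_unknown = login_fn("nobody", "anything")
    _, msg_wrong = login_fn("alice", "wrong")
    return msg_unknown != msg_wrong
```

The same comparison should be applied to status codes, redirects and response timing, since any of them can leak account existence even when the visible message is uniform.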
Email Communication Reveals Insecure Password Storage Practices
We identified 570 websites that store passwords in plaintext, transmitting them via email during registration, password verification, and password reset. While some of these domains may store passwords securely and only transmit the plaintext at account creation, the practice remains insecure because email is not reliably encrypted in transit across the Internet.
Typo-Accepting Login Policies Found on Hundreds of Websites
We found 273 domains exhibiting typo-tolerance during logins, with an average of 3 typo classes accepted per domain. This finding has significant security implications, as recent research has shown that typo-tolerant schemes, while enhancing usability, also increase vulnerability to credential stuffing attacks.
Limited Adoption of Login Rate Limiting
We evaluated the rate limiting policy of 18K sites and found that only a small fraction (~25-30%) employed login rate limiting to prevent online brute-force password guessing attacks. The majority of sites have not yet adopted this practice.
- We develop a web measurement technique for automatically inferring website login policies in a black-box fashion.
- Our method entails automatically creating and logging into test accounts on websites, and systematically assessing each login stage to determine the authentication policies enacted.
- We apply our technique across domains in the Google CrUX Top 1 Million, successfully inferring login policies on between 18K and 359K websites (varying depending on the login stage considered), which is two to three orders of magnitude more sites than prior studies.
