Abstract

Passwords continue to occupy an interesting position in cyber security, being both widely used and widely criticised at the same time. In many cases the criticism is levelled at users, who are routinely judged to be at fault for making weak choices. However, such judgements frequently overlook the fact that users were ultimately permitted to make such choices, and often guided to do no better. This paper presents the fifth in a series of studies that have been conducted every 3-4 years since 2007 and examines the extent to which leading websites guide and support users in making appropriate password choices. Following the same core approach as the prior investigations, it examines the password practices of ten leading websites, with the aim of examining the level of guidance provided to users before and during the password selection process, as well as examining the nature of the passwords that users are then permitted to choose. The findings reveal that while there have been some marginal improvements in some areas (e.g. for the first time all of the sites under test were found to enforce a minimum password length), there are still numerous shortcomings and omissions in areas that would arguably support users in improving both their password practices and their resultant protection. Most sites present no upfront information on what good passwords should look like, and many offer ambiguous feedback in response to choices that are not permitted. Moreover, when it comes to filtering and preventing the use of weak passwords, there is a range of surprising omissions, with some sites readily permitting common passwords that others block for being too obvious. The findings demonstrate that users can remain unguided on good practice and unchallenged on bad decisions, which continues to be a disappointing outcome in an area of cyber security that is used so often.
