Passwords: 75 per cent of the world’s top websites allow bad choices

An analysis of 120 of the world’s top-ranked English-language websites has found that many of them allow weak passwords, including those that can be easily guessed, such as “abc123456” and “P@$$w0rd”

By Jeremy Hsu

Three-quarters of the world’s most popular English-language websites still allow people to choose the most common passwords such as “abc123456” and “P@$$w0rd.”

More than half of the 120 top-ranked websites also allow all 40 of the most common leaked and easily guessed passwords. The sites include popular shopping portals such as Amazon and Walmart, social media app TikTok, video streaming site Netflix and the company Intuit, maker of the tax-return software TurboTax that millions of people in the US use.

Amazon told New Scientist that it recommends users set up two-step verification and that the company may “require additional authentication challenges during sign-in” if it detects a security risk. Intuit chief architect Alex Balazs said he would investigate the findings and highlighted Intuit’s use of multi-factor authentication and fraud detection. The other companies mentioned above did not respond to New Scientist’s request for comment.

“It’s tempting to conclude that companies just don’t care about users’ security, but I don’t think that’s right… letting accounts get hacked is not at all in their interest,” says Arvind Narayanan at Princeton University.

To perform the analysis of English-language websites ranked as popular by various internet services, Narayanan and his colleagues manually checked 40 passwords on each site. Using each site’s password requirements, they selected 20 passwords from a randomised sampling of the 100,000 most frequently used passwords found in data breaches, along with the first 20 passwords guessed by a password cracking tool.

Only 15 websites blocked all 40 of the tested passwords. These included Google, Adobe, Twitch, GitHub and Grammarly.

In 2017, the US National Institute of Standards and Technology released a series of recommendations for websites to follow, such as including strength meters that encourage users to create stronger passwords, maintaining blocklists of leaked and easily guessed passwords and only allowing passwords that are at least eight characters.

Just 23 of the 120 most popular websites use strength meters. By comparison, 54 sites still rely on password composition policies that have poor security and usability ratings, such as forcing users to create complex passwords with a specific mix of uppercase and lowercase letters, numbers and symbols. Meanwhile, users can protect themselves by not reusing passwords for their online accounts.

“We definitely expected that more websites would be following best practices,” says team member Kevin Lee, also at Princeton University. The team will present the findings at the Symposium on Usable Privacy and Security in August.

The researchers remain uncertain about why so many popular websites still have subpar password policies. One possibility is that organisations may prefer spending money on other security measures because it can be difficult to measure the impact of improving password policies, says Sten Sjöberg, a Microsoft security program manager who contributed to the research while studying at Princeton University.

The security field may also have a “bit of a ratchet problem”, says Michelle Mazurek at the University of Maryland, who was not involved in the research. “It’s not easy to roll back a protection like requiring frequent password changes, even when it’s been scientifically shown not to be beneficial, because no one wants to get blamed if something goes wrong later.”