Why Do So Many Sites Have Bad Password Policies?

'Three out of four of the world's most popular websites are failing to meet minimum requirement standards' for password security, reports Georgia Tech's College of Computing. Which means three out of four of the world's most popular web sites are 'allowing tens of millions of users to create weak passwords.'

Using a first-of-its-kind automated tool that can assess a website's password creation policies, researchers also discovered that 12% of websites completely lacked password length requirements. Assistant Professor Frank Li and Ph.D. student Suood Al Roomi in Georgia Tech's School of Cybersecurity and Privacy created the automated assessment tool to explore all sites in the Google Chrome User Experience Report (CrUX), a database of one million websites and pages.

Li and Al Roomi's method of inferring password policies succeeded on over 20,000 sites in the database and showed that many sites:
- Permit very short passwords
- Do not block common passwords
- Use outdated requirements like complex characters

The researchers also discovered that only a few sites fully follow standard guidelines, while most stick to outdated guidelines from 2004... More than half of the websites in the study accepted passwords with six characters or less, with 75% failing to require the recommended eight-character minimum. Around 12% of had no length requirements, and 30% did not support spaces or special characters. Only 28% of the websites studied enforced a password block list, which means thousands of sites are vulnerable to cyber criminals who might try to use common passwords to break into a user's account, also known as a password spraying attack.

Georgia Tech describes the new research as 'the largest study of its kind.' ('The project was 135 times larger than previous works that relied on manual methods and smaller sample sizes.')

'As a security community, we've identified and developed various solutions and best practices for improving internet and web security,' said assistant professor Li. 'It's crucial that we investigate whether those solutions or guidelines are actually adopted in practice to understand whether security is improving in reality.'

The Slashdot community has already noticed the problem, judging by a recent post from eggegick. 'Every site I visit has its own idea of the minimum and maximum number of characters, the number of digits, the number of upper/lowercase characters, the number of punctuation characters allowed and even what punctuation characters are allowed and which are not.'
The limit of password size really torques me, as that suggests they are storing the password (they need to limit storage size), rather than its hash value (fixed size), which is a real security blunder. Also, the stupid dots drive me bonkers, especially when there is no 'unhide' button. For crying out loud, nobody is looking over my shoulder! Make the 'unhide' default.
'The 'dots' are bad security,' agrees long-time Slashdot reader Spazmania. 'If you're going to obscure the password you should also obscure the length of the password.' But in their comment on the original submission, they also point out that there is a standard for passwords, from the National Institute of Standards and Technology:
Briefly:
* Minimum 8 characters
* Must allow at least 64 characters.
* No constraints on what printing characters can be used (including high unicode)
* No requirements on what characters must be used or in what order or proportion
This is expected to be paired with a system which does some additional and critical things:

* Maintain a database of known compromised passwords (e.g. from public password dictionaries) and reject any passwords found in the database.
* Pair the password with a second authentication factor such as a security token or cell phone sms. Require both to log in.
* Limit the number of passwords which can be attempted per time period. At one attempt per second, even the smallest password dictionaries would take hundreds of years to try...
Someone attempting to brute force a password from outside on a rate-limited system is limited to the rate, regardless of how computing power advances. If the system enforces a rate limit of 1 try per second, the time to crack an 8-character password containing only lower case letters is still more than 6,000 years.

Read more of this story at Slashdot.