Passwords are the keys to our digital lives, but how secure are they? A recent study by Georgia Tech and Google revealed that many websites and users are failing to follow the best practices for password security, putting millions of accounts and the data behind them at risk.
The study, the largest of its kind, used a first-of-its-kind automated tool to assess a website’s password creation policies. The tool was created by Assistant Professor Frank Li and Ph.D. student Suood Al Roomi in Georgia Tech’s School of Cybersecurity and Privacy. The tool was used to explore all sites in the Google Chrome User Experience Report (CrUX), a database of one million websites and pages.
The researchers found that three out of four of the world’s most popular websites are failing to meet minimum requirement standards, allowing tens of millions of users to create weak passwords. This is a concerning revelation, given the increasing number of cyber threats in today’s digital age.
The method of inferring password policies succeeded on over 20,000 sites in the database and showed that many sites permit very short passwords, do not block common passwords, and use outdated requirements such as mandatory character complexity. More than half of the websites in the study accepted passwords with six characters or fewer, with 75% failing to require the recommended eight-character minimum.
Around 12% of websites had no length requirements, and 30% did not support spaces or special characters. Only 28% of the websites studied enforced a password block list, which means thousands of sites are vulnerable to cyber criminals who might try to use common passwords to break into a user’s account, also known as a password spraying attack.
The researchers also discovered that only a few sites fully follow standard guidelines, while most stick to outdated guidelines from 2004. This is a stark reminder of the gap between the rapid advancement of technology and the slower pace of policy updates.
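As an added illustration (not code from the study or from its measurement tool), the following Python checker encodes the two policy styles the findings contrast: an outdated 2004-style rule set with a short minimum and character-class requirements, and a modern one with an eight-character minimum, spaces and symbols permitted, and a block list. The block list, policy values and sample passwords are constructed for this example.

```python
"""Password-policy checker contrasting outdated and modern rule sets."""
from dataclasses import dataclass

# Constructed block list for the example (the study's own list is not on the page).
# The first five entries are the 2022 most-common passwords named in the article.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "123456789", "guest", "qwerty",
    "password1", "letmein", "welcome", "admin",
})


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    require_complexity: bool          # outdated character-class rule
    allow_spaces_and_symbols: bool
    block_list: frozenset[str] = frozenset()


# Assumed values: a 2004-style policy (short minimum, complexity, no spaces/symbols)
# versus a modern one (8+ characters, anything allowed, common passwords blocked).
OUTDATED_2004 = Policy("outdated-2004", min_length=6, require_complexity=True,
                       allow_spaces_and_symbols=False)
MODERN = Policy("modern", min_length=8, require_complexity=False,
                allow_spaces_and_symbols=True, block_list=COMMON_PASSWORDS)


def check_password(password: str, policy: Policy) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not policy.allow_spaces_and_symbols and not password.isalnum():
        problems.append("spaces or special characters not supported")
    if policy.require_complexity:
        classes = sum([any(c.islower() for c in password),
                       any(c.isupper() for c in password),
                       any(c.isdigit() for c in password),
                       any(not c.isalnum() and not c.isspace() for c in password)])
        if classes < 3:
            problems.append("needs three of: lower, upper, digit, symbol")
    if password.lower() in policy.block_list:
        problems.append("appears on the common-password block list")
    return problems


def compare(password: str) -> dict[str, bool]:
    """Acceptance under each policy, to show where the two disagree."""
    return {p.name: not check_password(password, p) for p in (OUTDATED_2004, MODERN)}
```

Running `compare("I love to eat pizza on Fridays")` shows the outdated policy rejecting a long passphrase for its spaces while accepting `Password1`, which the modern policy blocks.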
“As a security community, we’ve identified and developed various solutions and best practices for improving internet and web security,” said Li. “It’s crucial that we investigate whether those solutions or guidelines are actually adopted in practice to understand whether security is improving in reality.”
The study also surveyed users’ password habits and found that 75% of Americans are frustrated with passwords. The difficulty in remembering multiple passwords leads people to use easy-to-remember (and easy-to-guess) ones. The most common passwords in 2022 were: “password”, “123456”, “123456789”, “guest”, and “qwerty”.
Moreover, 59% of users have included easily discoverable personal information in their passwords such as their name or birthdate. Almost half of the respondents reported having divulged a password at some point.
In 2022, over 24 billion passwords were exposed by hackers. More than 80% of confirmed breaches are related to stolen, weak, or reused passwords. These statistics underscore the importance of robust password policies in safeguarding user data.
In the end, the key to password security lies in creating unique, strong passwords and managing them effectively. So, next time you create a password, remember these facts and make your digital life a bit more secure.
Here are some tips to help you create and manage secure passwords:
– Use a password manager. A password manager is software that generates and stores strong passwords for your online accounts. It also fills in your passwords automatically when you log in, so you don’t have to remember or type them every time. Some popular password managers are LastPass, 1Password, and Dashlane.
– Use a passphrase. A passphrase is a long and memorable sentence that you can use as a password. For example, “I love to eat pizza on Fridays” is a passphrase. A passphrase is harder to crack than a simple password, and easier to remember than a random string of characters. You can also add some numbers or symbols to make it more secure. For example, “I l0ve to eat p!zza on Fr!days”.
– Use different passwords for different accounts. If you use the same password for multiple accounts, you are putting yourself at risk. If one of your accounts gets hacked, the hacker can access all your other accounts with the same password. Therefore, it is important to use different passwords for different accounts, especially for sensitive ones like your email, bank, or social media.
– Change your passwords regularly. Even if you have strong passwords, you should change them regularly to prevent hackers from guessing or stealing them. A good rule of thumb is to change your passwords every three to six months, or whenever you suspect a breach. You can also use a password manager to remind you when to change your passwords.
– Enable two-factor authentication. Two-factor authentication (2FA) is an extra layer of security that requires you to enter a code or a token in addition to your password when you log in. The code or token is usually sent to your phone or email, or generated by an app. This way, even if someone knows your password, they can’t access your account without the code or token. Many websites and apps offer 2FA as an option, and you should enable it whenever possible.