{"id":23485,"date":"2023-11-29T15:10:07","date_gmt":"2023-11-29T23:10:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/11\/29\/news-17215\/"},"modified":"2023-11-29T15:10:07","modified_gmt":"2023-11-29T23:10:07","slug":"news-17215","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/11\/29\/news-17215\/","title":{"rendered":"Many major websites allow users to have weak passwords"},"content":{"rendered":"\n<p>A new study that examines the current state of password policies across the internet shows that many of the most popular websites allow users to create weak passwords.<\/p>\n<p>For the <a href=\"https:\/\/www.cc.gatech.edu\/news\/largest-study-its-kind-shows-outdated-password-practices-are-widespread\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Georgia Tech study<\/a>, the researchers designed an algorithm that automatically determined a website\u2019s password policy. With the help of machine learning, they could see the consistency of length requirements and restrictions for numbers, upper- and lower-case letters, special symbols, combinations, and starting letters. They could also see if sites permitted dictionary words or known breached passwords.<\/p>\n<p>Using this tool they found:<\/p>\n<ul>\n<li>12% of the websites they looked at completely lack password length requirements<\/li>\n<li>3 out of 4 fail to meet minimum requirement standards which means they:\n<ul>\n<li>Allow very short passwords<\/li>\n<\/ul>\n<ul>\n<li>Do not block common passwords<\/li>\n<\/ul>\n<ul>\n<li>Use outdated requirements like complex characters<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>More than half of the websites in the study accepted passwords with six characters or less, with 75% failing to require the recommended eight-character minimum. Around 12% of the websites had no length requirements, and 30% did not support spaces or special characters.<\/p>\n<p>Giving users that kind of freedom is asking for them to be duped. 
As we pointed out a while back, even tech-savvy users like <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/10\/it-administrator-passwords-are-leading-by-bad-example\">IT administrators resort to awful passwords<\/a> when given the chance. <\/p>\n<p>The reasons for not enforcing standards are obvious. Most websites care more about customer satisfaction than security, and you can guess which one is better for business.<\/p>\n<p>Users don\u2019t like passwords, especially since the password situation has been made worse by ridiculous and unnecessary rules, such as asking users to pick passwords that follow formulas, or forcing users to change their password every few months. Both rules have been discredited but continue to haunt us. Formulas reduce the number of possible passwords a user can pick from, and regular password resets encourage users to pick passwords that conform to a predictable pattern, both of which can make guessing passwords easier, which is the opposite of what we want.<\/p>\n<p>If you\u2019d like to read more about this, read \u201c<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/10\/why-almost-everything-we-told-you-about-passwords-was-wrong\">Why (almost) everything we told you about passwords was wrong<\/a>.\u201d The article summarizes how a lot of what you\u2019ve been told about passwords over the years was either wrong (change your passwords as often as your underwear), misguided (choose long, complicated passwords), or counterproductive (don\u2019t reuse passwords).<\/p>\n<p>We feel that we should entirely move away from the model that requires users to create and remember passwords. It is time for something more secure AND user-friendly. 
And it\u2019s not like these systems don\u2019t exist (hello <a href=\"https:\/\/www.malwarebytes.com\/blog\/podcast\/2023\/03\/solving-the-passwords-hardest-problem-with-passkeys-featuring-anna-pobletts\">Passkeys<\/a>), we just need to embrace them more widely.<\/p>\n<p>Let\u2019s enable <a href=\"https:\/\/www.malwarebytes.com\/glossary\/multi-factor-authentication-mfa\">multi-factor authentication (MFA)<\/a> where we can, even if we feel that using a password as the first factor doesn\u2019t add a lot of extra security to the login procedure. And if we need to rely on passwords alone, try using a password manager. They help you create complex passwords and remember them for you.<\/p>\n<p>The full report of the researchers will be presented at the ACM Conference on Computer and Communications Security (CCS) in Copenhagen, Denmark, later this month.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/11\/many-major-websites-allow-users-to-have-weak-passwords\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> A new study that looked at the password requirements of the most popular websites came to a disappointing but not surprising conclusion. 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[32,26699],"class_list":["post-23485","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-news","tag-personal"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23485","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23485"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23485\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23485"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}