Recent News Articles

Largest Study of its Kind Shows Outdated Password Practices are Widespread

27 Nov 2023 8:59 PM | Anonymous

When did you last change your passwords? If you are like the majority of people, it has been a while. The time to change your passwords is NOW. 

The following is from an article in the Georgia Tech web site:

Three out of four of the world’s most popular websites are failing to meet minimum requirement standards and allowing tens of millions of users to create weak passwords. The findings are part of a new Georgia Tech cybersecurity study that examines the current state of password policies across the internet.

Using a first-of-its-kind automated tool that can assess a website’s password creation policies, researchers also discovered that 12% of websites completely lacked password length requirements.

Assistant Professor Frank Li and Ph.D. student Suood Al Roomi in Georgia Tech’s School of Cybersecurity and Privacy created the automated assessment tool to explore all sites in the Google Chrome User Experience Report (CrUX), a database of one million websites and pages.  

Li and Al Roomi's method of inferring password policies succeeded on over 20,000 sites in the database and showed that many sites:

  • Permit very short passwords
  • Do not block common passwords
  • Use outdated requirements like complex characters

The researchers also discovered that only a few sites fully follow standard guidelines, while most stick to outdated guidelines from 2004. The project was 135 times larger than previous works that relied on manual methods and smaller sample sizes.

More than half of the websites in the study accepted passwords with six characters or less, with 75% failing to require the recommended eight-character minimum. Around 12% of had no length requirements, and 30% did not support spaces or special characters.

Only 28% of the websites studied enforced a password block list, which means thousands of sites are vulnerable to cyber criminals who might try to use common passwords to break into a user’s account, also known as a password spraying attack.

You can read more at:

Blog posts

Eastman's Online Genealogy Newsletter

Powered by Wild Apricot Membership Software