Most people’s passwords are poor, and it’s only partly our fault.
Passwords are some of the most valuable things a person can possess in the digital world. They are how we access key websites and the lock behind which we store vital data about ourselves that we wouldn’t want others to access. Although we’re slowly seeing a shift towards a passwordless future, where biometrics such as fingerprints and voice samples are used to unlock accounts in the hope of stymying hackers, the password still has a vital place in our lives, and looks likely to keep it for a time yet.
But we’re not the best at ensuring we have safe passwords. Despite plenty of advice showing how to create a strong password, including on CyberNews, the reality is that too many people rely on commonly used, frequently hacked passwords. (You can check if your password is on the list of commonly used ones here.)
In part, that’s because of bad practices at an individual level. We’re lazy and tend to like passwords that we can easily remember – which means we pick insecure passwords that are easy to guess by brute-force attack in the first place. Compounding the issue, we then reuse those weak passwords across a number of different sites, all so we don’t have to go to the hassle of remembering multiple passwords for different services. It means that if a hacker manages to get into one part of our digital lives, they frequently gain access to all of it.
People aren’t always to blame
However, individual laziness isn’t always to blame. New research indicates just how much bad password practices are encouraged by some of the world’s biggest websites.
An analysis of the password policies of 120 of the world’s biggest websites indicates that many of the weak passwords on our accounts aren’t only ones we proactively pick; some are weak because they were chosen to satisfy the “good password” rules that major platforms themselves impose.
Just 15 out of the 120 sites surveyed followed what the Princeton University researchers deemed best password practice, which required two things: that a site allowed five or fewer of the 40 most commonly leaked passwords (which are also among the easiest to guess), and that it required passwords to be eight characters or more.
“The remaining 105/120 either leave users at risk for password compromise or frustrated from being unable to use a sufficiently strong password (or both),” the researchers write.
When websites go wrong
More than half of the websites the researchers looked at do not check passwords at all, allowing every one of the 40 most common passwords they tested (including simple-to-guess ones like "12345678" and "rockyou"). Only 23 out of 120 sites bothered to use strength checkers, which are commonly available and guide users towards stronger passwords that are harder to crack.
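As an added illustration (not code from the article or from the Princeton study), here is a small Python model of the audit described above: each site's policy is probed with a list of common passwords and scored against the two criteria, with a long passphrase thrown in to catch sites that reject strong passwords. The password list, the passphrase and the three policies are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed stand-in for the 40 most commonly leaked passwords the study
# submitted to each site; "12345678" and "rockyou" are the two named above.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "123456789", "rockyou",
    "iloveyou", "abc123", "letmein", "welcome", "monkey", "dragon",
]
# Constructed long passphrase, used to catch sites that reject strong passwords.
STRONG_PASSPHRASE = "correct-horse-battery-staple-2024"

@dataclass(frozen=True)
class Policy:
    """A site's password rules: length bounds and an optional blocklist."""
    min_length: int = 1
    max_length: Optional[int] = None
    blocklist: frozenset = frozenset()

    def reasons(self, password: str) -> list:
        """Why the policy rejects a password (empty = accepted); this is the
        feedback a strength checker would show the user."""
        out = []
        if len(password) < self.min_length:
            out.append(f"shorter than {self.min_length} characters")
        if self.max_length is not None and len(password) > self.max_length:
            out.append(f"longer than {self.max_length} characters")
        if password.lower() in self.blocklist:
            out.append("on the list of commonly leaked passwords")
        return out

    def accepts(self, password: str) -> bool:
        return not self.reasons(password)

def audit(policy: Policy) -> dict:
    """Score a policy by the study's two criteria: at most 5 of the common
    passwords accepted AND a minimum length of 8. Also flag the other failure
    the researchers mention: refusing a long, strong passphrase."""
    accepted = [p for p in COMMON_PASSWORDS if policy.accepts(p)]
    return {
        "common_accepted": len(accepted),
        "rejects_strong_passphrase": not policy.accepts(STRONG_PASSPHRASE),
        "best_practice": len(accepted) <= 5 and policy.min_length >= 8,
    }

# Three constructed policies: no checks, a low maximum length, and one that
# meets both criteria.
NO_CHECK = Policy()
CAPPED = Policy(min_length=6, max_length=16)
GOOD = Policy(min_length=8, blocklist=frozenset(COMMON_PASSWORDS))
```

Note that `CAPPED` fails on both counts at once: it lets every common password through and turns away the long passphrase, the "or both" case the researchers describe.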
For Narayanan, the scale and scope of the sites affected was shocking. “We’re not talking about obscure websites,” he says in another tweet. “Those with bad password policies include Facebook, Netflix, Microsoft, Apple, and Amazon.”
Tackling it won’t be an easy thing to do either.
“Overall, there’s a long way to go to improve password policies,” he says. “More fundamentally, there seems to be a disconnect between the research community and the industry (a recurring theme in information security). Fixing this will require both sides to change their practices.”