A new review has revealed that over three-quarters of the world’s most popular websites allow users to choose the most common passwords, such as ‘P@$$w0rd’ and ‘abc123456’.
Over 50% of the 120 top-ranked websites allow 40 of the most easily guessed and leaked passwords. These sites include Amazon, Netflix, TikTok, Walmart, Intuit, and other popular sites.
Amazon said that it recommends users set up two-step authentication, and that the company may ‘require additional authentication challenges during sign-in’ if a security risk is detected. Alex Balazs, Chief Architect of Intuit, emphasized Intuit’s use of fraud detection and multi-factor authentication.
‘It’s tempting to conclude that companies just don’t care about users’ security, but I don’t think that’s right… letting accounts get hacked is not at all in their interest,’ said Arvind Narayanan of Princeton University.
Narayanan and his colleagues analyzed the top-ranked English-language websites, manually checking the 40 passwords on each site. Taking note of each site’s password requirements, they chose passwords from a randomized sample of the 100,000 most commonly used passwords found in data breaches, and also used the first 20 passwords guessed by a password-cracking tool.
Only 15 websites blocked all 40 tested passwords. These include Twitch, Google, Adobe, Grammarly and GitHub.
Back in 2017, the US National Institute of Standards and Technology announced a series of recommendations for websites to follow. They included strength meters encouraging users to create stronger passwords, allowing only passwords of at least eight characters, and maintaining blocklists of easily-guessed passwords.
Currently, only 23 of the 120 most popular websites use strength meters. Fifty-four sites still rely on password composition policies, which provide poor security and force users to create complicated passwords combining uppercase and lowercase letters, symbols and numbers. Users can, however, protect themselves by using a different password for each of their online accounts.
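As an added illustration (not code from the article or the study), the following Python compares the two approaches discussed above: a legacy composition policy versus a NIST-style check built on a minimum length and a blocklist of commonly used passwords. The blocklist and its entries are a small constructed stand-in for a real breach-derived list; the case-insensitive matching is an assumption of this example.

```python
"""Composition policy versus NIST-style (length + blocklist) password check.

Added example, not from the article or the study it reports on.
"""
import string

# Constructed stand-in for a breach-derived blocklist. A real deployment would
# load a list of the order of the 100,000 most common passwords instead.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "abc123456", "p@$$w0rd", "qwerty", "letmein",
})

MIN_LENGTH = 8  # minimum length for user-chosen passwords (NIST SP 800-63B)


def composition_policy(pw: str) -> bool:
    """The legacy rule the article criticises: require lower, upper, digit and
    symbol. It says nothing about whether the password is commonly used."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= MIN_LENGTH and all(classes)


def nist_style_policy(pw: str) -> bool:
    """Length floor plus blocklist, no composition rules. Matching is
    case-insensitive (an assumption here) so 'P@$$w0rd' and 'p@$$w0rd' are
    treated alike."""
    if len(pw) < MIN_LENGTH:
        return False
    return pw.lower() not in COMMON_PASSWORDS


def compare(pw: str) -> dict:
    """Return both verdicts side by side for one candidate password."""
    return {
        "composition": composition_policy(pw),
        "nist_style": nist_style_policy(pw),
    }


if __name__ == "__main__":
    # 'P@$$w0rd' satisfies every composition rule yet sits on the blocklist;
    # a long passphrase fails the composition rule but passes the NIST-style check.
    for candidate in ("P@$$w0rd", "abc123456", "correct horse battery staple"):
        print(candidate, compare(candidate))
```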
‘We definitely expected that more websites would be following best practices,’ says team member Kevin Lee. The findings of the team will be presented at the Symposium on Usable Privacy and Security in August.
The researchers were unable to determine why so many popular websites have subpar policies. Sten Sjöberg, a Microsoft security program manager, offered an educated guess: because the impact of improving password policies is difficult to measure, organizations may spend their money on other preventive security measures instead.
Michelle Mazurek of the University of Maryland believes the security field may have a ‘bit of a ratchet problem’. ‘It’s not easy to roll back a protection like requiring frequent password changes, even when it’s been scientifically shown not to be beneficial, because no one wants to get blamed if something goes wrong later.’
By Marvellous Iwendi.
Source: New Scientist