A significant number of popular websites still allow users to choose weak or even single-character passwords, researchers at Georgia Institute of Technology have found.
The researchers used an automated account-creation method to assess over 20,000 websites from the Tranco top 1M and evaluate the password creation policies those sites impose on users.
They found that 75% of websites allow passwords shorter than the 8-character minimum recommended by NIST SP 800-63B.
40% of sites cap password length below the recommended 64-character maximum that sites should accept.
72% of sites allow dictionary words as passwords and 88% accept passwords that appear in known breaches.
A third of websites do not accept special characters in passwords.
39% accept the single most popular password, and almost half accept at least one of the top four most common passwords.
They also found that most websites still follow NIST's 2004 password guidelines, which rely on composition rules such as required character classes, even though NIST replaced them in 2017 with SP 800-63B, which favors length and breached-password blocklists over composition rules.
Many website creators also may not be aware of the more modern password creation policy options, and that can be remedied with education and outreach efforts.
The wide variation in password creation policies across sites is also likely a usability burden on users.
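To make the contrast between the two NIST generations concrete, here is an added example (not code from the Georgia Tech study or from any site it measured) of a password-creation check aligned with SP 800-63B placed next to a representative 2004-style composition rule. The blocklist is a constructed stand-in for a breached/dictionary corpus, and the legacy rule is a constructed example of the kind of policy the paper found sites still enforcing, not a quote of any particular site:

```python
"""Password-creation policy aligned with NIST SP 800-63B (2017), next to a
representative 2004-style composition rule. Added example; not code from the
Georgia Tech study or from any site it measured."""
import re
import unicodedata

MIN_LENGTH = 8   # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64  # SP 800-63B: sites must accept at least 64 characters

# Constructed stand-in for a breached/dictionary password blocklist. A real
# deployment loads millions of entries or queries a k-anonymity range API.
BLOCKLIST = {
    "123456", "password", "12345678", "qwerty", "123456789", "p@ssw0rd",
    "password1", "iloveyou", "letmein", "sunshine", "football", "welcome",
}


def _is_sequential(s: str) -> bool:
    """True for runs like 'abcdefgh' or '12345678' (consecutive code points)."""
    return len(s) >= 3 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def check_password(password: str, context: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Follows 800-63B: length bounds, a blocklist of breached/dictionary values,
    context-specific words (username, service name), repetitive or sequential
    strings, and no composition rules. Any printable character, space or
    Unicode is allowed; NFKC normalisation is applied before comparison.
    """
    pw = unicodedata.normalize("NFKC", password)
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BLOCKLIST:
        reasons.append("appears in breached/dictionary password list")
    for word in context:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    if len(pw) >= 2 and len(set(lowered)) == 1:
        reasons.append("single repeated character")
    elif _is_sequential(lowered):
        reasons.append("sequential characters")
    return reasons


def legacy_policy_ok(password: str) -> bool:
    """Representative 2004-era rule (constructed for contrast): 8-20 characters
    with upper, lower, digit and symbol. Note what it gets wrong: it accepts
    the predictable 'P@ssw0rd' and rejects a long passphrase."""
    return (
        8 <= len(password) <= 20
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"\d", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "12345678"):
        print(repr(candidate), "legacy:", legacy_policy_ok(candidate),
              "800-63B:", check_password(candidate) or "accepted")
```

The two policies disagree in exactly the direction the study describes: the composition rule waves through "P@ssw0rd", which is on every breached list, while rejecting a 28-character passphrase for exceeding its length cap and lacking a digit; the blocklist-based check does the reverse. A production deployment would replace the inline set with a full breached-password corpus and should also compare the normalised password against the username and service name.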
Alroomi and Li recently also evaluated website login policies on between 18K and 359K websites (depending on the measurement) across the Google CrUX Top 1 Million domains.
Nearly 2,000 domains serve login pages only over HTTP, meaning that credentials cross the network in cleartext and can be read or modified by anyone on the path. A further 21.2K domains offered the login page over HTTP in addition to HTTPS, leaving users who arrive over the HTTP version equally exposed. Among these are many government and educational domains of entities in Asia and South America.
3,200 websites have copy-pasting disabled for either the email/username or the password field, which discourages the use of password managers. Hundreds of websites deploy typo-tolerant password authentication, which effectively accepts several variants of each password and so widens the set of guesses that succeed in password guessing, credential stuffing and credential tweaking attacks.
Nearly 6,000 websites return login error messages that reveal whether a given username exists, making user enumeration attacks easy.
Only a small number of websites employ login rate limiting that could prevent online brute-force password guessing attacks.
570 websites send plaintext passwords in emails either upon registration, after email verification, or after a password reset request.
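The three login-page weaknesses above, enumeration through distinct error messages, missing rate limiting and plaintext password handling, can be illustrated side by side. The following is an added example, not code from the paper or from any measured site: a deliberately leaky handler beside a hardened one that returns a single failure message, does the same hashing work whether or not the username exists, stores only salted PBKDF2 hashes, and applies a sliding-window attempt limit. The user record and the client addresses are constructed sample data, and the injectable `clock` is there only so the limit can be exercised deterministically.

```python
"""Login endpoint hardening: a uniform error response that defeats user
enumeration, a dummy hash computation so unknown users cost the same time as
known ones, and a simple sliding-window rate limit against online guessing.
Added example, not code from the paper or from helpnetsecurity.com."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000


def make_record(password: str) -> tuple:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the plaintext password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify(record: tuple, password: str) -> bool:
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


def login_leaky(users: dict, username: str, password: str) -> tuple:
    """Enumeration-prone handler: the two failure messages tell an attacker
    whether the username exists, and unknown users skip the hash, which also
    leaks through response time."""
    record = users.get(username)
    if record is None:
        return 401, "No account with that username"
    if not verify(record, password):
        return 401, "Incorrect password"
    return 200, "OK"


GENERIC_FAILURE = "Invalid username or password"


class LoginService:
    """Hardened handler: one failure message, constant work per attempt, and a
    per-(client, username) attempt limit within a sliding window."""

    def __init__(self, users: dict, max_attempts: int = 5, window_s: float = 300.0,
                 clock=time.monotonic):
        self.users = users
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.clock = clock  # injectable so the window can be tested deterministically
        self._attempts = {}  # (client_ip, username) -> list of failure timestamps
        # Dummy record so verify() runs for unknown usernames too.
        self._dummy = make_record(os.urandom(16).hex())

    def _recent_failures(self, key, now) -> list:
        recent = [t for t in self._attempts.get(key, []) if now - t < self.window_s]
        self._attempts[key] = recent
        return recent

    def login(self, username: str, password: str, client_ip: str) -> tuple:
        key = (client_ip, username)
        now = self.clock()
        failures = self._recent_failures(key, now)
        if len(failures) >= self.max_attempts:
            return 429, "Too many attempts; try again later"
        record = self.users.get(username, self._dummy)
        # Run verify() before the existence check so both paths do the same work.
        password_ok = verify(record, password)
        if password_ok and username in self.users:
            self._attempts.pop(key, None)
            return 200, "OK"
        failures.append(now)
        return 401, GENERIC_FAILURE


def build_users(plain: dict) -> dict:
    """Constructed helper: turn {username: password} into hashed records."""
    return {u: make_record(p) for u, p in plain.items()}


if __name__ == "__main__":
    users = build_users({"alice": "correct horse battery staple"})  # constructed sample
    print(login_leaky(users, "bob", "x"), login_leaky(users, "alice", "x"))
    svc = LoginService(users, max_attempts=3, window_s=60)
    for _ in range(4):
        print(svc.login("alice", "wrong", "203.0.113.5"))
```

Keying the limit on (client, username) stops a single source from hammering one account; credential stuffing that spreads attempts over many source addresses needs an additional per-account counter, and a deployment would back the counters with shared storage rather than an in-process dict. The same `make_record` path is what a password-reset flow should call, rather than generating and emailing a cleartext password.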
The researchers add that GDPR could be used to penalize such insecure practices and incentivize remediation of insecure website behaviors.
Outreach campaigns may be effective at reducing the number of sites that still serve login pages over HTTP. And, as with password policies, changes to the defaults of popular web frameworks could fix several of these login security issues at once.
Originally published on www.helpnetsecurity.com, Tue, 12 Dec 2023 06:13:05 +0000.