Princeton Grades Password Policies of Most Popular Websites
Princeton University researchers released a study detailing the password policies of 120 of the most popular English-language websites in the world. For the study, the researchers reverse-engineered the password policies of these websites to determine if they were following what the researchers call “long established best practices for helping users create stronger passwords.” Of the 120, the researchers concluded only 15 were following best practices. The criteria used in making this assessment are as follows:
We considered a website to be following best practices if it satisfied the following security and usability criteria:
Allowed 5 or fewer of the 40 most common leaked passwords and easiest-to-guess passwords (e.g., "12345678", "rockyou") we tried.
Required passwords be no shorter than 8 characters OR employed a password strength meter that accurately measured a password's resistance to being guessed by an adversary.
Did not impose any character-class requirements (e.g. "at least one digit and one special character").
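To make the three criteria concrete, here is a small policy checker that scores a site's password-creation rules the way the study describes: it probes the policy with a list of common passwords and counts how many get through, checks the minimum length (or the presence of an accurate strength meter), and flags character-class rules. This is an added example, not code from the Princeton study or from Bitwarden; the password list, the `Policy` fields and the two sample policies are constructed for illustration, and the probe list is far shorter than the 40 passwords the researchers tried.

```python
"""Policy checker modelled on the three best-practice criteria above.
Added example, not code from the Princeton study or from Bitwarden."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of common leaked / easy-to-guess passwords. A real
# blocklist would be far larger; the study probed with 40 such passwords.
COMMON_PASSWORDS = (
    "12345678", "123456789", "1234567890", "password", "password1",
    "qwerty123", "rockyou", "iloveyou", "abc12345", "1q2w3e4r",
    "sunshine", "qwertyuiop",
)


@dataclass(frozen=True)
class Policy:
    """What a site enforces at password creation (hypothetical model)."""
    min_length: int = 8
    max_length: Optional[int] = None            # None: no upper cap on length
    blocklist: frozenset = frozenset()          # compared case-insensitively
    composition_rules: Tuple[str, ...] = ()     # regexes that must each match
    has_strength_meter: bool = False            # accurate guessability meter shown


def evaluate(password: str, policy: Policy) -> List[str]:
    """Return every reason the policy rejects the password (empty = accepted)."""
    reasons = []
    if len(password) < policy.min_length:
        reasons.append(f"shorter than {policy.min_length} characters")
    if policy.max_length is not None and len(password) > policy.max_length:
        reasons.append(f"longer than {policy.max_length} characters")
    if password.lower() in policy.blocklist:
        reasons.append("on the common-password blocklist")
    for rule in policy.composition_rules:
        if not re.search(rule, password):
            reasons.append(f"does not satisfy character-class rule {rule!r}")
    return reasons


def grade(policy: Policy, probes=COMMON_PASSWORDS) -> dict:
    """Apply the study's three criteria; True means the criterion is met."""
    allowed = sum(1 for p in probes if not evaluate(p, policy))
    return {
        "allows_at_most_5_common": allowed <= 5,
        "min_8_or_strength_meter": policy.min_length >= 8 or policy.has_strength_meter,
        "no_composition_rules": not policy.composition_rules,
    }


def follows_best_practices(policy: Policy) -> bool:
    """A site passes only if all three criteria are met."""
    return all(grade(policy).values())


# A policy that meets all three criteria: 8+ characters, a blocklist, no rules.
GOOD_POLICY = Policy(min_length=8, blocklist=frozenset(COMMON_PASSWORDS))

# A common weak pattern: short minimum, a cap on length, an "at least one
# digit" rule, and no blocklist at all.
WEAK_POLICY = Policy(min_length=6, max_length=16, composition_rules=(r"\d",))

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, grade(pol), "best practice:", follows_best_practices(pol))
    # The weak policy rejects a long passphrase yet accepts "qwerty123".
    print(evaluate("correct horse battery staple", WEAK_POLICY))
    print(evaluate("qwerty123", WEAK_POLICY))
```

The weak sample policy shows why composition rules and length caps are counted against a site: they turn away a 28-character passphrase while letting seven of the twelve sample common passwords through, whereas the blocklist-plus-minimum-length policy rejects every probe without constraining the user's choice of a long password.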
The 15 websites passing the test were:
In their peer-reviewed paper, the researchers wrote: “According to industry estimates, close to half of data breaches involved authentication failures. As such, the need to use strong passwords remains unchanged. To encourage this, websites mainly use three types of interventions during password creation: blocklists, password composition rules/policies (PCPs), and strength meters. All three interventions have been extensively researched in the information security community.”
They then went on to write: “the research is clear; what is less clear is whether these best practices are actually being followed. There has been no comprehensive study to understand how online services guide their users in setting up passwords (although previous studies have looked at narrow aspects of this question). We aimed to fill this gap by examining password policies of 120 of the most popular English-language websites in the world.”
As the Princeton researchers note, this type of study was sorely needed. Passwords are the first line of defense in protecting data - and if internet users are visiting any of these 120 websites, it’s likely they’re forking over loads of data. Consumers should be made aware of websites that foster weak password policies. In turn, the organizations operating these websites should feel the heat. One of the best strategies for keeping user data protected and avoiding the financial, legal, and reputational harm that may come from a password-related data breach is to facilitate the creation of strong and complex passwords.
Earlier this year, Bitwarden also explored the password policies of top businesses, albeit on a smaller scale. The Bitwarden Industry Leaders Security Rankings: Banking Edition sought to answer this question: Does your bank allow you to easily use strong and unique passwords?
In evaluating the top 5 U.S. banks (as ranked by assets held), we determined criteria, tested the criteria, and presented our findings. Our criteria are as follows:
Does the bank limit password length?
Does the bank allow users to paste and autofill passwords?
Does the bank offer two-factor authentication (2FA)?
Does the bank allow authenticator apps? Does the bank allow authenticator hardware?
Does the bank send an email informing the user of a password reset? Does the bank require the user to log in again using the new password?
From there, we assigned each bank a grade. In case you’re curious - and we recommend checking out the blog - Wells Fargo came out on top.
We undertook this project because utilizing a strong and complex password is one of the most basic, fundamental steps a person can take to protect themselves. Knowing that, we also wanted to know which organizations were making the ‘strong and complex’ part easy and which were making it hard. While it’s impossible to individually control cyber criminal behavior, we can control our password practices. So can the organizations managing the websites we visit.
Password policies won’t change without transparency. To that end, Bitwarden strongly supports Princeton’s research. We look forward to publishing more of our own password-related findings.