An Assessment of Website Password Practices
Computing, Health and Science
School of Computer and Information Science, Centre for Security Research
Password-based authentication is frequently criticised on the basis of the ways in which the approach can be compromised by end-users. However, a fundamental point in the defence of many users is that they may not know any better, and lack appropriate guidance and support when choosing their passwords and subsequently attempting to manage them. Given that such support could reasonably be expected to come from the systems upon which the passwords are used, this paper presents an assessment of password practices on 10 popular websites, examining the extent to which they provide guidance for password selection, enforce restrictions on password choices, and support easy and effective recovery or reset if passwords are forgotten. The findings reveal that the situation is extremely variable, with none of the assessed sites performing ideally across all of the assessed criteria. Better efforts are consequently required if password practices amongst the general populous are expected to improve.