Assessing website password practices – over a decade of progress?

Document Type

Journal Article



Place of Publication

United Kingdom


Security Research Institute


Originally published as: Furnell, S. (2018). Assessing website password practices–over a decade of progress?. Computer Fraud & Security, 2018(7), 6-13. Original article available here.


World Password Day 2018 saw Microsoft suggesting that it would deliver a “world without passwords” and BlackBerry proposing that they would be replaced by adaptive authentication (based on the buzzwords du jour of artificial intelligence and machine learning).1,2 Yet at the same time we had the irony of Twitter asking 330 million subscribers to change their passwords, having discovered a bug in the firm's internal systems that resulted in them being stored in unencrypted form.3 Every now and again we get a flurry of headlines proclaiming the passing of passwords, yet they are still with us and still being broken and breached. Steven Furnell of the University of Plymouth, UK and Edith Cowan University, Australia presents the results of an assessment of password guidance and policy enforcement on a series of leading websites and compares them with three earlier studies. A consistent finding in all prior cases was that sites were doing less than might be expected. So, 11 years on from the original study, what's changed and have things got better?



Access Rights