The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Study Reveals Top Websites Fail to Follow Password Best Practices

A peer-reviewed study conducted by researchers at Princeton University explored the password policies of the most popular English-language websites and found that only 13% of the websites followed all appropriate best practices.

The researchers reverse-engineered the password policies of 120 of the leading websites, ranked by visitor numbers, and sought to establish whether password best practices were being followed. They attempted to set 40 of the most commonly leaked passwords, such as abc123456 and P@$$w0rd, for accounts; determined whether the websites imposed any character-class requirements (at least one upper-case letter, lower-case letter, number, and symbol); checked whether a password strength meter was provided to help users set strong passwords; and checked whether passwords shorter than 8 characters were permitted. Only 15 of the 120 websites followed all of these best practices. The other 105 websites failed on one or more of those requirements, which put users at risk of password compromise.

59% of the websites did not perform any checks of passwords, which meant that all 40 of the commonly used passwords were permitted. 75% of the websites did not prevent users from setting more than half of the tested weak passwords. Only 19% of the websites used password strength meters, and 10 of the 23 websites that did have password strength meters nudged users toward specific types of characters and did not incorporate any notion of guessability.

The latest password advice from NIST is not to force users to set passwords containing specific character classes: while such requirements in theory force users to create strong passwords, in practice they weaken passwords because people tend to take shortcuts and use easily guessable passwords. 45% of the tested websites forced users to use certain character sets. All password policies for the 120 websites were found to perform poorly for security and usability.
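The following is an added example, not code from the study or from HIPAA Journal, contrasting the two kinds of policy the article describes: a legacy character-class rule and a NIST-style rule built on a minimum length and a blocklist of leaked passwords. The blocklist and the leetspeak map are small constructed samples; a real deployment would check against a large breach corpus.

```python
"""Compare a character-class composition policy with a NIST-style policy.

Added example. LEAKED_PASSWORDS is a constructed stand-in for a list of
commonly leaked passwords (two entries are taken from the article).
"""
import re

LEAKED_PASSWORDS = {"abc123456", "password", "p@$$w0rd", "qwerty123", "letmein"}

# Constructed leetspeak map so "P@$$w0rd" normalizes to "password".
# This is a heuristic: it catches obvious variants and may occasionally
# reject a password that merely resembles a leaked one.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i", "5": "s"})


def composition_policy(pw: str) -> bool:
    """Legacy rule: length >= 8 and one of each character class.

    Accepts leaked passwords like P@$$w0rd because they tick every box,
    yet rejects a long all-lowercase passphrase.
    """
    return (len(pw) >= 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalize(pw: str) -> str:
    """Lower-case and undo common character substitutions."""
    return pw.lower().translate(LEET)


def nist_style_policy(pw: str) -> tuple[bool, str]:
    """NIST SP 800-63B-style rule: minimum length and blocklist, no
    composition requirements. Returns (accepted, reason)."""
    if len(pw) < 8:
        return False, "too short (minimum 8 characters)"
    if pw.lower() in LEAKED_PASSWORDS or normalize(pw) in LEAKED_PASSWORDS:
        return False, "matches a commonly leaked password"
    return True, "ok"


def leaked_passwords_permitted(policy, candidates) -> int:
    """Mirror the study's method: count how many leaked candidates a policy lets through."""
    return sum(1 for pw in candidates if policy(pw))


if __name__ == "__main__":
    sample = ["abc123456", "P@$$w0rd", "qwerty123", "letmein"]
    print("composition policy permits:", leaked_passwords_permitted(composition_policy, sample))
    print("NIST-style policy permits:",
          leaked_passwords_permitted(lambda p: nist_style_policy(p)[0], sample))
```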


A password is often all that stands between a malicious actor and highly sensitive data. It is therefore important for website owners to follow password best practices to help users secure their accounts. You can view the researchers’ recommended password practices here. The findings of the study will be presented at the Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022) next month and published in its proceedings.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
