{"671146":{"#nid":"671146","#data":{"type":"news","title":"Largest Study of its Kind Shows Outdated Password Practices are Widespread","body":[{"value":"\u003Cp\u003EThree out of four of the world\u2019s most popular websites are failing to meet minimum requirement standards and allowing tens of millions of users to create weak passwords. The findings are part of a new Georgia Tech cybersecurity study that examines the current state of password policies across the internet.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EUsing a first-of-its-kind automated tool that can assess a website\u2019s password creation policies, researchers also discovered that 12% of websites completely lacked password length requirements.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EAssistant Professor\u0026nbsp;\u003Cstrong\u003EFrank Li\u003C\/strong\u003E\u0026nbsp;and Ph.D. student\u0026nbsp;\u003Cstrong\u003ESuood Al Roomi\u003C\/strong\u003E\u0026nbsp;in Georgia Tech\u2019s\u0026nbsp;\u003Ca href=\u0022https:\/\/scp.cc.gatech.edu\/\u0022\u003ESchool of Cybersecurity and Privacy\u003C\/a\u003E\u0026nbsp;created the automated assessment tool to explore all sites in the\u0026nbsp;\u003Ca href=\u0022https:\/\/developer.chrome.com\/docs\/crux\u0022\u003EGoogle Chrome User Experience Report\u003C\/a\u003E\u0026nbsp;(CrUX), a database of one million websites and pages. \u0026nbsp;\u003C\/p\u003E\r\n\r\n\u003Cp\u003ELi and Al Roomi\u0027s method of inferring password policies succeeded on over\u0026nbsp;20,000 sites in the database and showed that many sites:\u003C\/p\u003E\r\n\r\n\u003Cul\u003E\r\n\t\u003Cli\u003EPermit very short passwords\u003C\/li\u003E\r\n\t\u003Cli\u003EDo not block common passwords\u003C\/li\u003E\r\n\t\u003Cli\u003EUse outdated requirements like complex characters\u003C\/li\u003E\r\n\u003C\/ul\u003E\r\n\r\n\u003Cp\u003EThe researchers also discovered that only a few sites fully follow standard guidelines, while most stick to outdated guidelines from 2004. 
The project was 135 times larger than previous works that relied on manual methods and smaller sample sizes.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EMore than half of the websites in the study accepted passwords with six characters or fewer, with 75% failing to require the recommended eight-character minimum. Around 12% of sites had no length requirements, and 30% did not support spaces or special characters.\u003C\/p\u003E\r\n\r\n\u003Cp\u003EOnly 28% of the websites studied enforced a password block list, which means thousands of sites are vulnerable to cyber criminals who might try to use common passwords to break into a user\u2019s account, also known as a password spraying attack.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u201cBoth Professor Li and I were excited to take on the challenge,\u201d said Al Roomi. \u201cWith his guidance and our continuous work on both algorithm design and the measurement technique, we were able to fully develop an automated measurement of password creation policy and apply it at scale.\u201d\u003C\/p\u003E\r\n\r\n\u003Cp\u003EAl Roomi and Li designed an algorithm that automatically determines a website\u2019s password policy. With the help of machine learning, the pair could see the consistency of length requirements and restrictions for numbers, upper- and lower-case letters, special symbols, combinations, and starting letters. They could also see if sites permitted dictionary words or known breached passwords.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u201cAs a security community, we\u0027ve identified and developed various solutions and best practices for improving internet and web security,\u201d said Li. 
\u201cIt\u0027s crucial that we investigate whether those solutions or guidelines are actually adopted in practice to understand whether security is improving in reality.\u201d\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe project began during the height of the pandemic when Al Roomi found a gap in the research literature surrounding website password policies. Through his reading, he discovered that a consensus of his peers did not think a large-scale survey of password policies was possible due to the variety of web design.\u003C\/p\u003E\r\n\r\n\u003Cp\u003E\u201cIt was exciting to see an identified challenge in the literature and to develop and apply a vision we turned into the measurement tool,\u201d said Al Roomi. \u201cThis research was my first in my Ph.D. program at Georgia Tech and SCP. It is one of the most challenging yet rewarding endeavors I\u0027ve worked on.\u201d\u003C\/p\u003E\r\n\r\n\u003Cp\u003EThe full report will be presented at the\u0026nbsp;\u003Ca href=\u0022https:\/\/www.sigsac.org\/ccs\/CCS2023\/index.html\u0022\u003EACM Conference on Computer and Communications Security (CCS)\u003C\/a\u003E\u0026nbsp;in Copenhagen, Denmark, later this month.\u0026nbsp;\u003Ca href=\u0022https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/al-roomi\u0022\u003E\u003Cem\u003EA Large-Scale Measurement of Website Login Policies\u003C\/em\u003E\u003C\/a\u003E\u0026nbsp;was also accepted to the 32nd USENIX Security Symposium earlier this year.\u003C\/p\u003E\r\n","summary":"","format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003EGeorgia Tech cybersecurity researchers have developed a first-of-its-kind automated measurement tool that can assess password protection policies across the internet. The team used the tool in the largest study of its kind to assess password protection policies for 20,000 of the world\u0027s top websites. 
The results of their study are being published at the\u0026nbsp;\u0026nbsp;\u003Ca href=\u0022https:\/\/www.sigsac.org\/ccs\/CCS2023\/index.html\u0022\u003EACM Conference on Computer and Communications Security (CCS)\u003C\/a\u003E\u0026nbsp;in Copenhagen, Denmark, later this month.\u003C\/p\u003E\r\n","format":"limited_html"}],"field_summary_sentence":[{"value":"Georgia Tech researchers have developed a first-of-its-kind automated measurement tool that can assess password protection policies across the internet. "}],"uid":"32045","created_gmt":"2023-11-17 19:02:40","changed_gmt":"2023-11-27 01:27:41","author":"Ben Snedeker","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2023-11-17T00:00:00-05:00","iso_date":"2023-11-17T00:00:00-05:00","tz":"America\/New_York"},"extras":[],"hg_media":{"672410":{"id":"672410","type":"image","title":"A stock composite image of a man working at a computer screen with an animated unlocked lock image hovering above the screen and elsewhere around his desk","body":null,"created":"1700247771","gmt_created":"2023-11-17 19:02:51","changed":"1700247771","gmt_changed":"2023-11-17 19:02:51","alt":"A stock composite image of a man working at a computer screen with an animated unlocked lock image hovering above the screen and elsewhere around his desk","file":{"fid":"255642","name":"CyberSecurity_StockPhoto.jpeg","image_path":"\/sites\/default\/files\/2023\/11\/17\/CyberSecurity_StockPhoto.jpeg","image_full_path":"http:\/\/tlwarc.hg.gatech.edu\/\/sites\/default\/files\/2023\/11\/17\/CyberSecurity_StockPhoto.jpeg","mime":"image\/jpeg","size":56023,"path_740":"http:\/\/tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/2023\/11\/17\/CyberSecurity_StockPhoto.jpeg?itok=P3Oxw-Z8"}}},"media_ids":["672410"],"groups":[{"id":"47223","name":"College of Computing"},{"id":"430601","name":"Institute for Information Security and Privacy"},{"id":"1188","name":"Research 
Horizons"}],"categories":[{"id":"153","name":"Computer Science\/Information Technology and Security"},{"id":"135","name":"Research"},{"id":"8862","name":"Student Research"}],"keywords":[{"id":"187915","name":"go-researchnews"},{"id":"10199","name":"Daily Digest"}],"core_research_areas":[{"id":"145171","name":"Cybersecurity"}],"news_room_topics":[{"id":"71901","name":"Society and Culture"}],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003EJP Popham\u003C\/p\u003E\r\n\r\n\u003Cp\u003ECommunications Officer\u003C\/p\u003E\r\n\r\n\u003Cp\u003ESchool of Cybersecurity and Privacy\u003C\/p\u003E\r\n\r\n\u003Cp\u003Ejohn.popham@cc.gatech.edu\u003C\/p\u003E\r\n","format":"limited_html"}],"email":[],"slides":[],"orientation":[],"userdata":""}}}