The death of passwords is predicted with regular frequency, but we’re still to see it actually happen. It’s possible that it will happen one day but, in the meantime, it would be helpful if popular online services would steer users towards choosing better passwords.

Examining top English-speaking websites

Professor of Information Security Steve Furnell at the the University of Plymouth has been looking at the password practices of the top ten English-speaking websites since 2007 and, unfortunately, there has been not much improvement.

The websites examined this year are Amazon, Facebook, Google, Instagram, Microsoft Live, Netflix, Reddit, Twitter, Wikipedia and Yahoo.

Of the ten, Amazon, Wikipedia and Reddit are prominent in their lack of restrictions enforced at sign-up and other features incorporated with security in mind (2FA/2FV, prevention of password reuse, password meter).

Of those three Amazon is indisputably the worst: user accounts contain a personal and payment card information, but the site only enforces a minimum length for the password (6) and offers the option of turning on 2-factor authentication.

Reddit might offer just a 2FA/2FV and a password meter, and Wikipedia only prevents the use of “password” and the user ID for the password, but these accounts don’t contain very important data, and are not in demand with criminals.

On the other side of the spectrum we have Google, Microsoft Live and Yahoo.

Google enforces a minimum password length (6), prevents the use of the most obvious and easily guessable/breakable passwords (surname, user ID, “password”, dictionary words). It enforces passwords consisting of different character types, offers 2FA, and prevents password reuse.

Microsoft Live and Yahoo do similarly well.

Nothing much has changed

“With over ten years between the studies, it is somewhat disappointing to find that the overall story in 2018 remains largely similar to that of 2007,” Professor Furnell noted.

“In the intervening years, much has continued to be written about the failings of passwords and the ways in which we use them, but little is being done to encourage or oblige us to follow the right path. The increased availability of two-step verification and two-factor authentication options is positive. But users arguably require more encouragement or obligation to use them otherwise, like passwords themselves, they will offer the potential for protection while falling short of doing so in practice.”

Unfortunately, hardly any of these sites tell users why they prevent or enforce specific things on sign-up or when users decide to change their password.

Users still have to educate themselves on things they should generally avoid: simple, short passwords, passwords based on easily guessable personal information or dictionary words, and password reuse across many different sites.

While using the same simple password on accounts that are of low value (don’t contain personal of financial information, can’t be misused to spam or scam other users) is not a totally bad idea, using it for critical accounts (containing a lot of personal and financial info, confidential documentation, or email accounts that are used for registering to online services and to which password reset emails of those services are sent) is a definite no-no.