A new study from Georgia Tech has found that a staggering three out of four of the world’s most popular websites are failing to meet minimum password requirement standards, leaving tens of millions of users vulnerable to cyberattacks.
The study, conducted by Assistant Professor Frank Li and Ph.D. student Suood Al Roomi of the Georgia Tech School of Cybersecurity and Privacy, used a first-of-its-kind automated tool to assess password creation policies on over 20,000 websites. The tool was able to determine whether websites required minimum password lengths, blocked common passwords, and adhered to other best practices.
Among the key takeaways from the study:
- Over half of the websites studied allowed passwords with six characters or less, falling short of the recommended eight-character minimum.
- A shocking 12% of websites lacked any password length requirements whatsoever.
- An alarming 30% of websites did not support spaces or special characters, limiting the complexity of passwords.
- Only a meager 28% of websites enforced a password block list, failing to safeguard against common password attacks.
The findings are alarming, as they suggest that a significant portion of the internet is at risk of being compromised by cybercriminals. Weak passwords are a major security vulnerability, as they can be easily guessed or cracked using brute-force attacks.
The study also found that many websites are still using outdated password requirements, such as those that require complex characters. These requirements are often ineffective and can make it difficult for users to create strong passwords.
“Our findings show that there is a lot of room for improvement when it comes to password security on the web,” said Li. “We urge website owners to take steps to strengthen their password policies to protect their users from cyberattacks.”
The researchers recommend that websites require minimum password lengths of eight characters, block common passwords, and allow users to use a variety of characters, including spaces and special symbols. They also recommend that websites use password managers to help users create and manage strong passwords.
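The recommended policy described above, as an added example that is not the study's own assessment tool: a small policy audit that flags the four shortcomings the study measured, beside a password check that enforces the recommended policy. The block list is a constructed sample and the `PasswordPolicy` fields are assumptions for illustration.

```python
# Added example, not code from the Georgia Tech study. Audits a site's password
# policy against the study's criteria and validates candidates against the
# recommended policy. The block list below is a constructed sample only.
from dataclasses import dataclass

# Constructed sample; a real deployment would load a large breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "admin"}


@dataclass(frozen=True)
class PasswordPolicy:          # hypothetical description of one site's policy
    min_length: int            # 0 means no length requirement at all
    allows_spaces: bool
    allows_special: bool
    has_block_list: bool


RECOMMENDED = PasswordPolicy(min_length=8, allows_spaces=True,
                             allows_special=True, has_block_list=True)


def audit_policy(policy: PasswordPolicy) -> list[str]:
    """Return the shortcomings the study measured for one site's policy."""
    findings = []
    if policy.min_length == 0:
        findings.append("no minimum length requirement")
    elif policy.min_length < 8:
        findings.append(f"minimum length {policy.min_length} is below the recommended 8")
    if not policy.allows_spaces or not policy.allows_special:
        findings.append("spaces or special characters are not accepted")
    if not policy.has_block_list:
        findings.append("no block list of common passwords")
    return findings


def check_password(candidate: str, policy: PasswordPolicy = RECOMMENDED) -> list[str]:
    """Return reasons a candidate fails the policy; an empty list means accepted."""
    reasons = []
    if len(candidate) < policy.min_length:
        reasons.append(f"shorter than {policy.min_length} characters")
    if not policy.allows_spaces and " " in candidate:
        reasons.append("spaces not allowed")
    # "special" here means any character that is neither alphanumeric nor a space
    if not policy.allows_special and any(not c.isalnum() and c != " " for c in candidate):
        reasons.append("special characters not allowed")
    # Block-list comparison is case-insensitive so "Password" is caught as well
    if policy.has_block_list and candidate.lower() in COMMON_PASSWORDS:
        reasons.append("matches a commonly used password")
    return reasons
```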
The study’s findings were presented at the ACM Conference on Computer and Communications Security (CCS) in Copenhagen, Denmark, in November 2023.