Study examines websites' password practices

Global IT giants including Amazon and LinkedIn could be doing far more to raise awareness of the need for better password practices among their users.

Analysis by Professor Steve Furnell, Director of the Centre for Security, Communications and Network Research at Plymouth University, looked into the password security controls in place among ten of the world’s most visited websites.

It revealed very few of them give detailed guidance about the importance of providing secure passwords, either when users were creating or updating accounts.

The majority also provided little or no information about the reasons why password protection is important, and while some did make suggestions about best practice, very few went on to enforce their own advice.

Professor Furnell, the Head of Plymouth’s School of Computing and Mathematics, said:

“Many people have numerous password-protected accounts, which collectively end up holding a wealth of sensitive data. For their most crucial accounts, such as online banking, they will often be required to use stronger authentication methods but in other cases, when they have multiple accounts, they often use similar passwords leaving them more vulnerable to potential hackers. This is in large part because related guidance is not being communicated to them on websites but, and perhaps even more crucially, people are not being told the reasons why they need to be secure and why passwords ought to meet certain criteria.”

For the study, carried out in August and published in the latest edition of the Computer Fraud and Security journal, Professor Furnell focussed on ten websites featured in the top 30 places of the global Alexa rankings – Google, Facebook, Yahoo!, Wikipedia, Twitter, Amazon, Microsoft Live, LinkedIn, WordPress.com and Pinterest.

He then examined the advice offered to users when they were creating accounts and changing or resetting passwords, with particular focus on length, alphanumerical inclusion, prevention of guessable choices, and the presence of password strength meters.

It showed that across the ten sites, there were 30 opportunities to provide detailed guidance but only a third of them were taken, with just Google providing advice at each of the sign-up, password change and password reset stages.

This is the third time Professor Furnell has conducted a study of this kind, with previous analyses in 2007 and 2011. Further studies at Plymouth University have also shown users can be encouraged to choose stronger and less obvious passwords if appropriate guidance and support is provided. He added:

“In the seven years of conducting this study, there has not been the level of improvement one might have expected. If these companies and others were to include simple explanations about enhancing password security, and some better enforcement of good practice, the extent of our collective online security could be dramatically improved. In many cases, there is a fear about creating barriers which would stop people signing up to their service. But recent cybersecurity incidents have shown that securing passwords and providing informed guidance has never been more crucial.”

Professor Steve Furnell, Head of Plymouth University’s School of Computing and Mathematics, said:

If these companies and others were to include simple explanations about enhancing password security, and some better enforcement of good practice, the extent of our collective online security could be dramatically improved