A Spark is Enough in a Straw World: a Study of Websites Password Management in the Wild
Simone Raponi, Roberto Di Pietro

TL;DR
This paper analyzes the security of password recovery mechanisms in top websites, revealing widespread vulnerabilities and proposing countermeasures to improve compliance and security.
Contribution
It provides a comprehensive survey of password recovery methods, models attacker capabilities, and evaluates real-world website vulnerabilities, offering practical recommendations.
Findings
25% of analyzed websites have critical vulnerabilities
44% of websites exhibit some form of vulnerability
Most websites are non-compliant with GDPR regulations
Abstract
The widespread use of password authentication on online websites raises an ever-increasing concern, especially when considering the possibility for an attacker to recover a user's password by leveraging loopholes in the password recovery mechanisms. Indeed, if a website adopts a poor password management system, that choice renders useless even the most robust password chosen by its users. In this paper, we first provide a survey of currently adopted password recovery mechanisms. Later, we model an attacker with different capabilities and show how current password recovery mechanisms can be exploited under our attacker model. Then, we provide a thorough analysis of the password management of some of the Alexa top 200 websites in different countries, including England, France, Germany, Spain and Italy. Of these 1,000 websites, 722 do not require authentication -- and hence are…
