Measuring Website Password Creation Policies At Scale
Suood Alroomi, Frank Li

TL;DR
This paper introduces an automated method to analyze password creation policies across over 20,000 websites, revealing prevalent practices and areas for security improvement at an unprecedented scale.
Contribution
It presents the first large-scale, automated approach to measure website password policies, vastly expanding the scope beyond prior manual and limited studies.
Findings
Identifies common password policies used by websites
Highlights potential causes of weak password policies
Provides insights for improving web authentication practices
Abstract
Researchers have extensively explored how password creation policies influence the security and usability of user-chosen passwords, producing evidence-based policy guidelines. However, for web authentication to improve in practice, websites must actually implement these recommendations. To date, there has been limited investigation into what password creation policies are actually deployed by sites. Existing works are mostly dated and all studies relied on manual evaluations, assessing a small set of sites (at most 150, skewed towards top sites). Thus, we lack a broad understanding of the password policies used today. In this paper, we develop an automated technique for inferring a website's password creation policy, and apply it at scale to measure the policies of over 20K sites, over two orders of magnitude (135x) more sites than prior work. Our findings identify the common policies…
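The abstract only says that the policy-inference technique is automated; it does not describe how it works, and the paper's own method is not reproduced here. As an added illustration (not the paper's code), the block below shows the simplest black-box approach a practitioner might start from: submit crafted probe passwords to a signup form and treat accept/reject as an oracle. The "site" is a constructed in-memory validator standing in for a real registration endpoint, and the policy model (length bounds plus required character classes) is an assumption of this sketch; it deliberately does not model breached-password checks, dictionary rules, or "k of n classes" rules, and the comments note where that would mislead it.

```python
"""
Added illustration (not the paper's technique): infer a site's password
creation policy by black-box probing with crafted passwords.

The "site" is a constructed in-memory validator standing in for a real
signup form; the probing logic is a generic differential-testing sketch.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Assumed policy model: length bounds plus a set of required character classes.
CLASSES = ["upper", "lower", "digit", "symbol"]
SAMPLE = {"upper": "A", "lower": "a", "digit": "1", "symbol": "!"}
PATTERNS = {"upper": r"[A-Z]", "lower": r"[a-z]", "digit": r"[0-9]",
            "symbol": r"[^A-Za-z0-9]"}


@dataclass(frozen=True)
class Policy:
    min_len: int
    max_len: Optional[int]   # None means no upper bound was detected
    required: frozenset      # subset of CLASSES that must each appear


def make_site(policy: Policy) -> Callable[[str], bool]:
    """Constructed stand-in for a signup form: True if `pw` would be accepted."""
    def accepts(pw: str) -> bool:
        if len(pw) < policy.min_len:
            return False
        if policy.max_len is not None and len(pw) > policy.max_len:
            return False
        return all(re.search(PATTERNS[c], pw) for c in policy.required)
    return accepts


def build(length: int, classes: List[str]) -> str:
    """Probe password of exactly `length` characters cycling through `classes`."""
    return "".join(SAMPLE[classes[i % len(classes)]] for i in range(length))


def infer_policy(accepts: Callable[[str], bool], max_probe_len: int = 128) -> Policy:
    # 1. Baseline: the shortest accepted probe that contains every class.
    base_len = next((n for n in range(1, max_probe_len + 1)
                     if accepts(build(n, CLASSES))), None)
    if base_len is None:
        raise ValueError("no probe accepted; the site enforces rules this sketch does not model")

    # 2. Class requirements: drop one class at a time while holding length fixed.
    #    Caveat: a "3 of 4 classes" rule would look like no class is required.
    required = frozenset(
        c for c in CLASSES
        if not accepts(build(base_len, [x for x in CLASSES if x != c]))
    )

    # 3. Minimum length, probing with only the required classes (all if none).
    #    The inferred value is max(true minimum, number of required classes),
    #    since a shorter probe cannot contain every required class.
    probe_classes = [c for c in CLASSES if c in required] or CLASSES
    min_len = next(n for n in range(1, base_len + 1)
                   if accepts(build(n, probe_classes)))

    # 4. Maximum length: grow until the first rejection, or give up at max_probe_len.
    #    Caveat: a site that rejects repeated patterns would be misread as a length cap.
    max_len = None
    for n in range(min_len + 1, max_probe_len + 1):
        if not accepts(build(n, probe_classes)):
            max_len = n - 1
            break
    return Policy(min_len, max_len, required)


if __name__ == "__main__":
    site = make_site(Policy(8, 64, frozenset({"upper", "digit"})))
    print(infer_policy(site))
```

Against a real site each `accepts` call is an HTTP round trip to the registration form, so the probe budget (a few dozen requests per site here) is the quantity to watch, and rate limiting, CAPTCHAs, and client-side validation that differs from the server's are the usual reasons a naive oracle of this kind returns wrong answers.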
