Poor password standards hit web, say researchers

Researchers have warned of harm from a lack of password mechanism standards coupled with reuse of passwords from weak to strong sites

A lack of consistent password security standards damages web security, according to researchers from Cambridge University.

Websites suffer from uneven implementation of password technologies, according to researchers Joseph Bonneau and Sören Preibusch. This security inconsistency problem is compounded by people reusing passwords across multiple sites, as compromise on a weak site could undermine stronger authentication mechanisms on different sites.

The researchers presented an empirical study, which sampled 150 websites, at the WEIS security conference on Monday.

"Many poor [password implementation] practices were commonplace, such as a lack of encryption to protect transmitted passwords, storage of cleartext passwords in server databases, and little protection of passwords from brute force attacks," wrote the researchers.
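As an added example (not from the study or the article), here is the cleartext storage the quote names beside a hardened store that salts and iterates the password hash and throttles repeated failures. It uses a constructed in-memory user table; the iteration count, failure limit and lockout window are assumptions, and the clock is injectable so the lockout can be exercised deterministically.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # assumed work factor; raise as hardware improves
MAX_FAILURES = 5              # assumed online brute-force limit per account
LOCKOUT_SECONDS = 300         # assumed lockout window


class CleartextStore:
    """The weak practice: the password itself sits in the database."""
    def __init__(self):
        self.users = {}

    def register(self, user, password):
        self.users[user] = password

    def verify(self, user, password):
        # A leaked table hands every password (and every reused one) to the attacker.
        return self.users.get(user) == password


class HashedStore:
    """Per-user salt, iterated PBKDF2-HMAC-SHA256, constant-time compare, failure throttle."""
    def __init__(self, now=time.monotonic):
        self.users = {}      # user -> (salt, digest)
        self.failures = {}   # user -> (count, time of first failure in window)
        self.now = now

    def register(self, user, password):
        salt = os.urandom(16)   # fresh salt per user defeats precomputed tables
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.users[user] = (salt, digest)

    def locked(self, user):
        count, first = self.failures.get(user, (0, 0.0))
        return count >= MAX_FAILURES and self.now() - first < LOCKOUT_SECONDS

    def verify(self, user, password):
        if self.locked(user):
            return False   # refuse even a correct guess while locked
        salt, stored = self.users.get(user, (b"", b""))
        # Hash unknown users too, so timing does not reveal which names exist.
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        ok = user in self.users and hmac.compare_digest(candidate, stored)
        if ok:
            self.failures.pop(user, None)
        else:
            count, first = self.failures.get(user, (0, self.now()))
            self.failures[user] = (count + 1, first)
        return ok
```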

Websites with few security incentives, such as content websites, had the worst password security, while websites that included financial transactions had better security, the researchers found.

People have little incentive to remember multiple passwords, meaning that any successful compromise of passwords for weak-security sites will put stronger ones at risk, said the researchers.

Professor Ross Anderson of Cambridge University said that password authentication needs adequate standards. "Most sites reinvent the wheel, and most of them do it badly," wrote Anderson in a Monday blog post.
