A lack of consistent password security standards damages web security, according to researchers from Cambridge University.
Websites suffer from uneven implementation of password technologies, according to researchers Joseph Bonneau and Sören Preibusch. This security inconsistency problem is compounded by people reusing passwords across multiple sites, as compromise on a weak site could undermine stronger authentication mechanisms on different sites.
"Many poor [password implementation] practices were commonplace, such as a lack of encryption to protect transmitted passwords, storage of cleartext passwords in server databases, and little protection of passwords from brute force attacks," wrote the researchers.
Websites with few security incentives, such as content websites, had the worst password security, while websites that included financial transactions had better security, the researchers found.
People have little incentive to remember multiple passwords, meaning that any successful compromise of passwords for weak-security sites will put stronger ones at risk, said the researchers.
Professor Ross Anderson of Cambridge University said that password authentication needs adequate standards. "Most sites reinvent the wheel, and most of them do it badly," wrote Anderson in a Monday blog post.