How Top Websites Play a Part in the Epidemic of Weak Passwords

We hear all the time how vital password security is or how to strengthen passwords and yet many popular websites do not encourage their users to create robust passcodes that would be hard to crack. Steve Furnell, an Information Security professor at Plymouth University, has been researching password practices of most popular sites in English over the years and the latest survey he conducted revealed not much has changed since 2007. No doubt, creating conditions in which users would have to come up with more unique passcodes would help in increasing their password security. Therefore, further in this blog post, we will discuss the bad and good practices of password guidance presented in the mentioned research as well as provide you with tips on how to protect your accounts from hacking.

Steve Furnell chose the most popular web pages in English to study their password guidance practices. The sites examined were: Google, Facebook, Wikipedia, Reddit, Yahoo, Amazon, Twitter, Instagram, Microsoft Live and Netflix. To be more precise, the research's goal was to find out how and whether these sites provide guidance when the user creates a new account, decides to change his password or needs to reset it.

It would seem the websites that put the most effort into ensuring their users would create strong passwords are Google, Microsoft Live, and Yahoo. They were among the top three websites with best password guidance practices in 2014 as well. The reason for it is all of the listed sites enforce various restrictions to improve password security. For example, Google and Microsoft Live users have to pick combinations from at least eight characters and Yahoo users must come up with passcodes from seven characters. In comparison Wikipedia users can register by creating a password from any amount of characters, for example, even a single letter might be allowed. Thus, it is no wonder Wikipedia was listed as one of the sites that provide poor password guidance, along with Amazon and Reddit. According to the research results, Amazon and Reddit allow users to choose the word "password" when signing up. This passcode is titled as the worst possible combination by many computer security specialists because it is easy to guess.

Furthermore, it was noticed some of the surveyed websites still do not prevent users from using names or user IDs when creating an account. Also, only a couple of web pages make their users come up with passcodes according to a specific composition, for example, use at least one capital letter or a few numbers. Strangely, while Reddit seems to have poor password creating guidelines, it is the only site that provides a password meter or a tool to check how robust the combination is.

The only improvement noticed during the research was that more sites now offer additional authentication options like Two-Factor authentication, although many of them do not encourage enabling it when creating a new account.

How to strengthen passwords to prevent hacking?

Ensuring password security is crucial if you want to protect your privacy nowadays. Besides data breaches and phishing scams, the other way to obtain someone's password is to crack it. There are tools that can make this process much easier than you might imagine. Cybercriminals do not have to sit all day and guess passwords on their own. The hacking applications they may employ can crack weak passwords by trying out often used password patterns, for example, combinations like password123 or user's name. Therefore, the answer to how to strengthen password is: make it as unique as possible. Most computer security specialists recommend creating long passwords because the more characters they have, the more possible combinations there are and the task could become nearly impossible. Next, to make your password unique, you should use both upper and lower case letters, numbers, and even incorporate some symbols.

On the other hand, it could be easier to pick a dedicated password manager application that would generate robust passcodes and tell you how to strengthen passwords you have already created on your own. Cyclonis Password Manager is free to use, and it provides an easy to use password generator that can generate unique combinations from up to 32 characters. What's more, not only it ensures password security by placing all your passcodes in an encrypted vault, but also has an auto login feature for a faster sign-in process. This way you would not have to remember any of your passwords, except a master password you pick yourself. We even have a blog post full of tips on how to create a strong and yet memorizable master password.

All in all, it seems many popular websites do not see a need to provide password guidance to their users despite knowing weak password are still one of the reasons why some accounts get hijacked. As Steve Furnell said, "much has continued to be written about the failings of passwords and the ways in which we use them, but little is being done to encourage or oblige us to follow the right path." In other words, it is still up to all of us to take care of our password security. Thus, the next time you register on some website, we urge you to remember the tips on how to pick a complex password we just discussed, even though the web page sign up form may not require to do so.

September 12, 2018

Leave a Reply