Blog: Researchers: Poor Password Practices Hurt Security for All

Researchers: Poor Password Practices Hurt Security for All
IDG News Service (06/07/10) Heichler, Elizabeth

University of Cambridge researchers recently completed a large study of password-protected Web sites and found that a lack of industry standards harms end-user security. Weak implementations of password authentication at low-level sites compromises the protections offered by higher-security sites because individuals reuse passwords, write Cambridge researchers Joseph Bonneau and Soren Preibusch. Attackers can use low-security Web sites such as news outlets to learn passwords associated with specific email addresses, and then use those passwords to access higher-security sites such as e-commerce vendors, Bonneau says. Based on data collected from 150 Web sites, the researchers say they found widespread, poor design choices, inconsistencies, and mistakes. "Sites' decisions to collect passwords can be viewed as a tragedy of the commons, with competing Web sites collectively depleting users' capacity to remember secure passwords," write the researchers. More than 75 percent of sites examined failed to provide users with feedback or advice on choosing a secure password. The researchers also found widespread weaknesses in how passwords are submitted to the server when users log in.

View Full Article