Largest study of its kind shows outdated password practices are putting millions at risk

Three out of four of the world's most popular websites are putting tens of millions of users and their data at risk by failing to meet minimum password requirement standards.

The findings are part of a new Georgia Tech cybersecurity study that examines the current state of password policies across the internet.

Using a first-of-its-kind automated tool that can assess a website's password creation policies, researchers also discovered that 12% of websites completely lacked password length requirements.

Assistant Professor Frank Li and Ph.D. student Suood Al Roomi in Georgia Tech's School of Cybersecurity and Privacy created the automated assessment tool to explore the Google Chrome User Experience Report (CrUX), a database of 1 million websites and pages.

The study is based on 20,000 randomly sampled websites from the CrUX database and showed that many sites:

• Permit very short passwords.
• Do not block common passwords.
• Use ...