An Empirical Study of Password Policy Compliance
Cover - CISSE Volume 10, Issue 1

Keywords

password creation
password management
compliance scorecard
NIST SP 800-63-3

How to Cite

An Empirical Study of Password Policy Compliance. (2023). Journal of The Colloquium for Information Systems Security Education, 10(1), 8. https://doi.org/10.53735/cisse.v10i1.156

Abstract

Cybersecurity exploits that take advantage of weak passwords continue to succeed in virtually every industry. This motivates interest in empirically determining the extent to which websites that invite visitors to create new user accounts encourage or require better password management practices, including strong passwords. This project examined a statistically significant sample of websites to assess how closely they voluntarily adhere to the National Institute of Standards and Technology's authoritative guidance on password policies. Over 100 representative websites were selected from the industries that consistently report the most breaches in the Verizon Data Breach Investigations Report. Their user account creation processes were assessed with a scorecard approach based on observations collected while following standardized experimental procedures. Scorecard data were then aggregated and analyzed for trends. The findings highlight potential vulnerabilities that persist in online account password creation practices, leaving many websites susceptible to brute-force attacks because of cyber hygiene lapses. Recommendations to remediate compliance gaps and to build on this work include refining the proposed scorecard, creating and using standardized user registration and profile manager plugins, widely adopting user-friendly password management tools, and enacting tougher legal consequences for website hosts when breaches occur.
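As an added illustration of what a compliance scorecard against NIST's memorized-secret guidance can look like, the following Python is example code written for this page; it is not the study's own scorecard, criteria or weighting. The criteria and their SHALL/SHOULD levels follow NIST SP 800-63B section 5.1.1.2 (the authentication volume of SP 800-63-3); the `PasswordPolicy` field names, the one-point-per-criterion weighting, the sample "legacy site" policy and the constructed common-password list are this example's assumptions.

```python
"""Illustrative password-policy scorecard modelled on NIST SP 800-63B section 5.1.1.2.

Added example, not the paper's scorecard or code. The criteria and their SHALL/SHOULD
levels are taken from SP 800-63B's memorized-secret requirements; the equal weighting,
the PasswordPolicy field names and the sample site policy below are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Iterable
import unicodedata


@dataclass
class PasswordPolicy:
    """What an assessor can observe about a site's registration password rules
    (field names are this example's own, not NIST terminology)."""
    min_length: int              # shortest user-chosen password accepted
    max_length: int              # longest password accepted
    accepts_all_printable: bool  # printing ASCII, space and Unicode all allowed
    screens_compromised: bool    # compares against a commonly-used/breached list
    composition_rules: bool      # e.g. "must contain a digit and a symbol"
    periodic_rotation: bool      # forces change without evidence of compromise
    allows_paste: bool           # does not block paste into the password field
    rate_limits_failures: bool   # throttles online guessing (SP 800-63B 5.2.2)
    strength_meter: bool         # offers guidance such as a strength meter


# (criterion, test, normative level). A SHALL miss is a compliance failure;
# a SHOULD miss only lowers the score.
CRITERIA: list[tuple[str, Callable[[PasswordPolicy], bool], str]] = [
    ("minimum length of at least 8 characters", lambda p: p.min_length >= 8, "SHALL"),
    ("permits at least 64 characters", lambda p: p.max_length >= 64, "SHOULD"),
    ("accepts all printing ASCII, space and Unicode", lambda p: p.accepts_all_printable, "SHOULD"),
    ("screens against compromised/common-password list", lambda p: p.screens_compromised, "SHALL"),
    ("imposes no composition rules", lambda p: not p.composition_rules, "SHOULD"),
    ("does not require arbitrary periodic change", lambda p: not p.periodic_rotation, "SHOULD"),
    ("permits paste", lambda p: p.allows_paste, "SHOULD"),
    ("rate-limits failed authentication attempts", lambda p: p.rate_limits_failures, "SHALL"),
    ("offers a password strength meter", lambda p: p.strength_meter, "SHOULD"),
]


def score_policy(policy: PasswordPolicy) -> dict:
    """Return the scorecard: points earned, points possible, and the missed criteria
    split by normative level so SHALL misses stand out from SHOULD misses."""
    earned, shall_misses, should_misses = 0, [], []
    for label, test, level in CRITERIA:
        if test(policy):
            earned += 1
        elif level == "SHALL":
            shall_misses.append(label)
        else:
            should_misses.append(label)
    return {
        "score": earned,
        "possible": len(CRITERIA),
        "compliant": not shall_misses,  # every SHALL-level criterion met
        "shall_misses": shall_misses,
        "should_misses": should_misses,
    }


def nist_accepts(candidate: str, compromised: Iterable[str]) -> tuple[bool, str]:
    """Acceptance rule an SP 800-63B-aligned verifier applies at registration:
    a length floor, a generous ceiling, any printing character, a blocklist
    comparison, and deliberately no composition rules."""
    # SP 800-63B requires Unicode normalisation (NFKC or NFKD) before the secret is
    # hashed; normalise here so the blocklist comparison sees the same form.
    candidate = unicodedata.normalize("NFKC", candidate)
    if len(candidate) < 8:
        return False, "shorter than 8 characters"
    if len(candidate) > 64:  # 64 is the minimum ceiling; a verifier may allow more
        return False, "longer than the 64-character limit this verifier allows"
    if any(not ch.isprintable() for ch in candidate):  # space counts as printable
        return False, "contains non-printing characters"
    blocklist = {unicodedata.normalize("NFKC", c) for c in compromised}
    if candidate in blocklist:
        return False, "appears on the compromised/common-password list"
    return True, "accepted"


# Constructed sample: a site still running a legacy "8-16 characters, must include a
# symbol, change every 90 days, no paste" policy. Not a real site.
LEGACY_SITE = PasswordPolicy(
    min_length=8, max_length=16, accepts_all_printable=False, screens_compromised=False,
    composition_rules=True, periodic_rotation=True, allows_paste=False,
    rate_limits_failures=True, strength_meter=False,
)

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123"}

if __name__ == "__main__":
    card = score_policy(LEGACY_SITE)
    print(f"score {card['score']}/{card['possible']}, compliant={card['compliant']}")
    for label in card["shall_misses"]:
        print("  SHALL miss:", label)
    for label in card["should_misses"]:
        print("  SHOULD miss:", label)
    for pw in ("password1", "short", "correct horse battery staple"):
        print(f"  {pw!r}: {nist_accepts(pw, COMMON_PASSWORDS)}")
```

Note that several SP 800-63B requirements (salted hashing with an approved key derivation function, no unauthenticated retrieval of hints) are not observable from the registration form and so cannot appear on a black-box scorecard of this kind; the sample policy above scores 2 of 9 and fails compliance solely because it never screens candidate passwords against a compromised-password list, which is the one SHALL-level gap an assessor can see from outside.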


Open Access License Notice:

This article is © its author(s) and is licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0). Beginning with Volume 13 (2026), this license is included directly within all published PDFs. For earlier articles, a cover page has been added to indicate the correct licensing terms. Any legacy copyright or pricing statements appearing within the PDF reflect prior print production workflows and do not represent the Journal’s current open access policy. For full details, please see the Journal’s License Terms.