The big password policy review

The password policy. That collection of arbitrary rules that defines what we can and can’t do when specifying a password. We’ve all seen them.

A swarm of differing password policies

We all love password policies because they are here to help. Here to educate us and guide us all into better and safer security practices.  Here to show us all what good looks like when it comes to online security. Here to keep us all safe.

Well, that’s the theory. So we thought we’d put it to the test. To get a better handle on the subject, we conducted an audit of the password policies of some of the English-speaking world’s most popular websites – 350-ish in total.

Here’s what we found.

Consistency. Or lack thereof.

When it comes to password policy, there is little or no consistency. It’s the wild west out there. There is no such thing as a policy standard, and there’s considerable variation in the demands of each policy. Some require 8 characters, others 6. Some are fine with just ‘characters’. Others require a mix of specific character types – one uppercase letter, one special character. Some even check that you’ve not used your phone number or your user ID in there somewhere. It’s frankly a mess, different at every turn. For us mortals at the sharp end, we just have to deal with them individually as we find them.

How many ways is it possible to ask for a ‘6 character minimum’?

  1. "Password" must be at least 6 characters in length
  2. At least 6 characters
  3. Minimum 6 characters
  4. Minimum is 6 characters
  5. Minimum of 6 characters
  6. Must be 6 characters
  7. Must be 6 letters long
  8. Must be at least 6 characters
  9. Must contain 6 characters
  10. Password (6-character minimum)
  11. Password has to be at least 6 characters
  12. Password length must be minimum 6 characters
  13. Password must be 6 characters long
  14. Password must be at least 6 characters long
  15. Password must be minimum 6 characters
  16. Passwords must be at least 6 characters in length
  17. Password must contain at least six characters
  18. Passwords must have at least 6 characters
  19. Passwords need to be at least 6 characters
  20. You must enter a password of six or more characters
  21. Your password must be at least 6 characters
  22. Your password must be at least 6 characters long
  23. Your password should be at least 6 characters

Quite a few, as it turns out.

Consistency is not the password policy’s strong suit. In fact, the only evidence of consistency that we could find was in the fact that one in four websites don’t even bother to tell their users what the policy is, until they break it.

From here, we’ll look at how some of the world’s most popular websites have implemented the two most common aspects of policy:

  1. Minimum password length
  2. Password composition

Minimum password length

Of the 350 or so websites that we audited, we found twelve that will merrily accept a single character password. On these sites ‘!’ would be permitted as a valid password. Whilst the majority were largely concentrated in the Shopping category, Match.com was the standout in terms of overall popularity. In 2016, Match.com is in the 1,000 most visited sites in the world.

But single character passwords are the exception. Most policies require either six or eight characters. In fact, four out of five sites visited required either six or eight characters in their passwords.

This is interesting because most of our actual passwords sit within this range too, i.e. between six and eight characters in length. We know this to be the case from analysis of various large-scale website hacks that have happened over the years. You can see below that six and eight character passwords were our most popular choices in nearly all of the websites analysed.

Six and eight character passwords are our favs

So what’s going on here? Coincidence?

It’s tempting to think that we are all interpreting the password policy as the password recipe, i.e. something that should be followed to the letter rather than taken as a piece of good advice. If it says ‘6 character minimum’, then 6 characters it is. No more. No less. It’s almost like folks are trusting the password policy to be secure, in the same way that they might lean on the railings of a fourth floor balcony trusting that they won’t come unhinged. If it says 6 characters, then I’m going to be safe with 6 characters, right?

FUN FACT: The average minimum password length requirement is 6.4 characters.

The World’s Worst Password (WWP)

The world’s worst password can be generated by positioning your finger on your keyboard’s ‘1’ key, and then moving right along the numbers until you hit the minimum password length requirement. For a site requiring a minimum of 6 characters in the password:

The WWP is ‘123456’

Why is this password so bad? Simply because it is the most commonly used password in the English-speaking world. As such, it is the most predictable and will be the first one anyone tries if they want to break into your stuff. A predictable password is not really a password at all. It’s more like a massive risk and a big fat waste of your time. So ‘123456’ is about as bad as it gets.

Given that pretty much everybody in the security business knows that this password is to be avoided at all costs, what percentage of the world’s finest and most visited websites actually permit the WWP?

The answer is 56%

More than half. More than half of all of the websites that we reviewed will happily let you, and everyone else, create and use the world’s most insecure password to ‘secure’ an account.

The fewer characters the minimum password length dictates, the better your chances of being permitted to use the WWP

Support for the WWP varies in accordance with the minimum password length. Nearly all websites requiring a 4 character password will let you get away with '1234', and three quarters of all websites requiring a 6 character password will allow '123456'. This recklessness begins to trail off as we move up the password policy food-chain. By the time we hit an 8 character minimum, less than one in five websites will let you use '12345678'. In short, the longer the minimum password length, the less likely you are to be able to use the WWP.

Top website categories allowing the world’s worst passwords

Support for the WWP varies also by website category. Worst performers are websites in the Fashion, News, Reference, Shopping and Society categories, where you’ve got a pretty good (3 in 4) chance of being able to login with the WWP.

Password Composition

Strong passwords comprise four different character types - uppercase and lowercase letters, numbers and symbols. Are strong passwords enforced by password policies?

Yeah. There's a rounding error. But nonetheless, 90% of sites are happy with one or two character types in your password

No, they are not. Only 1% of policies surveyed insist on strong passwords. 60% of policies don’t check the password composition at all. On those sites, you’re free to tap in pretty much anything, including the WWP. Slightly more secure, 30% of surveyed sites require two character types – usually lowercase letters and numbers. A final 10% require a mix of three types.

The problem with password policies

Here’s the thing with password policies. Normal folk don’t have the time or the inclination to work out what safe and secure looks like when it comes to passwords. This was hopefully one of the design intentions of the password policy when it was first conceived - to help guide non-technical folk into making the right decisions when picking a password to secure their account. Unfortunately, in a great many cases, this just isn’t happening. The glib statement ‘Must be at least 6 characters’ is not great security advice and is not helping anyone to work out what good actually looks like in a password.

As well as not serving any educational purpose whatsoever, the password policy is failing to improve our overall levels of online security. This is because no amount of password policies are going to change human nature, and our love of the easy life. We have shown time and time again that we prefer convenience over security. We like the convenience of being able to trot out a password the instant that one is required. This necessitates that we memorise all of our passwords. But the workings and limitations of the human memory mean that our passwords have to be of a particular type in order to make it into our long term memory – our passwords have to be personally relevant and familiar. But using personal and familiar passwords puts us at risk because they can usually be easily guessed. This is why the password policy isn’t doing a great job. It was set up to fail. As long as we prioritise convenience over security, we are going to prefer to use memorable passwords. So we are going to take our personal and familiar passwords and tweak them in very predictable ways in order to comply with the password policy du jour.

Capitalising the first letter and tacking on a memorable number turns your old ‘mittens’ password into ‘Mittens2016’, which now readily complies with the majority of password policies, but remains no more secure than the original. Why? Because everyone knows that we tend to capitalise the first letter of our password and add easy-to-remember numbers on the end when required to comply with policy. Personally memorable? Yes. Secure? Not even close.
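As an added example (not code from the Password Coach e-book), the following Python sketches the checks a site could run behind its policy to close the gaps described above: generating the WWP for a given minimum length, counting the four character types, and flagging the ‘Mittens2016’ tweak pattern against a small constructed list of common base words that stands in for a real breach-derived list.

```python
import re
import string

# Constructed stand-in for a breach-derived list of common base passwords;
# the article's 'mittens' example is included on purpose.
COMMON_BASES = {"password", "mittens", "qwerty", "letmein", "welcome"}


def worlds_worst_password(min_length: int) -> str:
    """The article's WWP: start on the '1' key and move right along the
    number row until the minimum length is reached ('123456' for 6)."""
    return "1234567890"[:min_length]


def character_types(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, symbol) appear."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def is_predictable_tweak(password: str) -> bool:
    """Detect the 'Mittens2016' pattern: a common base word, optionally with
    its first letter capitalised, plus digits and/or one symbol on the end."""
    m = re.fullmatch(r"([A-Za-z]+)[0-9]*[^A-Za-z0-9]?", password)
    return bool(m) and m.group(1).lower() in COMMON_BASES


def check_password(password: str, min_length: int = 6, min_types: int = 1) -> list[str]:
    """Return the list of policy failures; an empty list means accepted."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    # Reject '1234', '123456', '12345678', ... regardless of the minimum.
    if password and password == worlds_worst_password(len(password)):
        failures.append("matches the world's-worst-password digit sequence")
    if character_types(password) < min_types:
        failures.append(f"fewer than {min_types} character types")
    if is_predictable_tweak(password):
        failures.append("common word with a capital and a number tacked on")
    return failures
```

With the defaults (6 characters, one type) a bare ‘!’ fails only on length, ‘123456’ fails only on the WWP check, and ‘Mittens2016’ is rejected even with a three-type composition rule.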

So we’ve seen that the majority of the password policies on some of the most popular websites anywhere aren’t particularly effective at encouraging better security. More than half of all websites reviewed will unflinchingly allow us to ‘secure’ our accounts with ‘123456’ and ‘12345678’. And we’ve seen that there are no standards or consistency when it comes to the formulation and presentation of policies. The whole thing feels like a missed opportunity. The chance to use the password policy to educate the non-technical majority into what constitutes good security practice seems to have been missed. Instead, we’ve just confused everyone and forced them to tweak their insecure passwords into equally insecure passwords, with a capital letter at the start and a number at the end.

Was it really worth the bother?


Excerpt from the free Password Coach e-book