Three out of four of the world’s most popular websites are failing to meet minimum requirement standards and allowing tens of millions of users to create weak passwords, according to a new Georgia Tech cybersecurity study that examines the current state of password policies across the internet.

Using a newly created automated tool that can assess a website’s password creation policies, researchers discovered that 12 percent of websites completely lacked password length requirements.

Assistant Professor Frank Li and Ph.D. student Suood Al Roomi in Georgia Tech’s School of Cybersecurity and Privacy created the automated assessment tool to explore all sites in the Google Chrome User Experience Report (CrUX), a database of one million websites and pages.

Li and Al Roomi’s method of inferring password policies succeeded on over 20,000 sites in the database and showed that many sites permit very short passwords, don’t block common passwords and still impose outdated requirements such as mandatory character-complexity rules.

Only a few websites follow standard guidelines fully, while most stick to outdated guidelines from 2004, the researchers found.

The project was 135 times larger than previous works that relied on manual methods and smaller sample sizes.

More than half of the websites in the study accepted passwords of six characters or fewer, and 75 percent failed to require the recommended eight-character minimum. Around 12 percent had no length requirement at all, and 30 percent did not support spaces or special characters.

Just 28 percent of the websites studied enforced a password block list, leaving thousands of sites exposed to attackers who try common passwords against many user accounts, a technique known as password spraying.

“Both Professor Li and I were excited to take on the challenge,” said Al Roomi. “With his guidance and our continuous work on both algorithm design and the measurement technique, we were able to fully develop an automated measurement of password creation policy and apply it at scale.”

Al Roomi and Li designed an algorithm that automatically determines a website’s password policy. With the help of machine learning, the pair could see the consistency of length requirements and restrictions for numbers, upper- and lower-case letters, special symbols, combinations, and starting letters. They could also see if sites permitted dictionary words or known breached passwords.
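To make the contrast the study draws concrete, here is an added example (not the researchers' tool or code) that puts a 2004-style composition policy beside a modern length-plus-block-list policy of the kind the recommended eight-character minimum and block-list findings refer to. The block list is a constructed sample, not a breach corpus.

```python
# Added illustration, not code from the Georgia Tech study. Two password
# creation policies side by side: "legacy" follows the 2004-era composition
# rules the article calls outdated; "modern" follows current guidance:
# 8+ characters, spaces and special characters allowed, and a block list of
# common/breached passwords checked regardless of character mix.
import string

# Constructed sample block list; a real deployment would use a breach corpus.
SAMPLE_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def legacy_policy(pw):
    """Composition-based policy: 6+ chars, one upper, one lower, one digit,
    no spaces. Accepts short guessable strings, rejects long passphrases."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if " " in pw:
        problems.append("spaces not supported")
    return (not problems, problems)


def modern_policy(pw, blocklist=SAMPLE_BLOCKLIST):
    """Length plus block list: 8+ characters, any characters including
    spaces, and rejection of known-weak passwords. No composition rules."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    normalised = pw.strip().lower()
    # Strip trailing digits/symbols so trivial variants such as
    # "Password123!" are matched against the block list as "password".
    core = normalised.rstrip(string.digits + string.punctuation)
    if normalised in blocklist or core in blocklist:
        problems.append("matches a known weak password")
    return (not problems, problems)


def compare(pw):
    """Return which of the two policies would accept the candidate."""
    return {"legacy": legacy_policy(pw)[0], "modern": modern_policy(pw)[0]}


if __name__ == "__main__":
    for candidate in ["Pass123", "Password123!", "correct horse battery staple"]:
        print(repr(candidate), compare(candidate))
```

The legacy rules accept "Pass123" and "Password123!" while rejecting the long passphrase; the modern rules do the reverse, which is the mismatch the study measured at scale.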

“As a security community, we’ve identified and developed various solutions and best practices for improving internet and web security,” said Li. “It’s crucial that we investigate whether those solutions or guidelines are actually adopted in practice to understand whether security is improving in reality.”

The project began during the height of the pandemic, when Al Roomi found a gap in the research literature on website password policies. Through his reading, he found that the prevailing view among researchers was that a large-scale survey of password policies was not feasible because of the variety of web designs.

“It was exciting to see an identified challenge in the literature and to develop and apply a vision we turned into the measurement tool,” said Al Roomi.