Evaluating Password Composition Policy and Password Meters of Popular Websites

Kyungchan Lim, Joshua H Kang, Matthew Dixson, Hyungjoon Koo, and Doowon Kim

Abstract
Password-based authentication is one of the most commonly adopted mechanisms for online security. Choosing strong passwords is crucial for protecting one's digital identities and assets, because weak passwords are readily guessable and lead to compromises such as unauthorized account access. To promote the use of strong passwords on the Web, the National Institute of Standards and Technology (NIST) provides website administrators with password composition policy (PCP) guidelines. We manually inspect 100 popular websites to check whether their password policies conform to NIST's PCP guidelines, generating passwords that meet each criterion and submitting them to each site. Our findings reveal that a considerable number of websites (on average, 53.5%) do not comply with the guidelines, which could result in password breaches.
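The probing approach the abstract describes can be expressed as a small harness: for each guideline criterion, construct a password that should be accepted (or rejected) and observe what the site's policy does with it. The following is an added example, not code from the paper or its artifacts. The criteria are this editor's distillation of NIST SP 800-63B's memorized-secret rules (minimum 8 characters, at least 64 allowed, spaces and all printable ASCII and Unicode accepted, no composition rules, blocklist of breached passwords); the paper's own criterion list is not reproduced on this page. The two policy functions and the tiny blocklist are constructed stand-ins for a real site's server-side check.

```python
"""Probe a password-acceptance policy against NIST SP 800-63B criteria.

Added example. A real harness would replace `policy` with a function that
submits the candidate to a registration form and reports acceptance.
"""
import string

# Constructed stand-in for a breached-password blocklist (NIST requires
# comparison against such a list; real lists have millions of entries).
BREACHED = {"Password123", "qwerty123", "letmein1"}

# Each probe is (criterion, check). The check receives the policy and
# returns True when the policy behaves as the guideline requires.
PROBES = [
    ("accepts exactly 8 characters",
     lambda p: p("Tr0ub4do")),
    ("rejects fewer than 8 characters",
     lambda p: not p("Tr0ub4d")),
    ("accepts 64 characters",
     lambda p: p("x" * 64)),
    ("accepts spaces",
     lambda p: p("correct horse battery staple")),
    ("accepts every printable ASCII punctuation character",
     lambda p: all(p("Tr0ub4do" + c) for c in string.punctuation)),
    ("accepts Unicode",
     lambda p: p("pässwörd-日本語")),
    ("imposes no composition rules (long all-lowercase secret)",
     lambda p: p("lowercaseonlysecret")),
    ("rejects a known-breached password",
     lambda p: not p("Password123")),
]


def compliant_policy(pw: str) -> bool:
    """Constructed policy that follows SP 800-63B: length and blocklist only."""
    return 8 <= len(pw) <= 128 and pw not in BREACHED


def legacy_policy(pw: str) -> bool:
    """Constructed policy typical of sites that fail several criteria:
    short maximum length, ASCII only, no spaces, forced upper+digit mix."""
    if not 6 <= len(pw) <= 16:
        return False
    if " " in pw or not pw.isascii():
        return False
    if not any(c.isupper() for c in pw) or not any(c.isdigit() for c in pw):
        return False
    return True


def evaluate(policy) -> dict:
    """Map each criterion to whether `policy` satisfies it."""
    return {name: bool(check(policy)) for name, check in PROBES}


def failed_criteria(policy) -> list:
    """Criteria the policy violates, in probe order."""
    return [name for name, ok in evaluate(policy).items() if not ok]


def noncompliance_rate(policy) -> float:
    """Fraction of criteria violated (0.0 means fully compliant)."""
    return len(failed_criteria(policy)) / len(PROBES)


if __name__ == "__main__":
    for name, policy in (("compliant", compliant_policy), ("legacy", legacy_policy)):
        print(f"{name}: {noncompliance_rate(policy):.0%} of criteria violated")
        for crit in failed_criteria(policy):
            print(f"  FAIL: {crit}")
```

Running the script lists the criteria each constructed policy violates; the legacy policy fails six of the eight probes, while the length-plus-blocklist policy passes all of them. Against a live site the checks would be driven by submitting each probe password through the registration flow rather than calling a local function.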

Reference
Kyungchan Lim, Joshua H Kang, Matthew Dixson, Hyungjoon Koo, and Doowon Kim. 2023. Evaluating password composition policy and password meters of popular websites. In Proceedings of the 4th SecWeb Workshop. IEEE.

Downloads