Research: poor password practices hurt security for all

In a paper presented at the Workshop on the Economics of Information Security in Cambridge, Massachusetts, Joseph Bonneau and Soren Preibusch asserted that:
Attackers can use low-security Web sites such as news outlets to figure out passwords associated with certain e-mail addresses, and then use those passwords to access accounts at higher-security sites such as e-commerce vendors.

In an effort that the researchers said is the largest empirical investigation into password implementations to date, they collected data from 150 web sites and found widespread "questionable design choices, inconsistencies, and indisputable mistakes," according to Bonneau and Preibusch.

The researchers seemed disinclined to blame users for re-using passwords or making them easy to guess, arguing that most users have too many online accounts to manage them all securely.

"Sites' decisions to collect passwords can be viewed as a tragedy of the commons, with competing Web sites collectively depleting users' capacity to remember secure passwords," they wrote.

The large majority -- 78 percent -- of sites examined failed to provide users with feedback or advice on choosing a strong password. Only five sites let the user register password hints, a strategy that will encourage users to come up with stronger passwords.

Just seven sites required users to mix numbers and letters, and only two demanded that passwords include non-alphanumeric characters as well.

Read the full article at: http://www.pcworld.com/businesscenter/article/198207/researchers_poor_pa...

Research paper: The password thicket: technical and market failures in human authentication on the web
http://preibusch.de/publications/password_market/