The Password Thicket: Technical and Market Failures in Human Authentication on the Web
The authors report the results of the first large-scale empirical analysis of password implementations deployed on the Internet. Their study covered 150 websites that offer free user accounts for a variety of purposes, including the most popular destinations on the web and a random sample of e-commerce, news, and communication websites. Although every site evaluated relied on user-chosen textual passwords for authentication, the authors found many subtle but important technical variations in implementation, with significant security implications. Many poor practices were commonplace, such as a lack of encryption to protect passwords in transit, storage of clear-text passwords in server databases, and little protection against brute-force guessing attacks.
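As an added illustration, not taken from the paper or from any site it surveyed, the following Python sketch contrasts two of the practices the study flags: a store that keeps clear-text passwords beside one that keeps a per-user salted PBKDF2 hash and throttles repeated failures. The iteration count, lockout threshold and lockout duration are assumptions chosen for this demo.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000   # assumption: work factor picked for this demo
MAX_FAILURES = 5              # assumption: failed attempts before a temporary lock
LOCKOUT_SECONDS = 300         # assumption: how long the lock lasts


class CleartextStore:
    """The anti-pattern the study reports: the database holds the password itself."""
    def __init__(self):
        self.users = {}

    def register(self, user, password):
        self.users[user] = password

    def verify(self, user, password):
        return self.users.get(user) == password


class HashedStore:
    """Salted, iterated hash per user plus a failure counter to slow online guessing."""
    def __init__(self, now=time.monotonic):
        self.users = {}
        self.now = now   # injectable clock so the lockout can be tested offline

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)   # fresh random salt: equal passwords get different hashes
        self.users[user] = {"salt": salt, "hash": self._derive(password, salt),
                            "failures": 0, "locked_until": 0.0}

    def verify(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            self._derive(password, b"\x00" * 16)   # same cost for unknown users
            return False
        if self.now() < rec["locked_until"]:
            return False   # account is temporarily locked after repeated failures
        ok = hmac.compare_digest(self._derive(password, rec["salt"]), rec["hash"])
        if ok:
            rec["failures"] = 0
        else:
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILURES:
                rec["locked_until"] = self.now() + LOCKOUT_SECONDS
                rec["failures"] = 0
        return ok
```

A dump of `HashedStore.users` exposes only salts and hashes, whereas a dump of `CleartextStore.users` exposes every password directly.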