Leading websites that rely on password-based authentication, including online giants Amazon and LinkedIn, may have gaps in their password security guidance and enforcement, according to a new study.
The majority of the world’s ten most visited websites provide little or no information about password security controls to users when they create accounts or change their passwords, the research found.
The study, ‘Password practices on leading websites – revisited’ by Plymouth University, assessed the authentication practices of the sites, including their password strength requirements, how passwords are used, and what is required to reset them.
“Many people have numerous password-protected accounts, which collectively end up holding a wealth of sensitive data,” said Professor Steven Furnell, director of the Centre for Security, Communications and Network Research at Plymouth University.
“For their most crucial accounts, such as online banking, they will often be required to use stronger authentication methods, but in other cases, when they have multiple accounts, they often use similar passwords, leaving them more vulnerable to potential hackers.”
The selection of the ten websites – Google, Facebook, Yahoo!, Wikipedia, Twitter, Amazon, Microsoft Live, LinkedIn, WordPress.com and Pinterest – was based on the global Alexa rankings.
The analysis looked at whether advice was offered to users when they were creating accounts or changing or resetting passwords, with emphasis on three controls: a minimum length, a required mix of letters and numbers, and the prevention of predictable choices such as dictionary words or common passwords.
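The three controls the study looked for are easy to state but sites frequently implement only one of them. The checker below is an added example written for this article, not code from the Plymouth study or from any of the sites it assessed. It evaluates a candidate password against a minimum length, a character-class mix, and several predictability checks (a blocklist of common passwords with leet-speak and trailing-digit normalisation, keyboard and alphabet sequences, repeated characters, and inclusion of the user's own identifiers), returning the specific reasons for rejection so a signup page can show informed guidance rather than a bare "password too weak". The thresholds, the short blocklist and the keyboard rows are assumptions chosen for illustration; a real deployment would load a large breached-password list instead of a dozen literals.

```python
"""Password policy checker: length, character mix, and predictability.

Added example, not from the study or any site it covers.  Thresholds and the
small blocklist below are illustrative assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample blocklist (assumption): a deployment would use a large
# breached-password set, checked by hash, rather than this short literal list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "monkey", "welcome", "iloveyou", "admin", "football", "dragon",
}

MIN_LENGTH = 12          # assumed minimum length
PASSPHRASE_LENGTH = 16   # assumed: at this length, length substitutes for class mix
SEQ_LEN = 4              # runs of this many consecutive keyboard/alphabet chars are flagged

# Rows used to detect predictable sequences ("qwer", "abcd", "4321", ...).
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
            "1234567890", "abcdefghijklmnopqrstuvwxyz")

# Common leet substitutions undone before the blocklist lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


@dataclass
class PolicyResult:
    accepted: bool
    problems: list = field(default_factory=list)


def _normalize(pw: str) -> str:
    """Lower-case, strip trailing digits/symbols, then undo leet substitutions,
    so 'P@ssw0rd123!' collapses to 'password' for the blocklist check."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def _has_sequence(pw: str, run: int = SEQ_LEN) -> bool:
    """True if pw contains `run` consecutive characters from a keyboard row or
    the alphabet/digit sequence, in either direction."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if any(window in row or window in row[::-1] for row in KEY_ROWS):
            return True
    return False


def check_password(pw: str, username: str = "", email: str = "") -> PolicyResult:
    """Evaluate pw against the policy and return every reason it fails."""
    problems = []

    # 1. Length.
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # 2. Character mix, waived for long passphrases.
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3 and len(pw) < PASSPHRASE_LENGTH:
        problems.append("use at least three of: lower-case, upper-case, digits, symbols")

    # 3. Predictable choices.
    if pw.lower() in COMMON_PASSWORDS or _normalize(pw) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    local_part = email.split("@")[0]
    for label, ident in (("username", username), ("email address", local_part)):
        if len(ident) >= 3 and ident.lower() in pw.lower():
            problems.append(f"contains your {label}")
    if _has_sequence(pw):
        problems.append("contains a keyboard or alphabet sequence such as 'qwer' or '4321'")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("contains the same character repeated four or more times")

    return PolicyResult(accepted=not problems, problems=problems)


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd123!", "correct horse battery staple"):
        result = check_password(candidate, username="alice")
        print(f"{candidate!r}: {'accepted' if result.accepted else result.problems}")
```

The normalisation step is what separates a useful check from a cosmetic one: "P@ssw0rd123!" satisfies a naive length-plus-classes rule yet is rejected here because it reduces to a blocklisted word. Waiving the class requirement above a passphrase length avoids penalising long, memorable passphrases, which resist guessing better than short strings padded with symbols. None of this addresses the reuse problem Prof Furnell raises below; that can only be mitigated server-side, for example by screening new passwords against known-breached credential sets.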
“If these companies and others were to include simple explanations about enhancing password security, and some better enforcement of good practice, the extent of our collective online security could be dramatically improved,” said Prof Furnell.
“In many cases, there is a fear about creating barriers which would stop people signing up to their service. But recent cybersecurity incidents have shown that securing passwords and providing informed guidance has never been more crucial.”