Password practices of internet companies

A decade of research on the security practices of the world's biggest internet companies like Amazon, Reddit, and Wikipedia has shown a disappointing result.

Professor Steve Furnell from the University of Plymouth found that most of the top 10 English-speaking websites offer little to no guidance "to encourage or oblige" users to follow a secure way to protect their accounts. Furnell started the study in 2007 and came up with similar results in 2011 and 2014.

The study dove deeper into the password practices of Google, Facebook, Amazon, Twitter, Reddit, Yahoo, Microsoft Live, Wikipedia, Instagram, and Netflix. It sought to understand whether users of these internet giants were given guidance when creating an account or when changing or resetting their password, and the extent of that guidance.

'Little Is Being Done'

In 2007, Furnell's initial research brought him to the conclusion that these web platforms offer little to no guidance on how to create a strong password. Even more surprising for Furnell is that, after 10 years, some of these platforms still allow the word 'password,' single-character passwords, and basic words such as a user's last name to be used as passwords.

"With over ten years between the studies, it is somewhat disappointing to find that the overall story in 2018 remains largely similar to that of 2007. In the intervening years, much has continued to be written about the failings of passwords and the ways in which we use them, but little is being done to encourage or oblige us to follow the right path."

Professor Steve Furnell, University of Plymouth

Google, Microsoft Live, and Yahoo are the top three sites for the guidance they offer. Meanwhile, Amazon, Reddit, and Wikipedia have the least favourable provisions, with e-commerce titan Amazon falling behind on the list.

"With personal data now being guarded more closely than ever, providing clear and upfront guidance would seem a basic means through which to ensure users can be confident that the information they are providing is both safe and secure."

Improved Security Practices

Some improvements in security practices since 2014 include a restriction on using the term 'password' as a password, as well as the addition of authentication processes, up from three websites in 2011 to eight in 2018.

Furnell said the addition of two-step verification and two-factor authentication options is positive. Still, he stressed that internet companies need to enforce these options.

"Users arguably require more encouragement or obligation to use them otherwise, like passwords themselves, they will offer the potential for protection while falling short of doing so in practice."