Three-quarters of the world’s most popular English-language websites still allow people to choose the most common passwords such as “abc123456” and “P@$$w0rd.”
More than half of the 120 top-ranked websites also allow all 40 of the most common leaked and easily guessed passwords. The sites include popular shopping portals such as Amazon and Walmart, social media app TikTok, video streaming site Netflix and the company Intuit, maker of the tax-return software TurboTax that millions of people in the US use.
Amazon told New Scientist that it recommends users set up two-step verification and that the company may “require additional authentication challenges during sign-in” if it detects a security risk. Intuit chief architect Alex Balazs said he would investigate the findings and highlighted Intuit’s use of multi-factor authentication and fraud detection. The other companies mentioned above did not respond to New Scientist’s request for comment.
“It’s tempting to conclude that companies just don’t care about users’ security, but I don’t think that’s right… letting accounts get hacked is not at all in their interest,” says Arvind Narayanan at Princeton University.
To perform the analysis of English-language websites ranked as popular by various internet services, Narayanan and his colleagues manually checked 40 passwords on each site. Using each site’s password requirements, they selected 20 passwords from a randomised sampling of the 100,000 most frequently used passwords found in data breaches, along with the first 20 passwords guessed by a password cracking tool.
Only 15 websites blocked all 40 of…