
Thank you for this compilation - now what to do... #80

Open
torarebel opened this issue Mar 6, 2018 · 9 comments
@torarebel

I am thankful that so many people have been willing to create this list.

Thank you!

We now have an ever-growing list of those that have it wrong.
And it appears from this list that most sites have it wrong.

Here's a challenge:
Tell us your preferred password policy that:

  • balances usability with security, and
  • supports popular password managers and generators, and
  • will work at least on popular desktop and mobile browsers and in mobile apps.

Not kidding! Come up with a "good" password policy - so at least when one of these sites fixes their password policy, you can kindly and unarguably remove them from the shame list.

You will be doing the world a great service! Then at least if everyone adopts your policy, everyone will have better passwords, and people can use passwords that follow a pattern, even though not the same one, since everyone reading this knows you SHOULD (RFC 2119) use a different password everywhere.

Once you come up with that, comb through your list again and see if any site is already compliant.

Thank you - sincerely - thank you!

@nitrocode

I'd like to see a way to get websites off of the list as well. I'd imagine best practices would calculate entropy, allow a maximum of 64 characters, and have no copy/paste prevention. As a bonus it would check passwords against already-used ones in breaches using the Troy Hunt API.

@duffn
Owner

duffn commented Jan 20, 2019

As far as getting sites off of the list, PRs are certainly welcome to remove sites if they have improved the password rules.

And though I don't have any plans to work on an automated mechanism to remove sites, I am always open to new ideas and PRs.

@nitrocode

nitrocode commented Jan 20, 2019

@duffn What are your thoughts on best practices? Or perhaps this can be a bit more tongue-in-cheek by listing

Ways to get on this list

Make sure to...

Major:

  • Break your website depending on the password
    • Probably susceptible to all kinds of attacks. I wouldn't touch the website if it did this.
  • Allow longer passwords in the field and then trim the password to some arbitrary length
    • It puzzles me that companies do this. The only reason I can think of is that they are storing the passwords in clear text and are limited by their DB table schema field size.
  • Disable pasting, requiring a browser extension to use a password manager
    • Super annoying because it inadvertently disables password managers
  • Password is manipulated without you knowing. For example, case sensitivity is disallowed and all passwords are lowercased upon submission
    • Awful
  • Rules are hidden and you sit wondering why you can't sign up
  • Enforce a maximum number of characters less than 32
  • Enforce usage or non-usage of certain characters

Low:

  • Calculate strength based on rules that have nothing to do with entropy
  • Anything else that is deemed dumb

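The policy sketched in the two comments above (a length floor, a ceiling of 64 that is rejected rather than silently trimmed, no character-class rules, no case folding, no paste blocking, and a check against the Pwned Passwords corpus) can be written down as a small validator. The block below is an added example and is not code from the dumb-password-rules repository or from any commenter. The minimum of 8 and the `OFFLINE_RANGE_API` table are assumptions made for this example: the table stands in for the real `GET https://api.pwnedpasswords.com/range/<prefix>` endpoint so the code runs offline, and only the first suffix in it is a real SHA-1 tail (that of the string "password"); the counts and other suffixes are constructed.

```python
import hashlib
import unicodedata
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed policy values (not from the repo): a minimum only, and a ceiling
# that is rejected explicitly rather than silently trimmed.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for the Pwned Passwords range API. The real endpoint is
# GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>, which
# returns "SUFFIX:COUNT" lines; only the 5-char prefix ever leaves the client
# (k-anonymity). The first suffix is the real SHA-1 tail of "password"; the
# counts and the other two suffixes are made up for this example.
OFFLINE_RANGE_API: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:2\r\n"
        "FFFF0123456789ABCDEF0123456789ABCDE:1\r\n"
    ),
}


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse a range response into {suffix: breach_count}; blank lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_breach_count(password: str) -> int:
    """k-anonymity lookup against the constructed table above (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = OFFLINE_RANGE_API.get(prefix, "")
    return parse_range_body(body).get(suffix, 0)


@dataclass
class PolicyResult:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def validate_password(
    password: str,
    breach_count: Optional[Callable[[str], int]] = offline_breach_count,
) -> PolicyResult:
    """Length floor, explicit ceiling, no character-class rules, no case
    folding, no trimming, plus a breach-corpus check. Every failing reason is
    returned so the rules are never hidden from the user."""
    # NFKC so the same visible string always hashes the same way; the case and
    # the characters the user typed are otherwise left exactly as entered.
    normalized = unicodedata.normalize("NFKC", password)
    length = len(normalized)  # count code points, not bytes
    reasons: List[str] = []
    if length < MIN_LENGTH:
        reasons.append(f"must be at least {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        # Reject, never truncate: a trimmed password is one the user did not choose.
        reasons.append(f"must be at most {MAX_LENGTH} characters (not trimmed)")
    if breach_count is not None and not reasons:
        seen = breach_count(normalized)
        if seen:
            reasons.append(f"appears {seen} times in known breaches; choose another")
    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in ["short", "password", "a" * 65, "correct horse battery staple"]:
        print(repr(candidate[:20]), validate_password(candidate))
```

Two caveats for anyone wiring this up for real. The length check counts code points, so a 64-character password can be far more than 72 bytes in UTF-8; if the verifier is bcrypt, which silently stops at 72 bytes, either cap on bytes instead or pre-hash before bcrypt, otherwise you have reintroduced the "trim to some arbitrary length" entry from the list above without noticing. And the breach check should reject with a plain message rather than reveal a count to an attacker probing the signup form; the count is returned here only so the example can show it.
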
@four43

four43 commented Sep 10, 2019

I like the idea of having a shame list, but I also like the idea of having actionable best practices too, to help those learn and get off the list.

@medmunds

Likely many of the companies and organizations on this list got here because they were trying to follow what were at one time promoted as best practices for password management. (Or what their security consultants told them were the standards.)

And often, the people who see their organization in this list will be developers or other staff who aren't actually in charge of making decisions about password requirements. That is, they know what they're doing is outdated, but may not have the authority to take action.

I'd guess what's most useful for those folks would be updated standards and guidelines—from authoritative sources—that they can provide as evidence to the decision makers in their organizations. The OWASP cheatsheet above is one example. Here are a few more from government agencies:

@georgehank

Good password policy: a minimum length, and that's it, and that's also pushing it.

Everything else is by definition dumb, as in: the more restrictive you go, the more people will use the simplest possible that complies. I once had (for local router password…) "UPPERlower1" because those were the rules. For a router that is only accessible from the local network, and where I was the only person on said network.

@toraarebel

@georgehank Agreed!

@duffn
Owner

duffn commented Feb 15, 2023

I'll happily welcome any more discussion about how to best remove yourself from this list. There's even been some work on some guidelines here #219
