Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Password policy gaps on major sites: what IAM teams should fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10141
Topic starter  

TL;DR: Princeton University researchers found only 15 of 120 popular English-language websites met their password policy best-practice test, showing that weak password rules and usability trade-offs remain widespread across high-traffic services, according to Bitwarden’s summary of the study. Stronger password guidance still matters because authentication failure remains a major breach pathway, but organisations must remove policy friction that drives poor user behaviour.

NHIMG editorial — based on content published by Bitwarden: Princeton researchers' password policy study of 120 major websites

Questions worth separating out

Q: How should organisations design password policy for modern IAM programmes?

A: Start with length, blocklist common passwords, and avoid character-class rules that add friction without improving real guessability.

Q: Why do strict password composition rules often fail in practice?

A: They usually increase memorisation burden without preventing reuse, predictable substitutions, or credential stuffing.

Q: What signals show that password policy is not working?

A: High reset volume, repeated failed logins, predictable password choices, and ongoing account takeover attempts are all warning signs.

Practitioner guidance

  • Replace character-class rules with length-first policy Set minimum password length to at least 8 characters, then prefer longer passphrases where the application and user population permit it.
  • Deploy password blocklists at creation time Reject the most common leaked and easily guessed passwords before account creation completes.
  • Use accurate strength meters only where they reflect guessability If you use a strength meter, validate that it measures resistance to guessing rather than just scoring complexity.

What's in the full article

Bitwarden's full post covers the operational detail this post intentionally leaves for the source:

  • Bitwarden's side-by-side comparison of its own bank-password criteria and the Princeton study methodology.
  • The full discussion of the password-policy questions Bitwarden used when grading bank login experiences.
  • Additional context on why password transparency matters for user behaviour and organisational accountability.
  • Bitwarden's commentary on how its earlier banking review relates to the broader Princeton findings.

👉 Read Bitwarden's analysis of Princeton's password policy study →

Password policy gaps on major sites: what IAM teams should fix?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9696
 

Weak password policy is still a human IAM governance problem, not a legacy UX detail. The Princeton findings show that many organisations still rely on password rules that look strict but do little to improve resistance to guessing. That matters because policy choices shape user behaviour, account takeover exposure, and help-desk burden at the same time. IAM teams should treat password guidance as a control surface, not a settings page.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: What should identity teams prioritise after reviewing weak password policies?

A: They should prioritise the full authentication journey, including recovery, MFA enrolment, and account lockout behaviour, not just the password field. A good policy reduces guessability, supports user adoption, and limits the conditions that let attackers exploit reused or predictable credentials.

👉 Read our full editorial: Password policy research shows most major sites still miss best practice



   
ReplyQuote
Share: