I take password security very seriously. I’ve already written about how people can improve their password habits to keep themselves safe. This piece, however, is for those of you who build websites which provide password-related functionality. This is a list of password crimes that some websites commit. I’ve described these crimes, then point out some criminals (a.k.a., websites) which commit these crimes. (This list is not guaranteed to continue to be up-to-date. This post represents a snapshot in time, and is accurate as of early June 2014 when the first draft of this post was written.

My friend Michelle recently explained to me that password is a perfectly valid password to use. Her reason? “People always say not to use it. So now that nobody uses it anymore, it’s totally secure again!” How I’d Hack Your Weak Passwords In this case, Michelle made a fatal assumption. She assumed that human beings would be manually typing in guessed passwords. What she failed to understand is that it’s really, really easy for any off-the-shelf computer to chew through possible passwords at an incredible pace.

I recently wrote about the work I did to change every single password I had into ones that were unique for every site, and far more difficult to brute-force due to their long and randomized nature. As part of this exercise, I was essentially trying to change 250 passwords on 250 websites as quickly as possible. When you do this, you end up seeing trends and patterns across unrelated sites that you might not have noticed otherwise. Observations Here are some of the patterns I observed about how websites manage passwords:

I learned at a relatively young age what makes a good password versus a bad password, and I’ve tried to always use these qualities in the passwords that I choose. The Problem Unfortunately, even with the best intentions, you inevitably end up re-using one or a few passwords across every single website you log into. Some people do things as dumb as using the name of their significant other. Or their pet. Or a birthdate. Or something else equally guessable by one of the many supercomputers that exist (whereby “supercomputer”, I mean pretty much any computer invented in the past 5–7 years).