You would think that Amazon, Reddit, Wikipedia and other highly popular websites would by now tell you that “password1” or “hunter2” is a terrible password — just terrible. But they don’t. A research project that has kept tabs on the top sites and their password habits for the last 11 years shows that most provide only rudimentary password restrictions and do little to help users.

Steven Furnell, of the University of Plymouth, first did a survey of websites’ password practices in 2007, repeating the process in 2011 and 2014 — and then once more this week. His conclusions?

It is somewhat disappointing to find that the overall story in 2018 remains largely similar to that of 2007. In the intervening years, much has been written about the failings of passwords and the ways in which we use them, yet little is done to encourage or oblige us to follow the right path.

Although the university writeup notes that Google, Microsoft and Yahoo had the best password practices and Amazon, Reddit and Wikipedia had the worst, it diplomatically declined to go into specifics. Fortunately, I acquired the paper for myself and am prepared to name and shame.

The top 10 unique sites in English (as measured by Alexa; the lineup has changed somewhat over the years) were evaluated: Google, Facebook, Wikipedia, Reddit, Yahoo, Amazon, Twitter, Instagram, Microsoft Live and Netflix.

The biggest failure is inarguably Amazon, which combines truly inadequate password controls with an incredibly valuable and personal service. Wikipedia and Reddit had fewer restrictions, but neither protects such important data; an Amazon account being accessed by malicious actors is a far greater danger.

Amazon accepted practically every password Furnell threw at it, including repeats of the username, the user’s own name and, of course, the all-time classic, “password.” (Netflix and Reddit also took “password,” though Wikipedia didn’t. Wikipedia, on the other hand, accepted single-character passwords like “b.”)

Even sites that do have restrictions, like requiring multiple character types or rejecting commonly used passwords, seldom explain themselves. Presented with no feedback at the start, users creating an account may enter a password, only to be told it must be longer… and then, again, that it can’t have a certain word (like the user’s last name)… and then, again, that it must include special characters. And some sites have different requirements when you sign up than when you set a new one!

Why not lay it all out at the start? And for that matter, why not explain the reasoning behind it? It’d be trivial to make a little info box saying “We require X because Y.” But hardly any of the top sites do.

The one bit of light in this dreary report is that two-factor authentication — arguably more important than a good password — is in fact making strides, and some of the worst offenders in password policy (looking at you, Amazon) allow it. Now they just have to move it off of SMS and onto a secure authenticator app.

The final word is pretty the same as it’s been for the last decade:

The basic argument here – as with the earlier versions of the study and the others referenced – is for provision of user-facing security to be matched with accompanying support. Passwords are a good example because we know that many people are poor at using them. And yet the lesson continues to go unheeded and we continue to criticise the method and blame the users instead.

Two-factor is a start, but:

Users arguably require more encouragement – or indeed obligation – to use them. Otherwise, like passwords themselves, they will offer the potential for protection, while falling short of doing so in practice.

In other words, quit talking about how bad passwords are and do something about it!