A spark is enough in a straw world: a study of websites password management in the wild.

With the entry into force of the General Data Protection Regulation (GDPR), in the May 25th 2018, the European Parliament, together with the Council of the European Union and the European Commission, aim to strengthen the data protection for all the European citizens. The organizations or individuals that collect, process, or analyze data of European Union citizens, in case of non-compliance with the regulation, are subject to heavy penalties ranging from 10-20M euros to 2-4% of the annual worldwide turnover of the previous financial year (in case of an enterprise). In this paper we first provide a survey of both user authentication mechanisms implemented by websites and password recovery mechanisms currently adopted. Subsequently, we provide a thorough analysis of the password management of the Alexa's top 200 websites in different countries, including England, Germany, and Italy, by pointing out that almost 43% of websites are affected by vulnerabilities that can compromise users' identities on the web. Then we model an attacker with different capabilities and we show how websites' vulnerabilities can be exploited to carry on many attacks; finally we propose several effective countermeasures and we point out that most of websites are far from being ready for the compliance with the regulation and may incur in the aforementioned unsustainable penalties.