A large-scale study of password-protected Web sites revealed a lack of standards across the industry that harms end-user security, according to two researchers working at the University of Cambridge in England.