Crunching the Top 10,000 Websites' Password Policies and Controls

I will discuss a project to assess and rate password policies and controls from the top 10,000 websites by leveraging technology, volunteers, and low-cost marketplaces like Amazon Mechanical Turk.

A detailed analysis of password policies and authentication controls for widely-used websites appeared non-existent, so I sought to address that. Though some data could be collected programmatically, many of the desired attributes are not easily collected in an automated fashion, and manual collection is time-consuming. To address this, I utilized low-cost marketplaces like Amazon Mechanical Turk and implemented a system to allow volunteers to add, update, and modify data. I will cover my methodology, an analysis of the collected data, challenges, lessons learned, and future plans. Ultimately, I hope the project will result in better awareness of poor password policies and controls, leading to positive change.
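To illustrate the split between what can be gathered programmatically and what needs a human, here is an added example (not the speaker's code or the project's rating scheme): it pulls the browser-side password constraints a signup form declares (`minlength`, `maxlength`, `pattern`) out of HTML, then merges them with attributes a volunteer or Mechanical Turk worker would record by hand to produce a simple score. The HTML, the manual field names and the scoring weights are all constructed assumptions.

```python
"""Added example: combine form-declared password constraints (collectable
programmatically) with manually collected controls into a rough 0-100 rating.
The weights and field names are illustrative assumptions, not the talk's."""
from html.parser import HTMLParser


class PasswordInputFinder(HTMLParser):
    """Collect the attributes of every <input type="password"> element."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lowercases names; a bare attribute arrives with value None
        a = {k: (v if v is not None else "") for k, v in attrs}
        if a.get("type", "").lower() == "password":
            self.inputs.append(a)


def extract_form_policy(html):
    """Return the constraints a signup form declares client-side.

    Only what the browser would enforce is visible here; the server may still
    accept or reject other values, which is why manual checks remain necessary.
    Missing constraints are reported as None.
    """
    finder = PasswordInputFinder()
    finder.feed(html)
    policy = {
        "min_length": None,
        "max_length": None,
        "pattern": None,
        "password_fields": len(finder.inputs),
    }
    for a in finder.inputs:
        if a.get("minlength", "").isdigit():
            policy["min_length"] = int(a["minlength"])
        if a.get("maxlength", "").isdigit():
            policy["max_length"] = int(a["maxlength"])
        if a.get("pattern"):
            policy["pattern"] = a["pattern"]
    return policy


def rate_policy(form_policy, manual):
    """Score a site from programmatic plus manually recorded attributes.

    `manual` holds what a human records after trying the site:
    mfa_offered, lockout_or_rate_limit, allows_paste, emails_plaintext_password.
    Weights are assumptions chosen to favour length, MFA and throttling and to
    penalise mailing the password back in clear text.
    """
    score = 0
    min_len = form_policy["min_length"]
    if min_len is not None and min_len >= 12:
        score += 30
    elif min_len is not None and min_len >= 8:
        score += 20
    max_len = form_policy["max_length"]
    if max_len is None or max_len >= 64:
        score += 10  # no tight upper bound that blocks long passphrases
    if manual.get("mfa_offered"):
        score += 30
    if manual.get("lockout_or_rate_limit"):
        score += 20
    if manual.get("allows_paste", True):
        score += 10  # blocking paste hinders password managers
    if manual.get("emails_plaintext_password"):
        score -= 40
    return max(0, min(100, score))


# Constructed sample signup form, not taken from any real site.
SAMPLE_FORM = """
<form action="/signup" method="post">
  <input type="email" name="email">
  <input type="password" name="pw" minlength="8" maxlength="16">
  <input type="password" name="pw_confirm" minlength="8" maxlength="16">
</form>
"""

# Constructed manual observations for the same hypothetical site.
SAMPLE_MANUAL = {
    "mfa_offered": False,
    "lockout_or_rate_limit": True,
    "allows_paste": False,
    "emails_plaintext_password": False,
}

if __name__ == "__main__":
    policy = extract_form_policy(SAMPLE_FORM)
    print(policy)
    print("score:", rate_policy(policy, SAMPLE_MANUAL))
```

The parser deliberately reports `None` rather than guessing when a form declares nothing, so a site with no client-side constraints is not mistaken for one with a generous policy; the manual dictionary is where a worker's observations (MFA, lockout, paste handling) would be entered.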
