A detailed analysis of password policies and authentication controls for widely-used websites hadn’t been conducted and seemed to be a daunting effort. To address this I supplemented automated and semi-automated data collection with the utilization of low-cost marketplaces like Amazon Mechanical Turk and the implementation of a system which allows volunteers to add, update, and modify data. I will cover my methodology, analysis of the collected data, challenges, lessons learned, and future plans.sites’ Password Policies and Controls.
Steve Werby is an independent information security consultant and security architect for a Fortune 200 company. He previously led enterprise information security programs for 3 large organizations and has presented at conferences such as DerbyCon, SOURCE Seattle, Hack3rCon, SecTor, ShmooCon, and OWASP LASCON. He is proud of the fact that he hasn’t signed his name the same way twice since 2009.