I will discuss a project to assess and rate password policies and controls from the top 10,000 websites by leveraging technology, volunteers, and low-cost marketplaces like Amazon Mechanical Turk.
A detailed analysis of password policies and authentication controls for widely-used websites appeared non-existent, so I sought to address that. Though some data could be collected programmatically, many of the desired attributes are not easily collected in an automated fashion, and manual collection is time-consuming. To address this, I utilized low-cost marketplaces like Amazon Mechanical Turk and implemented a system to allow volunteers to add, update, and modify data. I will cover my methodology, an analysis of the collected data, challenges, lessons learned, and future plans. Ultimately, I hope the project will result in better awareness of poor password policies and controls, leading to positive change.
Steve Werby is an independent information security consultant and security architect for a Fortune 200 company. He previously led enterprise information security programs for 3 large organizations. He is proud of the fact that he hasn't signed his name the same way twice since 2009. In fact he's the author of RMSG - "Random e-Mail Signature Generator". Oh, and he recommends not trusting people who do not have a cool nick.