Crunching the Top 10,000 Websites' Password Policies and Controls

Passwords13 Las Vegas

Presented by: Steve Werby
Date: Wednesday July 31, 2013
Time: 13:00 - 13:50
Location: Main Room
Track: Passwords13

I will discuss a project to assess and rate password policies and controls from the top 10,000 websites by leveraging technology, volunteers, and low-cost marketplaces like Amazon Mechanical Turk.

A detailed analysis of password policies and authentication controls for widely-used websites appeared non-existent, so I sought to address that. Though some data could be collected programmatically, many of the desired attributes are not easily collected in an automated fashion, and manual collection is time-consuming. To address this, I utilized low-cost marketplaces like Amazon Mechanical Turk and implemented a system to allow volunteers to add, update, and modify data. I will cover my methodology, an analysis of the collected data, challenges, lessons learned, and future plans. Ultimately, I hope the project will result in better awareness of poor password policies and controls, leading to positive change.

Steve Werby

Steve Werby is an independent information security consultant and security architect for a Fortune 200 company. He previously led enterprise information security programs for 3 large organizations. He is proud of the fact that he hasn't signed his name the same way twice since 2009. In fact he's the author of RMSG - "Random e-Mail Signature Generator". Oh, and he recommends not trusting people who do not have a cool nick.
