Crunching the Top 10000 Websites' Password Policies and Controls [Presented by Steve Werby at richSEC 2013]

Steve Werby (@stevewerby) | richSEC: Crunching the Top 10,000 Websites' Password Policies and Controls | August 22, 2013
Crunching the Top 10,000 Websites'
Password Policies and Controls
Steve Werby
Security Researcher

Security...
architect => day
researcher => night
Infosec since 1999
Former (CISO)3
BS Industrial Engineering, MBA, certs
Presented at Hack3rCon, SecTor, DerbyCon, ShmooCon,
ConSec, SOURCE Conference, LASCON, BSidesDFW, VA SCAN, EDUCAUSE,
InfraGard, OWASP, ISSA, AITP, IEEE, …


Have a question? Ask!

Have a comment? Share!

I’ll ask some questions too.

Has an in-depth analysis of password policies
and security controls for a large number of popular
sites been performed?

Are sites doing a good job at protecting user
accounts?
How much control do security-conscious users
have?

What sites to inspect?
What attributes to collect?
How to gather the data?

Use what you know
Alexa collects and shares information about websites (owned by Amazon)
Data gathered via browser toolbar installed on millions of computers
Ranking based on 3 months average of daily unique visitors + page views
alexa.com
Look up individual sites to find global and US ranking
Top 500 global sites (http://www.alexa.com/topsites)
Top 500 sites by country (http://www.alexa.com/topsites/countries)
Top 1,000,000 global sites (http://s3.amazonaws.com/alexa-static/top-1m.csv.zip)

1. google.com
2. facebook.com
3. youtube.com
4. yahoo.com
5. baidu.com
6. wikipedia.org
7. live.com
8. qq.com
9. amazon.com
10. twitter.com
11. blogspot.com
12. taobao.com
13. linkedin.com
14. google.co.in
15. yahoo.co.jp
16. sina.com.cn
17. ebay.com
18. bing.com
19. msn.com
20. google.co.jp
21. yandex.ru
22. wordpress.com
23. google.com.hk
24. google.de
25. vk.com
26. google.fr
27. google.co.uk
28. weibo.com
29. 163.com
30. microsoft.com
31. tumblr.com
32. babylon.com
33. mail.ru
34. googleusercontent.com
35. pinterest.com
36. fc2.com
37. google.com.br
38. conduit.com
39. google.ru
40. amazon.co.jp
41. paypal.com
42. ask.com
43. craigslist.org
44. blogger.com
45. xhamster.com
46. google.it
47. apple.com
48. xvideos.com
49. google.es
50. imdb.com
10000. oursogo.com
What sites to inspect (global top 10k)?

Getting the Alexa Top 10,000 for the US
Alexa Top Sites (http://aws.amazon.com/alexatopsites/)
Requires Amazon Web Services (AWS) account, sign up for Alexa Top Sites
API that costs $0.0025 per URL returned ($2.50 for 1,000 URLs)
Requires access key and secret key generated via AWS
Getting the data
Read API reference
Grab sample code (Java, Perl, PHP, Ruby)
Pick PHP for spite; modify to meet my needs
Wrap in Bash script
for ((i=0;i<100;i++)); do START=$(echo "$i*100 +1" | bc); RECORDS=100;
php ./amazon_alexa.phpc <access_key> <secret_key> US $RECORDS $START
| tail -$RECORDS >> alexa_us.txt; done

1. google.com
2. facebook.com
3. youtube.com
4. yahoo.com
5. amazon.com
6. bing.com
7. wikipedia.org
8. ebay.com
9. craigslist.org
10. linkedin.com
11. twitter.com
12. live.com
13. blogspot.com
14. go.com
15. pinterest.com
16. msn.com
17. aol.com
18. tumblr.com
19. cnn.com
20. netflix.com
21. ask.com
22. huffingtonpost.com
23. instagram.com
24. paypal.com
25. weather.com
26. espn.go.com
27. wordpress.com
28. conduit.com
29. bankofamerica.com
30. imdb.com
31. chase.com
32. apple.com
33. microsoft.com
34. yelp.com
What sites to inspect (US top 10k)?
35. about.com
36. walmart.com
37. imgur.com
38. comcast.net
39. pornhub.com
40. foxnews.com
41. avg.com
42. wellsfargo.com
43.
googleusercontent.com
44. xvideos.com
45. xhamster.com
46. nytimes.com
47. adobe.com
48. reddit.com
49. nbcnews.com
50. cnet.com
10000. photoblip.com

Minimum and maximum password length
Password composition requirements
Use of SSL + cookie settings to protect against session hijacking
Anti-CSRF controls
HTTP headers to protect against XSS
Ability to bypass account creation and leverage OAuth providers or OpenID
Password strength meter or strength indicator
2-factor authentication or 2-step authentication
Active logins and login history
CAPTCHA usage on login
Brute force login detection/prevention
Randomness and strength of session IDs
Security question options
Forgotten password options
Education on how and why to create strong password
Server password storage format and hashing details
What attributes to collect?

Inspecting sites without a firm plan
Started with 20 attributes
Inspected sites, collected data, made notes, added/deleted/modified attributes:
maximum password length => maximum password length accepted on creation
maximum password length displayed
when maximum password length is displayed
maximum password length accepted on change
maximum password length accepted on login
password emailed after account creation
Noticed patterns:
Non-English sites, no user accounts, user accounts but no way to register, costs $
Sites with no internal accounts, only third-party OAuth authorization

Finding meaning in the chaos
Min length, user education
2FA, last login details
Security questions
SSL, cookie session ID attributes
CAPTCHA, brute force lockout
Password sent in plain text
Previous leaks, response to vulns
Password strength
Unauthorized access prevention/detection
Password recovery (authentication bypass)
Authentication bypass
Attack detection/prevention
Password storage
Breach and vulnerability history

Inspecting sites without a firm plan (continued)
Determined efficient workflow for data collection
Estimated effort for data collection
Determine whether site has in-scope account creation = 20 seconds
Manual collection of AYCE attributes = 2-8 minutes (average of 4)
Manual collection of diet attributes = 1-4 minutes (average of 2)
70% of sites in-scope
10,000 * (1-0.7) * (20/60) = 1,000 minutes = 17 hours
10,000 * (0.7) * 2 = 14,000 minutes = 234 hours
251 hours total = 126 days @ 2 hours per day
Above ignores semi-automated data collection (brute force attacking, etc.)

A better way?
Ask the sites for the data
Blackmail people and force them to collect data
Hire a part-time worker
Partners
Crowdsourcing - paid and unpaid

Preparing the data
Broke data up into 6 blocks
1-100, 101-250, 251-500, 501-1000, 1001-5000, 5001-10000
Established 3 tiers of attribute breadth and granularity
Tier 1: 1001-5000, 5001-10000 => 18 attributes
Tier 2: 101-250, 251-500, 501-1000 => 22 attributes
Tier 3: 1-100 => 65 attributes
Randomized sites within blocks
cat $INPUT_FILE | awk 'BEGIN{srand();}{print rand()"t"$0}'
| sort -k1 -n | cut -f2- > $OUTPUT_FILE

Crowdsourcing - unpaid
Solicited contributors
Great response rate
Twitter (11), Facebook (3), LinkedIn (0), Google+ (didn't bother), family (1)
Divided (and conquered?)
Divided blocks up into chunks of 20 sites
Assigned 1 control site, 19 unique per spreadsheet
Emailed 1 to n spreadsheets to each volunteer

Crowdsourcing - unpaid

Validating accuracy of the results
Crowdsourcing (unpaid)
Compared control site data for multiple contributors
Random sampling and comparison to internal data collection
92% of results matched

Crowdsourcing - paid
More Amazon – this time, Amazon Mechanical Turk
Launched November 2005
Requesters post HITs (Human Intelligence Tasks) with a set compensation
Providers (aka Turkers) search for HITs, select them, complete them
Requesters can accept or reject completed HITs
Typical HITs are very simplistic

Validating accuracy of the results
Crowdsourcing (paid)
Created 3 HITs for each site; only paid if 2 matched
84% of results matched (vs. 92% for unpaid)

What was collected
Processed
Tier 3: 1-100 (100% of sites)
Tier 2: 101-250 (91%), 251-500 (73%), 501-1000 (53%)
Tier 1: 1001-5000 (18%), 5001-10000 (7%)
Account registration was performed on 59% of sites analyzed
Reasons it wasn't:
Other => 26%
Not a site with user accounts => 25%
No way to register found => 21%
Cost money or required credit card => 15%
Adult content => 6%
Site not in English => 4%
Can only sign in using a 3rd
party site => 2%
Site wouldn't load => 2%

Findings
Possible to sign in without creating an account, by signing in with another identity
provider?
Yes => 40%
No => 60%

Findings
Minimum password length?
1 => 11%
2 => 1%
3 => 2%
4 => 8%
5 => 12%
6 => 46%
7 => 4%
8 => 16%
9+ => 0%

Findings
Maximum password length?
1-3 => 0% 17-19 => 2%
4 => 1% 20 => 15%
5-9 => ~0% 21-24 => 1%
10 => 3% 25+ => 54%
11 => 1%
12 => 6%
13 => ~0%
14 => ~0%
15 => 10%
16 => 7%
Seemingly limitless
Quit at 8,192 chars no limit detected (tried 40 numbers-no problem)
500+ (no limit)
it accepted 26 characters
30+

Findings
When is the minimum password length displayed?
Only if password is unacceptable => 48%
Before entering password => 30%
Never => 17%
Other => 3%
If click link/icon for more info => 2%
When is the maximum password length displayed?
Never => 63%
Before entering password => 18%
Only if password is unacceptable => 17%
Other => 2%

Findings
Password composition requirement?
Yes => 25%
No => 75%

Findings
Does the login destination page use SSL?
Yes => 53%
No => 36%
Unknown => 11%

Findings
Is the password automatically emailed after account creation?
Yes => 2%
No => 98%

Findings
Does the site discourage users from using same password used elsewhere?
Yes => 4%
No => 96%

Findings
Does the site educate users on how to create a strong password?
Yes => 8%
No => 92%

Findings
Is there a password strength meter or indicator?
Yes => 17%
No => 83%

Findings
Is it possible to have an email sent as part of forgotten password process?
Yes, code or URL sent => 76%
Yes, new password sent => 7%
Yes, current password sent => 4%
No => 14%
Are security questions even necessary or appropriate?

Findings
Is 2FA or 2-step authentication an option?
Yes => 5%
No => 95%

Learning the hard way

Learning the hard way
Some data is difficult to gather (min and max password length for example)
There's a better iterative way to gather and validate the data
Keep it simple if you want Turkers to be interested and for them to perform well
Test, test, test...and get input from technical and non-technical peers

Contributors
Tanya Buresh-Werby (@tbwerby) Name Withheld (@Trojan7Sec)
Adam Sealey (@adamsealey Name Withheld #3
Raymond Umerley (@rayumerley) Name Withheld #4
Greg Pendergast (@greg_pendergast) Name Withheld #5
Jess Rutherford (@jofo) Name Withheld #6
Paul Melson (@pmelson) Name Withheld #7
Bob Werby
Renae Roccasano
Ijsbrand Slob (@huppie_)
Name Withheld #1
Chad Sturgill (@csturgill)
Michael Yatsko
Jeff Bryner (@p0wnlabs)
Name Withheld #2 (@snooose)
John Poulin (@forced_request)

Next steps
Continue data collection and validation
Share analysis of findings by attribute, ranking quartile, and site type
Scoring system that accounts for:
Password strength
Unauthorized access prevention/detection
Password recovery
Authentication bypass
Attack detection/prevention
Password storage
Breach and vulnerability history
Public website to view, add, and update data (and more!)

Questions for you
Surprised by the results?
Is there other related data you think would be useful to collect?
Do you think it's possible to use this data to influence websites' decisions?

Questions for me
Besides “Why isn't your hair orange?”

The opinions shared represent
my views, your views, and everyone
else's views. And are subject to change.
Anything you take offense to was done
by someone else. Don't sue me.

Crunching the Top 10000 Websites' Password Policies and Controls [Presented by Steve Werby at richSEC 2013]

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (9)

Similar to Crunching the Top 10000 Websites' Password Policies and Controls [Presented by Steve Werby at richSEC 2013]

Similar to Crunching the Top 10000 Websites' Password Policies and Controls [Presented by Steve Werby at richSEC 2013] (20)

Recently uploaded

Recently uploaded (20)

Crunching the Top 10000 Websites' Password Policies and Controls [Presented by Steve Werby at richSEC 2013]

Editor's Notes