A detailed analysis of password policies and authentication controls for widely-used websites hadn’t been conducted and seemed to be a daunting effort. To address this I supplemented automated and semi-automated data collection with the utilization of low-cost marketplaces like Amazon Mechanical Turk and unpaid volunteers. I will cover my methodology, analysis of the collected data, challenges, lessons learned, and future plans.
Crunching the Top 10000 Websites' Password Policies and Controls [Presented by Steve Werby at richSEC 2013]
1. Steve Werby (@stevewerby) | richSEC: Crunching the Top 10,000 Websites' Password Policies and Controls | August 22, 2013
Crunching the Top 10,000 Websites'
Password Policies and Controls
Steve Werby
Security Researcher
2. Steve Werby (@stevewerby) | richSEC: Crunching the Top 10,000 Websites' Password Policies and Controls | August 22, 2013
Security...
architect => day
researcher => night
Infosec since 1999
Former (CISO)3
BS Industrial Engineering, MBA, certs
Presented at Hack3rCon, SecTor, DerbyCon, ShmooCon,
ConSec, SOURCE Conference, LASCON, BSidesDFW, VA SCAN, EDUCAUSE,
InfraGard, OWASP, ISSA, AITP, IEEE, …
4. Have a question? Ask!
Have a comment? Share!
I’ll ask some questions too.
6. Has an in-depth analysis of password policies and security controls for a large number of popular sites been performed?
7. Are sites doing a good job at protecting user accounts?
How much control do security-conscious users have?
8. What sites to inspect?
What attributes to collect?
How to gather the data?
9. Use what you know
Alexa collects and shares information about websites (owned by Amazon)
Data gathered via browser toolbar installed on millions of computers
Ranking based on a 3-month average of daily unique visitors and page views
alexa.com
Look up individual sites to find global and US ranking
Top 500 global sites (http://www.alexa.com/topsites)
Top 500 sites by country (http://www.alexa.com/topsites/countries)
Top 1,000,000 global sites (http://s3.amazonaws.com/alexa-static/top-1m.csv.zip)
11. Getting the Alexa Top 10,000 for the US
Alexa Top Sites (http://aws.amazon.com/alexatopsites/)
Requires an Amazon Web Services (AWS) account; sign up for the Alexa Top Sites API, which costs $0.0025 per URL returned ($2.50 for 1,000 URLs)
Requires access key and secret key generated via AWS
Getting the data
Read API reference
Grab sample code (Java, Perl, PHP, Ruby)
Pick PHP for spite; modify to meet my needs
Wrap in Bash script
# 100 requests of 100 records each; START is the 1-based offset into the ranking
for ((i=0; i<100; i++)); do
  START=$((i*100 + 1)); RECORDS=100
  php ./amazon_alexa.phpc <access_key> <secret_key> US $RECORDS $START | tail -n $RECORDS >> alexa_us.txt
done
13. What attributes to collect?
Minimum and maximum password length
Password composition requirements
Use of SSL + cookie settings to protect against session hijacking
Anti-CSRF controls
HTTP headers to protect against XSS
Ability to bypass account creation and leverage OAuth providers or OpenID
Password strength meter or strength indicator
2-factor authentication or 2-step authentication
Active logins and login history
CAPTCHA usage on login
Brute force login detection/prevention
Randomness and strength of session IDs
Security question options
Forgotten password options
Education on how and why to create strong password
Server password storage format and hashing details
15. Inspecting sites without a firm plan
Started with 20 attributes
Inspected sites, collected data, made notes, added/deleted/modified attributes:
maximum password length => maximum password length accepted on creation
maximum password length displayed
when maximum password length is displayed
maximum password length accepted on change
maximum password length accepted on login
password emailed after account creation
Noticed patterns:
Non-English sites, no user accounts, user accounts but no way to register, costs $
Sites with no internal accounts, only third-party OAuth authorization
16. Finding meaning in the chaos
Min length, user education => Password strength
2FA, last login details => Unauthorized access prevention/detection
Security questions => Password recovery (authentication bypass)
SSL, cookie session ID attributes => Authentication bypass
CAPTCHA, brute force lockout => Attack detection/prevention
Password sent in plain text => Password storage
Previous leaks, response to vulns => Breach and vulnerability history
17. Inspecting sites without a firm plan (continued)
Determined efficient workflow for data collection
Estimated effort for data collection
Determine whether site has in-scope account creation = 20 seconds
Manual collection of AYCE attributes = 2-8 minutes (average of 4)
Manual collection of diet attributes = 1-4 minutes (average of 2)
70% of sites in-scope
10,000 * (1-0.7) * (20/60) = 1,000 minutes = 17 hours
10,000 * (0.7) * 2 = 14,000 minutes = 234 hours
251 hours total = 126 days @ 2 hours per day
Above ignores semi-automated data collection (brute force attacking, etc.)
19. A better way?
Ask the sites for the data
Blackmail people and force them to collect data
Hire a part-time worker
Partners
Crowdsourcing - paid and unpaid
20. Preparing the data
Broke data up into 6 blocks
1-100, 101-250, 251-500, 501-1000, 1001-5000, 5001-10000
Established 3 tiers of attribute breadth and granularity
Tier 1: 1001-5000, 5001-10000 => 18 attributes
Tier 2: 101-250, 251-500, 501-1000 => 22 attributes
Tier 3: 1-100 => 65 attributes
Randomized sites within blocks
# prefix each line with a random number, sort on it, then drop the prefix
awk 'BEGIN{srand()}{print rand() "\t" $0}' "$INPUT_FILE" | sort -k1 -n | cut -f2- > "$OUTPUT_FILE"
21. Crowdsourcing - unpaid
Solicited contributors
Great response rate
Twitter (11), Facebook (3), LinkedIn (0), Google+ (didn't bother), family (1)
Divided (and conquered?)
Divided blocks up into chunks of 20 sites
Assigned 1 control site, 19 unique per spreadsheet
Emailed 1 to n spreadsheets to each volunteer
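The block, tier and spreadsheet layout from the two slides above, as an added example (not code from the talk): rank blocks and attribute counts are the ones on slide 20, sheets are 1 control site plus 19 unique sites as on slide 21, and the function names and placeholder domains are constructed.

```python
import random

# Added example, not code from the talk. Rank blocks, tiers and the 20-site
# spreadsheet layout (1 control + 19 unique) follow slides 20-21; all
# function names and the sample domains are constructed for illustration.
BLOCKS = [(1, 100), (101, 250), (251, 500), (501, 1000), (1001, 5000), (5001, 10000)]
TIER_OF_BLOCK = {(1, 100): 3, (101, 250): 2, (251, 500): 2, (501, 1000): 2,
                 (1001, 5000): 1, (5001, 10000): 1}
ATTRIBUTES_PER_TIER = {1: 18, 2: 22, 3: 65}
SITES_PER_SHEET = 20  # one control site plus 19 unique sites

def block_for_rank(rank):
    """Return the (low, high) rank block a site falls into."""
    for lo, hi in BLOCKS:
        if lo <= rank <= hi:
            return (lo, hi)
    raise ValueError(f"rank {rank} is outside 1-10000")

def attributes_for_rank(rank):
    """Number of attributes a contributor is asked to collect for this rank."""
    return ATTRIBUTES_PER_TIER[TIER_OF_BLOCK[block_for_rank(rank)]]

def split_into_blocks(ranked_sites):
    """ranked_sites is a list of (rank, domain), e.g. parsed from alexa_us.txt."""
    blocks = {b: [] for b in BLOCKS}
    for rank, domain in ranked_sites:
        blocks[block_for_rank(rank)].append(domain)
    return blocks

def make_spreadsheets(block_sites, control_site, seed=None):
    """Shuffle one block (what the awk | sort | cut pipeline does) and cut it
    into sheets of 19 unique sites, each led by the same control site so that
    contributors' answers can later be compared against each other."""
    rng = random.Random(seed)  # a fixed seed makes the assignment reproducible
    unique = [s for s in block_sites if s != control_site]
    rng.shuffle(unique)
    per_sheet = SITES_PER_SHEET - 1
    return [[control_site] + unique[i:i + per_sheet]
            for i in range(0, len(unique), per_sheet)]

# Constructed sample: 300 ranked placeholder domains standing in for the export.
SAMPLE = [(r, f"site{r}.example") for r in range(1, 301)]
```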
26. Validating accuracy of the results
Crowdsourcing (unpaid)
Compared control site data for multiple contributors
Random sampling and comparison to internal data collection
92% of results matched
29. Crowdsourcing - paid
More Amazon – this time, Amazon Mechanical Turk
Launched November 2005
Requesters post HITs (Human Intelligence Tasks) with a set compensation
Providers (aka Turkers) search for HITs, select them, complete them
Requesters can accept or reject completed HITs
Typical HITs are very simplistic
33. Validating accuracy of the results
Crowdsourcing (paid)
Created 3 HITs for each site; only paid if 2 matched
Random sampling and comparison to internal data collection
84% of results matched (vs. 92% for unpaid)
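The two accuracy checks described on slides 26 and 33, as an added example (not code from the talk): agreement across repeated submissions for the same site (control sites for volunteers, 3 HITs per site for Turkers) and the match rate against an internal sample. Attribute names, values and the exact payout rule below are constructed assumptions.

```python
from collections import Counter

# Added example, not code from the talk. Implements the two checks on slides
# 26 and 33: agreement across repeated submissions for the same site (control
# sites for volunteers, 3 HITs per site for Turkers) and the match rate against
# an internal sample. Attribute names and all values below are constructed.
THREE_HITS = [
    {"min_len": "6", "max_len": "20", "ssl_login": "yes", "pw_emailed": "no"},
    {"min_len": "6", "max_len": "20", "ssl_login": "no",  "pw_emailed": "no"},
    {"min_len": "8", "max_len": "20", "ssl_login": "yes", "pw_emailed": "no"},
]
INTERNAL_SAMPLE = {"min_len": "6", "max_len": "20", "ssl_login": "yes", "pw_emailed": "yes"}

def consensus(submissions, required=2):
    """Per attribute, keep the value that at least `required` submissions agree
    on; None marks disagreement, i.e. a site that needs a manual look."""
    result = {}
    for attr in set().union(*submissions):
        value, count = Counter(s.get(attr) for s in submissions).most_common(1)[0]
        result[attr] = value if count >= required else None
    return result

def payable(submissions, required=2):
    """One reading (an assumption, not stated on the slide) of '3 HITs per site,
    only paid if 2 matched': a HIT is paid when it agrees with the consensus
    on every attribute that reached one."""
    agreed = consensus(submissions, required)
    return [all(s.get(a) == v for a, v in agreed.items() if v is not None)
            for s in submissions]

def match_rate(crowd, internal):
    """Fraction of attributes on which the crowd's consensus equals the
    internal data collection (the kind of figure behind '84% vs. 92%').
    Attributes without a consensus are left out of the comparison."""
    compared = [a for a, v in crowd.items() if v is not None and a in internal]
    if not compared:
        return 0.0
    return sum(crowd[a] == internal[a] for a in compared) / len(compared)
```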
34. What was collected
Processed
Tier 3: 1-100 (100% of sites)
Tier 2: 101-250 (91%), 251-500 (73%), 501-1000 (53%)
Tier 1: 1001-5000 (18%), 5001-10000 (7%)
Account registration was performed on 59% of sites analyzed
Reasons it wasn't:
Other => 26%
Not a site with user accounts => 25%
No way to register found => 21%
Cost money or required credit card => 15%
Adult content => 6%
Site not in English => 4%
Can only sign in using a 3rd party site => 2%
Site wouldn't load => 2%
35. Findings
Possible to sign in without creating an account, by signing in with another identity provider?
Yes => 40%
No => 60%
36. Findings
Minimum password length?
1 => 11%
2 => 1%
3 => 2%
4 => 8%
5 => 12%
6 => 46%
7 => 4%
8 => 16%
9+ => 0%
37. Findings
Maximum password length?
1-3 => 0%
4 => 1%
5-9 => ~0%
10 => 3%
11 => 1%
12 => 6%
13 => ~0%
14 => ~0%
15 => 10%
16 => 7%
17-19 => 2%
20 => 15%
21-24 => 1%
25+ => 54%
Seemingly limitless:
Quit at 8,192 chars, no limit detected (tried 40 numbers - no problem)
500+ (no limit)
it accepted 26 characters
30+
38. Findings
When is the minimum password length displayed?
Only if password is unacceptable => 48%
Before entering password => 30%
Never => 17%
Other => 3%
If click link/icon for more info => 2%
When is the maximum password length displayed?
Never => 63%
Before entering password => 18%
Only if password is unacceptable => 17%
Other => 2%
39. Findings
Password composition requirement?
Yes => 25%
No => 75%
40. Findings
Does the login destination page use SSL?
Yes => 53%
No => 36%
Unknown => 11%
41. Findings
Is the password automatically emailed after account creation?
Yes => 2%
No => 98%
42. Findings
Does the site discourage users from using same password used elsewhere?
Yes => 4%
No => 96%
43. Findings
Does the site educate users on how to create a strong password?
Yes => 8%
No => 92%
44. Findings
Is there a password strength meter or indicator?
Yes => 17%
No => 83%
45. Findings
Is it possible to have an email sent as part of forgotten password process?
Yes, code or URL sent => 76%
Yes, new password sent => 7%
Yes, current password sent => 4%
No => 14%
Are security questions even necessary or appropriate?
46. Findings
Is 2FA or 2-step authentication an option?
Yes => 5%
No => 95%
48. Are sites doing a good job at protecting user accounts?
How much control do security-conscious users have?
50. Learning the hard way
Some data is difficult to gather (min and max password length for example)
There's a better iterative way to gather and validate the data
Keep it simple if you want Turkers to be interested and for them to perform well
Test, test, test...and get input from technical and non-technical peers
51. Contributors
Tanya Buresh-Werby (@tbwerby)
Adam Sealey (@adamsealey)
Raymond Umerley (@rayumerley)
Greg Pendergast (@greg_pendergast)
Jess Rutherford (@jofo)
Paul Melson (@pmelson)
Bob Werby
Renae Roccasano
Ijsbrand Slob (@huppie_)
Name Withheld #1
Chad Sturgill (@csturgill)
Michael Yatsko
Jeff Bryner (@p0wnlabs)
Name Withheld #2 (@snooose)
John Poulin (@forced_request)
Name Withheld (@Trojan7Sec)
Name Withheld #3
Name Withheld #4
Name Withheld #5
Name Withheld #6
Name Withheld #7
52. Next steps
Continue data collection and validation
Share analysis of findings by attribute, ranking quartile, and site type
Scoring system that accounts for:
Password strength
Unauthorized access prevention/detection
Password recovery
Authentication bypass
Attack detection/prevention
Password storage
Breach and vulnerability history
Public website to view, add, and update data (and more!)
53. Questions for you
Surprised by the results?
Is there other related data you think would be useful to collect?
Do you think it's possible to use this data to influence websites' decisions?
54. Questions for me
Besides “Why isn't your hair orange?”
55. The opinions shared represent my views, your views, and everyone else's views. And are subject to change. Anything you take offense to was done by someone else. Don't sue me.
Editor's Notes
[REFERENCE] McKayla Maroney is not impressed.
[MENTION]
I’ve been cracking passwords professionally for around 13 years.
Around the time I started, I used John the Ripper; church/jesus (now might have Tebow in it)
Failures in technology, process and humans – phishing guy Monday and Wednesday