Countless web services require authentication, e.g., e-banking, online shops, forums, or messaging facilities. In many cases authentication is implemented with individual user name and password combinations. Whoever implements such a web service has to decide on security requirements such as minimal password length, permitted characters, and expiration date.
Since computational power increases continuously, passwords that once seemed strong become weak over time. We believe that many developers of such implementations are unaware of how much security their minimal password requirements actually provide.
The quality of passwords has been studied intensively [01], as has password use in the wild [02]. However, previous studies did not thoroughly inspect the password policies used in the wild, which are what led to the insecure user passwords in the first place.
In this seminar project we want to explore how we can extract the password policies from existing authentication web pages, and assess them to gather a first glimpse into the severity of this problem.
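A small illustration of both halves of that idea, added here as example code and not part of the project itself: it pulls the policy out of a constructed registration form's minlength and pattern attributes, then counts how many passwords a user who does the bare minimum could have chosen, so the policy can be stated as a time to exhaust at an assumed guess rate. The class-name mapping, the 33-symbol alphabet and the guess rate are assumptions.

```python
import re
from collections import namedtuple
from html.parser import HTMLParser
from itertools import combinations

# Constructed sample registration form; not taken from any real site.
SAMPLE_FORM = """<form action="/register" method="post">
  <input type="password" name="pw" minlength="8"
         pattern="(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z]).*">
</form>"""
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # assumed alphabet sizes
PasswordPolicy = namedtuple("PasswordPolicy", "min_length required_classes")

class PolicyExtractor(HTMLParser):
    """Collect minlength / pattern attributes of <input type="password">."""
    def __init__(self):
        super().__init__()
        self.min_length, self.classes = 1, set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "input" or a.get("type") != "password":
            return
        self.min_length = int(a.get("minlength") or self.min_length)
        # Heuristic: lookaheads such as (?=.*[0-9]) in the HTML5 pattern
        # attribute encode mandatory character classes.
        for cls, rx in (("digit", r"\[0-9\]|\\d"), ("lower", r"\[a-z\]"),
                        ("upper", r"\[A-Z\]"), ("symbol", r"\[\^a-zA-Z0-9\]|\\W")):
            if re.search(rx, a.get("pattern") or ""):
                self.classes.add(cls)

def extract_policy(html):
    p = PolicyExtractor()
    p.feed(html)
    return PasswordPolicy(p.min_length, frozenset(p.classes))

def weakest_keyspace(policy):
    """Passwords of exactly min_length drawn only from the required classes that
    still contain each class at least once (inclusion-exclusion)."""
    classes = sorted(policy.required_classes) or ["lower"]
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    total = 0
    for k in range(len(classes) + 1):
        for excluded in combinations(classes, k):
            remaining = alphabet - sum(CLASS_SIZES[c] for c in excluded)
            total += (-1) ** k * remaining ** policy.min_length
    return total

def seconds_to_exhaust(policy, guesses_per_second):
    """Time to enumerate the weakest keyspace at an assumed guess rate."""
    return weakest_keyspace(policy) / guesses_per_second
```

For the sample policy (8 characters, lower, upper and digit required) the bare-minimum space is already below 62^8, and at an assumed 10^10 guesses per second it is exhausted in a few hours.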
Your task will consist of:
[01] Weir et al.: Testing metrics for password creation policies by attacking large sets of revealed passwords. CCS '10: Proceedings of the 17th ACM Conference on Computer and Communications Security, 2010.
[02] Inglesant et al.: The true cost of unusable password policies: password use in the wild. CHI '10: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2010.