A study of Password Composition Policies in KSA and USA in 2020
Abstract
This project reproduces and expands the study by Florencio and Herley
(2010) and the study by Mayer et al. (2016), both published at SOUPS
(2010 and 2016). Those studies examined a sample of USA websites,
investigating the impact of various website features on password
composition policy (PCP) strength. Using a similar approach, this
project re-examined 86 websites in the USA in 2020 to identify changes
across the five years since 2016, and takes a first look at 90 KSA
websites in 2020 to identify differences between countries. The websites
are partitioned into categories by web traffic rank and type of website.
PCP strength, based on an entropy measurement, is the metric used to
score the PCPs of the chosen websites.
The findings show that, in general, the USA 2020 sample has a stronger
minimum average PCP strength than the KSA 2020 sample, but KSA has a
higher average PCP strength for some website types, such as government
and bank websites. Moreover, the features that reduced PCP strength in
the USA and KSA in 2020 are advertising accepted, the user has a choice,
and alternative login methods. CAPTCHA, a new feature examined by this
project, sharply decreased PCP strength in the USA sample and did not
affect PCP strength in the KSA sample.
In addition, this project compares its findings with those of all the
previous studies of PCP strength (i.e. USA 2010/2016, Germany 2016,
UK 2019, China 2018) to identify which countries have the strongest PCPs
and which features affect their PCP strength in general. The findings
indicate that the USA in 2016/2020 and the UK in 2019 performed well and
have stronger PCPs than the other countries. KSA 2020 has the
second-strongest PCP strength, USA 2010 the third, and Germany the
fourth, while China 2018 has the weakest. So the USA 2016/2020 and
UK 2019 samples used strict PCPs, whereas the China 2018 sample used
weaker PCPs on its websites.
Furthermore, the feature "the user has a choice" has a greater impact
on PCP strength in all countries than the other features, and it reduced
PCP strength in all website samples. An interesting finding is that no
feature affected the China 2018 sample, and there is no evidence of any
negative impact on China's PCP strength.