Password Requirement Analysis of 100 Major Internet Sites

This paper is quite a bit old, but was mine and another Cadet’s Senior paper.  I feel like it was pretty adequate, but failed to take the next leap, which was actually come up with suggested standards depending upon information sensitivity.  Interesting enough with the addition of Risk Management Framework in the Department of Defense, Information sensitivity level is one of the key steps to identifying what precautions are necessary.  I still get a kick out of reading the data we gathered at the time, especially like American Express in 2008 required the password to be no more than 8 character, but no less than 6.  It needed one letter and one number, but no spaces or special characters.  It could not be your User ID and it was NOT case sensitive.


Many sites have different requirements for the complexity of the password required to login. There is no prescribed industry standard, just site specific recommendations for passwords. This causes specific sites to have inherently weaker passwords than their similar counter-parts. We have created a comparative analysis of one hundred major on-line websites in thirteen sectors that illustrate the disconnect between information sensitivity stored on the site and the minimum password strength used to protect it. Through this comparative analysis, we have created a web application allowing the user to input a password and be able to identify its strength and compare it to the password requirements in the analysis.

Link to Paper

Link to Data