Automated Detection of Password Strength Meters at Scale
BARRY, AMADOU SARJO
2023/2024
Abstract
In this work, we developed an automated framework that detects Password Strength Meters (PSMs) specifically on the top 5000 domains from the Tranco list. The tool navigates to the signup pages of these domains, detects password fields, and then, once a password field is detected, detects the presence of Password Strength Meters using multiple criteria, including textual and visual indicators, which help to cover a wide scope of possible PSM implementations. This research was a joint collaboration between myself and my colleague Prakhar Gupta. We collaborated from the start of the project, determining the navigation mechanism, the tools to be used, and the strategies to detect the signup password fields. It was at this juncture that we diverged on strategies: while I focused on the detection of PSMs by observing and detecting changes in textual and visual indicators around the detected password field, he focused on capturing and analyzing all the feedback from Password Strength Meters and Password Validation Widgets. Our framework leveraged the Python Playwright library for browser automation and other related libraries and functionality for an effective automated detection of Password Strength Meters implemented by web domains. Previous extensive work on Password Strength Meters was limited in scale and was executed manually. The chosen dataset (5000 domains) is a huge upgrade on the 250 domains that Van Acker et al. [VanAcker2015] analyzed manually. The tool we used was found to have detected 91 PSMs with an accuracy of 39.5%. These automatically detected PSMs are on all domains successfully navigated with a password field. Finally, this project contributes to password security by automatically detecting PSMs on a large scale.
Furthermore, by showcasing the feasibility of automated large-scale PSM detection and related security assessments, this work paves the way for future research on web authentication mechanisms, password policy enforcement, and browser-based security audits. The insights derived from this study could inform best practices for web developers, cybersecurity professionals, academics, and policy makers working toward a more secure web and information domain.
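The textual-and-visual-indicator criterion described in the abstract, as an added illustration that is not the thesis's own code: each candidate password typed into the detected field yields a snapshot of the text and a few style/attribute values of the neighbouring region, and a meter is flagged only when those values keep changing across candidates. The snapshot dictionaries, the tracked attribute names and the strength-word list are assumptions constructed for this example; in a Playwright-based pipeline the snapshots would be read from the page after each `fill()`.

```python
import re

# Added example (not the thesis's code). A "snapshot" holds the text plus a few
# style/attribute values of the region next to the detected password field,
# read after each candidate password was typed. A Playwright pipeline would
# fill these from the live page; the dictionaries below are hand-constructed.
STRENGTH_WORDS = re.compile(r"\b(very weak|weak|fair|medium|good|strong|very strong)\b", re.I)
VISUAL_KEYS = ("width", "background-color", "class", "aria-valuenow")

def textual_indicator(prev, cur):
    """Textual evidence: nearby text changed and now names a strength level."""
    return prev.get("text") != cur.get("text") and bool(STRENGTH_WORDS.search(cur.get("text", "")))

def visual_indicator(prev, cur):
    """Visual evidence: which tracked bar/colour/class/ARIA values changed."""
    return [k for k in VISUAL_KEYS if prev.get(k) != cur.get(k)]

def detect_psm(snapshots):
    """snapshots: (candidate_password, snapshot) pairs in typing order.
    Only transitions between two non-empty candidates count, and a visual change
    must recur across at least two transitions: a meter keeps reacting as the
    password gets stronger, whereas a validation widget shows one fixed message
    and then goes quiet. Returns (is_psm, evidence)."""
    typed = [snap for pw, snap in snapshots if pw]
    text_hits, visual_counts = [], {}
    for prev, cur in zip(typed, typed[1:]):
        if textual_indicator(prev, cur):
            text_hits.append(cur["text"])
        for key in visual_indicator(prev, cur):
            visual_counts[key] = visual_counts.get(key, 0) + 1
    visual_hits = sorted(k for k, n in visual_counts.items() if n >= 2)
    return bool(text_hits or visual_hits), {"text": text_hits, "visual": visual_hits}

# Constructed snapshots: a real meter (bar widens, relabels, reclasses) versus
# a validation-only widget (one fixed rule message that later disappears).
METER = [
    ("", {"text": "", "width": "0%", "class": "bar"}),
    ("a", {"text": "Weak", "width": "25%", "class": "bar weak"}),
    ("password1", {"text": "Weak", "width": "25%", "class": "bar weak"}),
    ("Tr0ub4dor&3", {"text": "Good", "width": "75%", "class": "bar good"}),
    ("correct horse battery staple!", {"text": "Strong", "width": "100%", "class": "bar strong"}),
]
VALIDATOR = [
    ("", {"text": "", "class": "hint"}),
    ("a", {"text": "Password must be at least 8 characters", "class": "hint error"}),
    ("password1", {"text": "", "class": "hint"}),
    ("Tr0ub4dor&3", {"text": "", "class": "hint"}),
]
```

The "recur across two transitions" rule is one way to keep a validation widget's single state flip from being counted as a meter; it does not help with meters that react only once, which is one reason automated detection of this kind has limited accuracy.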
File | Size | Format
---|---|---
Thesis_893794_pdfA.pdf (embargoed until 14/03/2027) | 864.68 kB | Adobe PDF
Documents in UNITESI are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/20.500.14247/24863