Shepherd - an automatic and large-scale study of website login security

Activity: Talk or presentation typesTalk or presentation (not at a conference)Academic


Logging in on websites is common. However, it wasn't always secure - as FireSheep showed dramatically in 2010. A malicious agent could simply eavesdrop on WiFi traffic and steal credentials of logged-in users. In response to FireSheep, major websites fixed their login security. However, it remains unclear whether others followed suit.Investigating this scientifically is fraught with challenges: acquiring passwords, automating logins on unknown websites, etc.

In this talk, we present Shepherd, the result of a 2 year engineering effort to automate website logins. Moreover, we will present and discuss the results of a security scan with Shepherd, which showed that out of 7,113 sites where login was successful, 2,417 (34%) is still vulnerable to some variant on the FireSheep attack.
Period18 Nov 2019
Held atUniversità Ca' Foscari Venezia, Italy
Degree of RecognitionLocal


  • Shepherd
  • login security