I'm happy to see that people seem to be interested in the issues I'm blogging about; I really appreciate that. So the other day I saw that someone working for Socialcast had started to follow me on Twitter, which reminded me that I had signed up for a free account there as well, in order to have a look at their password policy.
First of all, Socialcast seems to be close to a replica of Yammer (sorry, people!), at least during my first few minutes looking at their official information and logging in to their free service. As usual, I ran through my usual little tests on password security, so I'll be quick on this one.
- Very weak minimum length
- No complexity requirements whatsoever
- No "forbidden words" wordlist appears to be present
Oops! That's worse than Facebook and Twitter, as well as most others I've seen during the last 12-13 years working full-time with security. To be honest, I cannot find any documentation on your website describing which options I'll get if I "claim administrative rights" (that is, purchase the solution).
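As an added illustration (not code from the original post or from Socialcast), here is a small validator implementing the three checks listed above: minimum length, character-class complexity, and a forbidden-words list that also catches accented and leetspeak variants. The wordlist, thresholds and sample passwords are constructed; the defaults model a sensible policy, and relaxing the parameters reproduces the weak one described.

```python
import re
import unicodedata

# Constructed example wordlist: a real deployment would load a much larger
# list (common passwords, the company name, product names) from a file.
FORBIDDEN_WORDS = {"password", "socialcast", "welcome", "qwerty", "letmein"}

# Common leet substitutions undone before the wordlist lookup, so that
# "P@ssw0rd" is still recognised as "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def normalize(password: str) -> str:
    """Lower-case, strip accents and undo leet substitutions for wordlist matching."""
    folded = unicodedata.normalize("NFKD", password).encode("ascii", "ignore").decode()
    return folded.lower().translate(LEET_MAP)


def check_password(password: str, min_length: int = 12, min_classes: int = 3,
                   forbidden: set = FORBIDDEN_WORDS) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []

    # Check 1: minimum length.
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Check 2: complexity, counted as distinct character classes present.
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, password)) for p in patterns)
    if classes < min_classes:
        problems.append(f"uses {classes} character classes, policy requires {min_classes}")

    # Check 3: forbidden words, matched as substrings of the normalized form.
    normalized = normalize(password)
    hits = sorted(word for word in forbidden if word in normalized)
    if hits:
        problems.append("contains forbidden word(s): " + ", ".join(hits))

    return problems
```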
Your public security page claims:
"Company data is stored securely with 128-bit secure socket layer data encryption, time-stamped data record management, frequent backups, and complete detailed transaction audit trails."
I presume you mean that the transmission of data over the Internet is secured with 128-bit SSL, but I'm a little unsure how you store data using SSL. (SSL is the predecessor of TLS, which is the common standard now; both SSL and TLS are communication protocols that protect data in transit, not data in storage.) Would you care to explain?
I would really advise Socialcast to improve their documentation as well as the baseline security of their product. In my perception you will increase your competitiveness if you can document best-practice security in your free as well as your paid solution.