Wednesday, January 20, 2010

Socialcast password security

I'm happy to see that people seem to be interested in the issues I'm blogging about; I really appreciate that. So the other day I saw that someone working for Socialcast started to follow me on Twitter, which reminded me that I had signed up for a free account there as well, in order to have a look at their password policy.

First of all, Socialcast seems to be close to a replica of Yammer (sorry, people!), at least during my first few minutes looking at their official information and logging in to their free service. As usual, I ran through my little tests on password security, so I'll be quick on this one.

Aha. Their minimum length requirement is 4 characters. Additionally, I managed to set abcd, 1234 and password as my password, before returning to my original password. To summarize:

- Very weak minimum length (4 characters)
- No complexity requirements whatsoever
- No "forbidden words" wordlist appears to be present
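To make the three missing controls concrete, here is an added example (my own illustration, not Socialcast's or Yammer's code) of a password-policy check that enforces a minimum length, a character-class requirement and a forbidden-word list. The thresholds and the short wordlist are assumptions chosen for illustration; it also catches the trivial substitutions (p@ssw0rd) and the abcd/1234 sequences mentioned above, which a plain wordlist lookup would miss.

```python
"""Added example: a minimal password-policy check covering the three
controls this post finds missing at Socialcast (minimum length,
character-class complexity, forbidden-word list).  Not vendor code;
the thresholds and the wordlist below are illustrative assumptions."""

import re
from typing import List

# Assumed policy parameters (not taken from any vendor documentation).
MIN_LENGTH = 8
MIN_CLASSES = 3  # out of: lowercase, uppercase, digit, symbol

# Constructed sample "forbidden words" list.  A real deployment would load
# a much larger list (common-password dumps, the product name, etc.).
FORBIDDEN_WORDS = {"password", "abcd", "1234", "qwerty", "letmein", "socialcast"}

# Trivial leet-style substitutions users apply to dodge a wordlist.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                       "$": "s", "5": "s", "!": "i"})


def character_classes(pw: str) -> int:
    """Count how many character classes the password draws from."""
    classes = 0
    if re.search(r"[a-z]", pw):
        classes += 1
    if re.search(r"[A-Z]", pw):
        classes += 1
    if re.search(r"[0-9]", pw):
        classes += 1
    if re.search(r"[^A-Za-z0-9]", pw):
        classes += 1
    return classes


def is_sequential(pw: str) -> bool:
    """True for runs like 'abcd', '1234' or 'dcba' (consecutive code points)."""
    if len(pw) < 4:
        return False
    steps = [ord(b) - ord(a) for a, b in zip(pw, pw[1:])]
    return all(s == 1 for s in steps) or all(s == -1 for s in steps)


def normalise(pw: str) -> str:
    """Lower-case and undo leet substitutions so 'P@ssw0rd' matches 'password'."""
    return pw.lower().translate(_LEET)


def check_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    # Check both the raw lower-cased form and the de-leeted form, because
    # normalising '1234' would otherwise turn it into 'i2e4' and hide it.
    candidates = {pw.lower(), normalise(pw)}
    if any(word in cand for cand in candidates for word in FORBIDDEN_WORDS):
        problems.append("contains a forbidden word")
    if is_sequential(pw):
        problems.append("is a simple sequence")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the three the post set, plus one per failure mode.
    for candidate in ["abcd", "1234", "password", "a", "P@ssw0rd!", "Tr0ub4dor&3xample"]:
        verdict = check_password(candidate)
        print(f"{candidate!r:22} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Run stand-alone, the script prints a verdict per constructed sample; the three passwords the post managed to set are all rejected, as is the single-character password from the comment below the post, while only the last sample passes. The substring check is deliberate: a wordlist that only rejects exact matches lets "password1" straight through.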

Oops! That's worse than Facebook and Twitter, as well as most others I've seen during the last 12-13 years of working full-time with security. To be honest, I cannot find anything on your website documenting which options I'll get if I "claim administrative rights" (i.e. purchase the solution).

Your public security page claims:
"Company data is stored securely with 128-bit secure socket layer data encryption, time-stamped data record management, frequent backups, and complete detailed transaction audit trails."

I presume you mean that the transmission of data over the Internet is secured with 128-bit SSL, but I'm a little unsure how you store the data using SSL. (SSL is the predecessor of TLS, which is the common standard now. Both SSL and TLS are communication protocols: they protect data in transit between the browser and your servers, and say nothing about how the data is protected once it is at rest in your database or backups.) Would you care to explain?

I would really advise Socialcast to improve their documentation as well as the baseline security of their product. In my view, you will become more competitive if you can document best-practice security in both your free and your paid solution.

1 comment:

  1. The latest news is that their password policy now allows single character passwords.
