I've written about Facebook and their password policy back in january 2010, which got a good response from Matt Weir, whom I really respect and appreciate having discussions with. Looking over my older posts, i decided to have a new look to see if anything had changed, or if I missed something the first time. Obviously I've found something more to write about. :-)
Usernames are usually not safeguarded by end-users. They're not told to, so if you ask they will tell you. Hey, even helpdesk will ask for your username as an incredibly easy way of "verifying" you. Oh yes, I've written about this as well in one of my very first blog posts; "Guarding your usernames".
Some online services allows you to choose a random username, others will simply use your e-mail address as your username. I prefer the random choice, making things just a bit more tricky for the targeted attacker.
But lets stick to todays topic: Facebook and their password policy / recommendations. I did a few tests today (September 25, 2010):
|(forgive me for the Norwegian - my native language, I'll translate...)|
Background info: I'm using my work e-mail address as my username. It's easy: per.thorsheim - at - something - dot - com.
So the minimum "requirements/policy" (still a mix here...) are given on the primary screen (background):
- Do not use the password as you do on other online accounts
- Your new password must be at least 6 characters
- Use a combination of letters, digits and special characters
- Passwords are case-sensitive
- It must not contain your name
- It should not be a common word from a wordlist
- It should contain one or more digits
- It should contain UPPER and lower letters
- It should be at least 8 characters
- It must be different than your previous password
- I was denied using thorsheim as my new password. Good, since it is only letters, only lowercase, and my last name. A very rare last name, but I guess that doesn't matter here. :-) Mix-case variants of the same were also denied. Even better!
- per.thorsheim was denied. Good!
- Thorsheim10 was accepted. Oops. Oh well; you can create endless passwords containing your name, but most of those who do use first or last names are really not that creative. (believe me!)
- perperper was accepted. All lower-case. No digits. No special characters. Containing my first name. Well, there are - there must be minimum length limitations on which characterer combinations to exclude from a "do not use your name" policy. I guess I'm track of it here. :-)
- firstname.lastname-at-something.com got accepted. Oh COME ON Facebook! You have got to be kidding me! FACEBOOK just allowed me to use my username as my password. Oldest trick in the history of stupid passwords I guess!
As far as I can remember, the compromised Rockyou password list also contained what seemed as complete e-mail addresses. Now I for sure won't test those or find their origins, but I'm tempted to believe those were proof of people using their logon usernames as their passwords. Not too many, one too much in any way.
So a request - or a recommendation - for Facebook: do a simple change in your technical password policy implementation. Disallow using the full logon username as your password, since that's the second easiest guess after blank passwords, which hopefully doesn't exist anywhere on Facebook.