Comments on Security Nirvana: YAMMERing about security (comment feed, 3 comments)

Comment by Unknown (https://www.blogger.com/profile/05589151959000692620), 2010-03-12 09:18 +01:00:

Also, to address your other concern about password lockout. Password lockout is not a good solution for Yammer for a couple of reasons. First, since Yammer is an Internet facing service, it would be very easy for an external attacker to perform a denial of service attack against a company's Yammer network, by locking out all their employees. All they would need is a list of email addresses. Second, under the free version of Yammer there is no administrator to unlock accounts, so you'd need to have the account automatically re-enabled after some period of time, which is not really account lockout, but login attempt throttling.

Yammer does use a login attempt throttling mechanism for all accounts, both free and paid, to mitigate against password brute-force attacks. We actually use an exponential backoff algorithm that increases the lockout period exponentially the more bad password attempts are made, so a brute force attack of even a few thousand passwords wouldn't be possible in any reasonable amount of time.

So given this fact, I fail to see why an 8 character password minimum is much better than a 5 character password minimum. 5 characters gives over 2.3 trillion possible password combinations. Unnecessarily requiring longer and more complex passwords can in some cases reduce security, since it forces users to write down their passwords or reuse the same password across multiple services in order to remember it.

Comment by Unknown, 2009-12-14 00:11 +01:00:

Once a company claims their network they are able to set significantly more secure password policies, which include a larger minimum password length with complexity requirements, a password history, as well as requiring users to change their password periodically.

Here is a screenshot of the password settings for claimed networks.
http://twitpic.com/tewdp

Comment by Unknown, 2009-12-14 00:05 +01:00:

One clarification that should be made is that even for the Basic/Free account Yammer does not make any claims on data ownership. It is either owned by the individual employees (at the free level) or the company (at the paid level).

It states in the Yammer privacy policy: "Companies who claim their network own the User Content created by their employees. Until that point, Users own their own User Content. Yammer does not own User Content."

https://www.yammer.com/company/privacy