Recently some colleagues signed up for using Yammer (yammer.com).
Perhaps a little paranoid i decided to register myself, in order to have a look at the security they provide. After all i'm supposed to do some sort of monitoring, control and provide reasonable advice on security issues affecting me, colleagues, friends, customers as well as providers of various services.
What is Yammer?
Yammer describes their service as "enterprise microblogging". Think of it as a combination of Facebook and Twitter (if you've tried those services). The ability to "microblog", create groups of users and topics for discussion etc, is really a good idea for releasing creativity and aid co-workers in finding each other, and collaborate together.
Free to use as many other similar services, but if you want additional features, including security (and some control of it), you have to pay. Really not bad for a business concept; try it for free, if you like it you can use the basics for free or pay up a monthly fee per user to get the whole range of features.
Your e-mail address is your username, and if this is to be used for work purposes you really need to use your work e-mail. From my perspective it means that if somebody tells me they're using yammer, you instantly know their logon id. What you need to figure out now is their password to gain unauthorized access.
So Yammer, how's your default password policy? Here's a screenshot:
Uh... Yeah, and? That's it? Nothing else?
Well, the length requirement is correct, I'll give them that. However (for the free version);
1. There are no complexity requirements
abcde or 12345 works perfectly as your password
2. There's no password history
You can use the same password over and over - if you decide to change it in the first place.
3. There doesn't seem to be any account lockout
I tried 10-15 incorrect passwords, the account still worked after that with the correct password.
Of course, this applies to the free version of Yammer. If you choose to pay either USD 3,- or 5,- (silver/gold) per user per month, you can probably change some or all of these parameters yourself (i haven't paid, so i haven't seen any documentation for it...)
In my opinion a serious breach of good practice recommendations for password policies, where 8 characters is the typical minimum length along with complexity requirements (upper/lowercase + numbers or special characters), as well as some sort of history and frequency of required password change. (do they ever delete any accounts due to inactivity?). Anyway, you get what you pay for, so no violations here from a legal perspective. Be aware of this one though:
The screenshot is taken from the page describing their silver and gold features. Essentially Yammer claims ownership to anything and everything you post on their service (...), until you pay their monthly fees. THEN you are considered the owner of the data posted by your users on Yammer.
Getting serious with YAMMER
So you've tried Yammer for some time, and you decide to use it with all the bells and whistles in the paid subscription options. Of course you want to take of security as well, setting your own password policy among other parameters. Well; I've documented numerous times that changing your written and your implemented policy doesn't automatically fix all the non-compliant passwords overnight.
What you essentially will have to do is to force a password change overnight for all users in order to become compliant with your policy. Well, people are on leave for many reasons, you have inactive users etc (which you must pay for anyway), so the initial password problem will stay with you for a LOOONG time after signing up for the paid service. All that because Yammer in the first place didn't have anything near a decent good practice password policy implementation for your users in the free version. Well worth YAMMERING about i would say.
So dear YAMMER, here's some advice for free:
1. Inform all existing and new users about the current policy
...and the risks associated with it
2. Implement a common "best practice" password policy
Applies to both the free version as well as your silver/gold subscriptions
3. Enforce a change of all (non-compliant) passwords
To ensure the security of all users and accounts. Tip; reserving the right to do password audits for internal security monitoring may be an idea - protect your customers!
Yes, i do know that number 3 here is kind of radical and may cause quite a bit of yammering, but that's the cost of starting out with bad security and then try to fix it afterwards. (Been there, done that).
... And now i'll change my abcde password into something which should be good enough. :-)
End note: initially when i signed up for Yammer just a few months ago, their password length requirement was 1 (one) single character. After i put out a Tweet (on Twitter...) complaining about this serious lack of security they responded very quickly, and they changed their minimum/default policy into 5 characters length approx 2 weeks later. Will they respond to this blog posting as well?