Monday, January 04, 2010

Facebook - Policy inconsistency

After pointing fingers at Yammer in a previous blog post, it's time to take a look at Facebook and their password policy.

I'm on Facebook. I've got more colleagues there as "friends" than I have family and friends from my personal life. Yes, I do draw a very clear line between colleague and friend. Colleague != friend, period.

Not long ago somebody found out that Twitter had a list of 370 passwords that they had banned from being used by their users. The list was easily available; you could see it in the page source code at their website. Does Facebook have any similar lists of forbidden words, phrases or common passwords? Have they implemented technical rules to enforce the written policy? Let's have a look at the Facebook settings for my own account: (slightly mangled username/password clues and in Norwegian, for obvious reasons)

The Facebook password policy says (comments by me in italic):

1. When you change your password you will be logged off on all other computers
A password policy should be regarded as requirements. This is a piece of information, and does not belong in a policy.

2. Do not use the same password as you are using on other internet services
Good advice, impossible for anyone (including Facebook) to control, limit or audit in any way. I would remove it from the policy, and write another section with good advice as well. Oh, and rather few seem to follow this advice anyway.

3. Your new password must be at least 6 characters in length
Google or Bing: the current best-practice recommendation these days is a minimum of 8 characters. It seems that the vendors and the security community recommend a minimum of 8, while the service providers like Twitter, Yammer, Facebook and others are lagging behind, with 5 or 6 character length requirements. Why?

4. Use a combination of letters, numbers and characters
I presume special characters for the last part, but interestingly enough they list 3 character groups instead of the four we've got (upper, lower, numbers and special characters). And then, as a separate bullet, comes a piece of information that really belongs in a policy:

5. The system differentiates between upper and lower letters. Remember to check your CAPS LOCK key.

So there you have it, the Facebook password policy. Are they requirements, or just a piece of good advice? Have Facebook really implemented these requirements technically?

I've got a unique password on my Facebook account which is far and above these requirements. I logged in, and wanted to test my curiosity. In the above picture I'm trying to change my password into abcdef, and I got the following result:

"You cannot use a common wordlist word as your password. Use a more secure password". Uhm, ok. What about 123456? No, same answer. Well, let's try the ultra-top-secret non-wordlist-existing password fedcba then, and let's see what happens:

Your password has been changed. Darn.

Seriously, Facebook: there really should be consistency between your written and your technical implementation of a password policy. The way it is now, there is very little consistency between what you say and what you do. I don't know who does your audits, but I really hope they read my blog and call you for a quick chat on your inconsistencies.

.... and I will change my password - again. Did I mention that Facebook does not seem to enforce periodic password changes, neither do they maintain any password history so that you (or somebody else) can change your password back to the previous one? Not good.
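
The inconsistency described in this post, sketched as an added example (not Facebook's code and not part of the original post): an exact-match banned list rejects abcdef and 123456 but accepts fedcba, while a check that also folds case, reverses the candidate and detects ascending or descending runs rejects all three, and the written rules are enforced in the same function. The `BANNED` set is a constructed sample and all function names are hypothetical.

```python
import string

# Constructed sample list; a real deployment would load a large common-password list.
BANNED = {"abcdef", "123456", "password", "qwerty"}
MIN_LENGTH = 6  # the written minimum quoted in the post


def is_sequential_run(pw: str) -> bool:
    """True if every character is exactly one step above (or below) the previous one."""
    if len(pw) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def naive_blacklist_hit(pw: str) -> bool:
    """Exact-match lookup only: consistent with the behaviour observed in the post."""
    return pw in BANNED


def hardened_blacklist_hit(pw: str) -> bool:
    """Fold case, then also match reversed entries and ascending/descending runs."""
    folded = pw.casefold()
    return folded in BANNED or folded[::-1] in BANNED or is_sequential_run(folded)


def check_policy(pw: str) -> list:
    """Return the written rules the candidate violates (empty list = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    classes = (
        any(c.isalpha() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if not all(classes):
        problems.append("needs letters, numbers and special characters")
    if hardened_blacklist_hit(pw):
        problems.append("common or trivially derived password")
    return problems


if __name__ == "__main__":
    for candidate in ("abcdef", "123456", "fedcba"):
        print(candidate, naive_blacklist_hit(candidate), check_policy(candidate))
```
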

1 comment:

  1. Hey, I first want to start out by saying that I've been keeping up with your blog and I really like what you are doing. Keep up the good work!

    I kind-of want to cut Facebook some slack with their password policy though. First off, I view most website password policies instead as user guides. I know, the hijacking of the word 'policy' is really annoying since as you correctly point out, policies should be something enforceable. Unfortunately, I don't think that is going to change since the incorrect usage of the word policy has entered the popular vernacular. So what I'm trying to say is I agree with your objections, but I understand why Facebook doesn't make the distinction between policies and recommendations.

    In regards to their very basic password creation rules, I'm fairly certain Facebook is only interested in stopping online, (where the attacker does not possess the password hash), attacks. The business case just doesn't exist for them to do more than the bare minimum to stop offline attacks. Aka, I would be (pleasantly) surprised if they hash their passwords with more than one round of MD5 or SHA1/2, (though I hope they do use a salt). By focusing only on online attacks, the threat model generally limits a typical attacker to about 20 guesses, (give or take), before they have to start answering captchas every other guess. I haven't looked into how Facebook handles distributed guessing attacks, (the problems with being a white-hat), but in most cases Facebook probably doesn't expect for a normal attacker to make more than a thousand guesses or so. Therefore their actual password creation policies are focused on minimizing that specific threat while not annoying customers. I need to get around to posting some actual results online, but against a limited attack, the minimum password length requirement doesn't seem to make much of a difference since the attacker will probably rely upon a dictionary attack. Aka, there's not much difference when making a guess with a 6 letter dictionary word vs. an 8 letter dictionary word. A possible counterpoint might be though that given a longer minimum required password people may be more likely to use digits/special characters. In that case an 8 character minimum requirement might actually help quite a bit. If you have seen evidence of this I'd be very interested in finding out about that. A counter-counter point might then be maybe the defender should instead use a character-class requirement, (aka must contain a number/special character), instead of upping the minimum password length. All I know is I certainly don't have the answers yet ;)

    As to your password example, "fedcba", I'm not surprised it wasn't in Facebook's blacklist. Going over the rockyou list, "fedcba" showed up just 15 times. To put that in perspective, 138 people used the password "zebra", and over 29 thousand people chose the password "123456".

    Please take everything I say with a grain of salt, since as I said before, I'm still trying to figure out what constitutes a good policy myself. I look forward to continuing this conversation and reading more posts on this subject in the future.

