Monday, January 18, 2010

Yammering - a reply to @henriksen

This is a reply to @henriksen, who asked me whether I had tested the paid version of Yammer, based on my earlier blog post "YAMMERing about security". No, I have not tested the paid version.

However, within minutes of posting it I did receive a comment from Jimp79 (jimpatterson), with this picture:
[image: screenshot of the password policy settings in the paid version of Yammer]

The picture apparently shows the password policy in the paid version of Yammer. Although you cannot see all of the available options, the picture does show a policy that is... reasonable. However, simple or customizable controls such as the following do not seem to be available (Yammer, feel free to tell me I'm wrong here!):

- the password must not be the same as the username, or
- the password may not be, start with, or contain any of the following words

I have seen very few organizations where there are no occurrences of password=username, and the organization's name is a sure winner for password guessing as well, hence the wordlist control. My overall impression of Yammer's password policy is that it is not good enough, given the best-practice recommendations available from several well-known sources. This particularly applies to the free version of Yammer. For all those who choose to use only the free version, Yammer doesn't provide anything close to what I would consider a "secure enough" solution.
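As an added illustration (not code from the original post, and not Yammer's own implementation), here is a small Python check that enforces the two missing controls described above on top of a minimum-length rule; the forbidden word list, the minimum length and the sample organization name are assumptions made for the example.

```python
import re

# Constructed example policy: the organization name, the other words and the
# minimum length are assumptions for illustration, not Yammer's real settings.
FORBIDDEN_WORDS = ("Example Corp", "password", "welcome", "yammer")
MIN_LENGTH = 8


def _normalize(s):
    # Compare case-insensitively and ignore separators, so that
    # "Example-Corp1" still matches the forbidden word "Example Corp".
    return re.sub(r"[^a-z0-9]", "", s.lower())


def check_password(password, username,
                   forbidden_words=FORBIDDEN_WORDS, min_length=MIN_LENGTH):
    """Return a list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < min_length:
        violations.append("too short")

    norm_pw = _normalize(password)
    # Control 1: the password must not equal the username. Logins are often
    # e-mail addresses, so also compare against the local part before the "@".
    norm_user = _normalize(username)
    local_part = _normalize(username.split("@", 1)[0])
    if norm_pw in (norm_user, local_part):
        violations.append("password equals username")

    # Control 2: the password may not be, start with, or contain a forbidden
    # word (e.g. the organization's name). Report the strongest match only.
    for word in forbidden_words:
        w = _normalize(word)
        if not w:
            continue
        if norm_pw == w:
            violations.append(f"password is the forbidden word {word!r}")
        elif norm_pw.startswith(w):
            violations.append(f"password starts with forbidden word {word!r}")
        elif w in norm_pw:
            violations.append(f"password contains forbidden word {word!r}")
    return violations


if __name__ == "__main__":
    for pw, user in (("Alice.Smith", "alice.smith@example.com"),
                     ("ExampleCorp2010!", "bob"),
                     ("Tr0ub4dor&3xtra", "bob")):
        print(pw, "->", check_password(pw, user) or "OK")
```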

If I'm to buy a new car but want to test drive it first, I really don't want the seller to remove the brakes, airbags and seat belts before I take it out for a test drive, period. Showing me a single photograph of what they look like before I make the purchase really won't improve the situation.

To summarize...
You want to test Yammer, so you test the free version. Depending on your organization's size, that may involve hundreds or thousands of users. Then you decide to go for the full (paid) version. Not only would you then have to implement a password policy that most probably will NOT match what you have internally, but you will also need to enforce a password change ASAP for all your users to obtain the necessary password security. Believe me, your users will not appreciate that.

Until everyone has changed their password (how can you know? Any reports available, Yammer?), you have a risk which you can't really measure or control properly.

It's easy, Yammer: provide proper security from the beginning. Let features be the reason to purchase the full product, not the lack of security.
