Monday, September 27, 2010

Playing passwords with Facebook

I wrote about Facebook and their password policy back in January 2010, which got a good response from Matt Weir, whom I really respect and appreciate having discussions with. Looking over my older posts, I decided to have a new look to see if anything had changed, or if I missed something the first time. Obviously I've found something more to write about. :-)

Usernames are usually not safeguarded by end-users. They're not told to, so if you ask they will tell you. Hey, even helpdesk will ask for your username as an incredibly easy way of "verifying" you. Oh yes, I've written about this as well in one of my very first blog posts; "Guarding your usernames".

Some online services allow you to choose a random username, others will simply use your e-mail address as your username. I prefer the random choice, making things just a bit more tricky for the targeted attacker.

But let's stick to today's topic: Facebook and their password policy / recommendations. I did a few tests today (September 25, 2010):

(forgive me for the Norwegian - my native language, I'll translate...)
Background info: I'm using my work e-mail address as my username. It's easy: per.thorsheim - at - something - dot - com.
So the minimum "requirements/policy" (still a mix here...) are given on the primary screen (background):
  • Do not use the same password as you do on other online accounts
  • Your new password must be at least 6 characters
  • Use a combination of letters, digits and special characters
  • Passwords are case-sensitive
Additionally you may click the question mark on the right of the "New password" entry field, giving you some additional advice:
  • It must not contain your name
  • It should not be a common word from a wordlist
  • It should contain one or more digits
  • It should contain UPPER and lower letters
  • It should be at least 8 characters
  • It must be different than your previous password
So there's still a nice mix of "requirements" and "recommendations", as you can see. How well are they actually implemented? Oh, and they even have a password meter implemented as well. Hmm...... Do you trust those?
  1. I was denied using thorsheim as my new password. Good, since it is only letters, only lowercase, and my last name. A very rare last name, but I guess that doesn't matter here. :-) Mix-case variants of the same were also denied. Even better!
  2. per.thorsheim was denied. Good!
  3. Thorsheim10 was accepted. Oops. Oh well; you can create endless passwords containing your name, but most of those who do use first or last names are really not that creative. (believe me!)
  4. perperper was accepted. All lower-case. No digits. No special characters. Containing my first name. Well, there are - there must be minimum length limitations on which character combinations to exclude from a "do not use your name" policy. I guess I'm on track here. :-)
  5. got accepted. Oh COME ON Facebook! You have got to be kidding me! FACEBOOK just allowed me to use my username as my password. Oldest trick in the history of stupid passwords I guess!
I had to stop there. I was tempted to try out the password meter function a little, comparing it to results from my earlier blog post. I had also planned to test a few other variants as well, to figure out your technical implementation limits. But allowing your users to use their usernames as their passwords? Seriously?

As far as I can remember, the compromised RockYou password list also contained what seemed to be complete e-mail addresses. Now I for sure won't test those or find their origins, but I'm tempted to believe those were proof of people using their logon usernames as their passwords. Not too many, but one is too many in any case.

So a request - or a recommendation - for Facebook: make a simple change in your technical password policy implementation. Disallow using the full logon username as your password, since that's the second easiest guess after blank passwords, which hopefully don't exist anywhere on Facebook.
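A sketch of the server-side check requested above, as an added example (not Facebook's code and not part of the original post). It rejects a password that equals the login name or contains the e-mail local part or a name component, compared case-insensitively. The address `per.thorsheim@example.com` is a constructed stand-in for the obfuscated one above, and the 3-character token floor is an assumption.

```python
import re
import unicodedata

MIN_LENGTH = 6   # the page's stated minimum ("at least 6 characters")
MIN_TOKEN = 3    # assumption: shorter identity tokens are ignored; a low
                 # floor catches "perperper" but also flags "paperclip"


def _norm(s):
    """Unicode-normalize and case-fold so 'Thorsheim' matches 'thorsheim'."""
    return unicodedata.normalize("NFKC", s).casefold()


def identity_tokens(username, full_name=""):
    """Full login name, e-mail local part, and each name component."""
    user = _norm(username)
    local = user.split("@", 1)[0]
    tokens = {user, local}
    tokens.update(re.split(r"[^\w]+", local))
    tokens.update(re.split(r"[^\w]+", _norm(full_name)))
    return {t for t in tokens if len(t) >= MIN_TOKEN}


def check_password(password, username, full_name=""):
    """Return a list of policy violations; an empty list means accepted."""
    pw = _norm(password)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if pw == _norm(username):
        problems.append("equals username")
    hits = sorted(t for t in identity_tokens(username, full_name) if t in pw)
    if hits:
        problems.append("contains identity token: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    user = "per.thorsheim@example.com"   # constructed sample login name
    # The five candidates tried in the post; the last is the username itself.
    for candidate in ("thorsheim", "per.thorsheim", "Thorsheim10",
                      "perperper", user):
        print(candidate, "->", check_password(candidate, user, "Per Thorsheim"))
```

All five candidates from the list above are rejected by this check, including the three that were accepted in the test.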

1 comment:

  1. Should come as no surprise when looking at the history of Facebook... One comment on a related subject: if you enter a valid username and a wrong password, Facebook will "validate" that the username is in fact correct by displaying your real name! They removed the profile picture from the same page after some publicity, but they are still leaking information.

