Dark Reading is part of the Informa Tech Division of Informa PLC

10/28/2010
01:25 PM

Social Networks' Threat To Security

Weak passwords and insecure personal information could put your company's data at risk.

Not Their Business

Don't hold your breath waiting for social network operators to help. All the major sites--Facebook, MySpace, Twitter, LinkedIn--have the same minimum password length of six characters. And password complexity checks are few and far between. Facebook and LinkedIn have no complexity checks. For MySpace, some complexity checking is enabled; however, users can enter a password of "123456." Twitter has a basic complexity check based on a static word list that's viewable through the HTML source of the login page. You can't use "password1," but "1password" is OK.

Most social networks have implemented Captchas to prevent brute forcing of user accounts. However, there are some exceptions to that rule. Several social networks don't use Captchas for the mobile versions of their Web sites, most likely because they're a nuisance for mobile users.

On Facebook, after three failed login tries, the user is presented with a Captcha. Solve it and you get three more attempts. Facebook's mobile Web site has no Captcha protection; however, after 10 failed login attempts, the account is locked for a period of time, after which the user can try a single login again. This could be scripted to create a slow brute-force attack.

MySpace allows 10 failed login attempts, after which the user is presented with a Captcha. The MySpace mobile Web site uses an identical control. Twitter allows three failed login attempts and then presents a Captcha. Twitter's mobile site has no Captcha protection in place, so user accounts can be brute forced. LinkedIn users only get one failed login attempt before being presented with a Captcha. The LinkedIn mobile site has a Captcha presented at first login. Before you feel warm and fuzzy toward LinkedIn, however, remember it lacks in other areas, such as password complexity checks.
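The two lockout behaviours described above, modelled side by side as an added example (not code from the article or from any of the sites it surveys): a fixed lock that, once it expires, permits a single attempt before re-locking, beside an escalating lock that doubles on every further failure. A simulated attacker who sleeps exactly until each lock expires shows how many guesses each policy concedes in a day. The lock durations (15 minutes; a 60-second base doubling to a 24-hour cap), the one-guess-per-second attacker rate and the class names are assumptions; the article gives no figures.

```python
"""Login throttling: the lockout-then-one-attempt control beside an
escalating one, with a simulated attacker to compare them.

Added example, not code from the article or from any site it surveys.
The lock durations (15 minutes; 60-second base doubling to a 24-hour cap)
and the attacker's one-guess-per-second rate are assumptions; the article
gives no figures.
"""


class FixedLockout:
    """Models the control described for the mobile site: after `max_fail`
    failures the account is locked for `lock_seconds`; when the lock
    expires a single further attempt is allowed before it re-locks."""

    def __init__(self, max_fail=10, lock_seconds=15 * 60):
        self.max_fail = max_fail
        self.lock_seconds = lock_seconds
        self.failures = 0
        self.locked_until = 0.0

    def allowed(self, now):
        return now >= self.locked_until

    def record_failure(self, now):
        self.failures += 1
        # The counter is never reset, so every failure past the threshold
        # re-locks: an attacker gets one guess per window, indefinitely.
        if self.failures >= self.max_fail:
            self.locked_until = now + self.lock_seconds

    def record_success(self):
        self.failures = 0
        self.locked_until = 0.0


class ExponentialBackoff:
    """Hardened control: a few free attempts, then the lock doubles on
    every further failure up to a cap. Guess N costs base * 2**(N - free)
    seconds of waiting, so the attacker's rate collapses within hours."""

    def __init__(self, free_attempts=5, base_seconds=60, cap_seconds=24 * 3600):
        self.free_attempts = free_attempts
        self.base_seconds = base_seconds
        self.cap_seconds = cap_seconds
        self.failures = 0
        self.locked_until = 0.0

    def allowed(self, now):
        return now >= self.locked_until

    def record_failure(self, now):
        self.failures += 1
        if self.failures >= self.free_attempts:
            exponent = self.failures - self.free_attempts
            lock = min(self.cap_seconds, self.base_seconds * 2 ** exponent)
            self.locked_until = now + lock

    def record_success(self):
        self.failures = 0
        self.locked_until = 0.0


def guesses_in(policy, horizon_seconds=24 * 3600, seconds_per_guess=1.0):
    """Count the wrong guesses an attacker can submit within the horizon
    against one account, sleeping exactly until each lock expires.
    Every guess is assumed to fail (the attacker never gets lucky)."""
    now, guesses = 0.0, 0
    while now < horizon_seconds:
        if policy.allowed(now):
            guesses += 1
            policy.record_failure(now)
            now += seconds_per_guess
        else:
            now = policy.locked_until
    return guesses


if __name__ == "__main__":
    print("fixed lockout, guesses in 24h:", guesses_in(FixedLockout()))          # 105
    print("exponential backoff, guesses in 24h:", guesses_in(ExponentialBackoff()))  # 15
```

The fixed policy concedes roughly one guess per lock window forever (about 100 per day at a 15-minute lock; an implementation that resets the counter when the lock expires would concede ten per window), which is exactly the slow scripted attack the article warns about. The escalating policy caps a single-account attacker at a handful of guesses per day while a legitimate user who mistypes a few times waits only a minute or two. Neither class keys on the source address; in production the same accounting should also run per source IP or device, so that a distributed attacker spraying one guess across many accounts is throttled as well.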

Bottom line, there is little consistency among social networks regarding common security controls.

20 Most Common Passwords
1: 123456
2: 12345
3: 123456789
4: password
5: iloveyou
6: princess
7: rockyou
8: 1234567
9: 12345678
10: abc123
11: Nicole
12: Daniel
13: babygirl
14: monkey
15: Jessica
16: lovely
17: Michael
18: Ashley
19: 654321
20: qwerty

You can help employees mitigate many of these risks by simply following basic password creation and management guidelines. Encourage them to choose complex passwords that contain letters, numbers, and special characters, and that are at least 12 characters long. Longer is always better. A password shouldn't be guessable from the personal information on the user's social network profile: names, birthdays, pets, and the like are the first things an attacker will try.

Encourage the use of a unique password for every Web site and internal service. Push the use of passphrases over passwords. Passphrases are generally easier to remember and harder to brute force. For example, take a phrase like, "I have three favorite authors at the library." Either use the entire phrase or break it up to be: "[email protected]"
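As an added example (not code from the article or from any of the sites it surveys), the two password checks discussed on this page side by side: the weak static-list control described earlier, which rejects "password1" but lets "1password" through, and a stronger check that enforces the guidance above. The stronger check normalizes the candidate the way an attacker's rule set would (lower-case, strip leading and trailing digits and punctuation, undo common leet substitutions), compares it against the article's own list of the 20 most common passwords, rejects anything containing a term from the user's public profile, and accepts a long multi-word passphrase that would fail a naive character-class rule. The "password1" entry in NAIVE_BANNED, the leet map, and the 12-character minimum are assumptions; the function and variable names are mine.

```python
"""Password-policy checks: the weak exact-match control beside a stronger one.

Added example, not code from the article or from any of the sites it
surveys. COMMON_PASSWORDS is the article's own 20-entry list; the
"password1" entry in NAIVE_BANNED and the leet-speak map are assumptions
used to model the static-word-list behaviour the article describes.
"""
import re

COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "jessica", "lovely", "michael", "ashley",
    "654321", "qwerty",
}
# Modelled static list of the kind served in a login page's HTML source.
NAIVE_BANNED = COMMON_PASSWORDS | {"password1"}
# Common substitutions an attacker's cracking rules undo before comparing.
LEET = str.maketrans("@$!01345", "asioleas")


def naive_check(pw, min_len=6, banned=NAIVE_BANNED):
    """Weak control: minimum length plus an exact match against a static
    list. "password1" is rejected, but "1password" passes."""
    return len(pw) >= min_len and pw.lower() not in banned


def normalize(pw):
    """Reduce a candidate to the dictionary word an attacker would try:
    lower-case, strip leading/trailing digits and punctuation, undo leet."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def strong_check(pw, profile_terms=(), min_len=12, banned=COMMON_PASSWORDS):
    """Return the reasons a password is unacceptable (empty list = OK).

    Rejects short passwords, anything that normalizes to or contains a
    common password, anything containing a term from the user's public
    profile, and low-diversity strings that are not multi-word passphrases.
    """
    reasons = []
    lowered, core = pw.lower(), normalize(pw)
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if lowered in banned or core in banned:
        hit = core if core in banned else lowered
        reasons.append(f"normalizes to the common password '{hit}'")
    for word in sorted(banned):
        if len(word) >= 5 and word != core and (word in lowered or word in core):
            reasons.append(f"contains the common password '{word}'")
    for term in profile_terms:
        term = term.lower()
        if len(term) >= 3 and term in lowered:
            reasons.append(f"contains profile term '{term}'")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    words = len(re.findall(r"[A-Za-z]{2,}", pw))
    if classes < 3 and words < 4:
        reasons.append("fewer than 3 character classes and not a multi-word passphrase")
    return reasons


if __name__ == "__main__":
    for candidate in ("password1", "1password", "123456", "P@ssw0rd1!",
                      "I have three favorite authors at the library."):
        print(f"{candidate!r}: naive={naive_check(candidate)} "
              f"strong={strong_check(candidate) or 'OK'}")
    # Profile-derived guess: first name plus birth year from a public profile.
    print(strong_check("Nicole1985!", profile_terms=("Nicole", "1985")))
```

The normalization step is what separates the two checks: a static list only stops the exact strings it contains, whereas cracking tools apply rules (prepend or append digits, swap "@" for "a") to every dictionary word, so the policy has to undo the same rules before comparing. Feeding the checker the public fields of the user's own profile closes the gap the article points at, where the password is technically complex but derivable from information anyone can read.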

That brings us to our top recommendation: Encourage employees to use a password manager. There are some very good and easy-to-use systems available, many of them free. You need a complex password to open the application, which then auto-generates complex and unique passwords and stores them securely. Two popular password managers are KeePass (free) for Windows, Linux, and OS X, and 1Password (commercial) for Windows and OS X systems. Both can be used on mobile devices like the iPhone. It's important to make clear that you're not talking about the password managers in Web browsers.

Finally, ensure users regularly review the privacy settings on their social network profiles. Social networks in general initially set privacy settings to defaults that let anyone view information. Visit SocialMediaSecurity.com for guides and other information on how to properly configure these settings.

Tom Eston is a senior security consultant for SecureState, which provides attack and penetration testing services. Write to us at [email protected].
