A database breach last year at RockYou, which creates apps and games for social networking sites, illustrates just how weak passwords can be. Attackers used a SQL injection vulnerability to steal 32 million passwords that were stored in clear text and then posted them to the Internet. This large data set gave us unprecedented insight into the passwords that users select and allowed security researchers to calculate the most common ones (see box on next page).
Attackers often simply try the top 20 passwords when attempting to break into a social network account. Yes, it's a simple dictionary brute-force attack, but if you have a large user base, it's likely at least one of your employees' accounts could be hacked using this method.
Attacker Modus Operandi
Attackers have a variety of ways to guess passwords, including:
>> Brute force based on publicly disclosed information. Beyond the RockYou top 20, people often use names of family members, birthdays, and other personal but easily accessible information in their passwords. Attackers may take what they know about a potential victim and feed it into a program that generates a range of possible passwords.
>> Guessing answers to password-reset questions. Social network users sometimes reveal information that could be used to reset their passwords on the social network itself, Web mail services such as Yahoo Mail, and even on online banking or software-as-a-service sites. For example, some Facebook users include "25 Random Things About You" notes in their profiles. These notes contain information--like mother's maiden name, place of birth, color of a first car--that attackers can use to reset a victim's password and get control of that person's e-mail account.
>> Create a word list to narrow down keywords mentioned in the profile. Several tools can collect keywords from a Web page and put them into a word list (see Easy-To-Find Brute-Force Tools). Once an attacker has this list, he can attempt to brute force the user's password. This attack's effectiveness is largely dependent on how accurate a word list is and whether the social network employs any brute-force prevention mechanisms, such as Captchas, those challenge-response tests used on Web forms to ensure the respondent is a person, not a computer.
Not Their Business
Don't hold your breath waiting for social network operators to help. All the major sites--Facebook, MySpace, Twitter, LinkedIn--have the same minimum password length of six characters. And password complexity checks are few and far between. Facebook and LinkedIn have no complexity checks. For MySpace, some complexity checking is enabled; however, users can enter a password of "123456." Twitter has a basic complexity check based on a static word list that's viewable through the HTML source of the login page. You can't use "password1," but "1password" is OK.
Most social networks have implemented Captchas to prevent brute forcing of user accounts. However, there are some exceptions to that rule. Several social networks don't use Captchas for the mobile versions of their Web sites, most likely because they're a nuisance for mobile users.
On Facebook, after three failed login tries, the user is presented with a Captcha. Solve it and you get three more attempts. Facebook's mobile Web site has no Captcha protection; however, after 10 failed login attempts, the account is locked for a period of time, after which the user can try a single login again. This could be scripted to create a slow brute-force attack.
MySpace allows 10 failed login attempts, after which the user is presented with a Captcha. The MySpace mobile Web site uses an identical control. Twitter allows three failed login attempts and then presents a Captcha. Twitter's mobile site has no Captcha protection in place, so user accounts can be brute forced. LinkedIn users only get one failed login attempt before being presented with a Captcha. The LinkedIn mobile site has a Captcha presented at first login. Before you feel warm and fuzzy toward LinkedIn, however, remember it lacks in other areas, such as password complexity checks.
Bottom line, there is little consistency among social networks regarding common security controls.
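The inconsistency described above comes down to one design question: is the failed-login counter keyed by the account, or by the endpoint the attempt arrived through? A mobile site with no Captcha is only a bypass when it keeps its own counter. The following is an added illustration written for this article, not code from any of the social networks it discusses. It keeps one counter per account that every login endpoint shares, requires a Captcha after three failures and locks the account after ten (the Facebook figures quoted in the text); the 15-minute lock duration, and the doubling of that duration on each repeated lock, are assumptions chosen to blunt the slow scripted attack the text warns about.

```python
from dataclasses import dataclass
from typing import Dict

CAPTCHA_AFTER = 3      # failed attempts before a Captcha is required (figure from the text)
LOCK_AFTER = 10        # failed attempts before a temporary lock (figure from the text)
LOCK_SECONDS = 900     # assumed base lock duration; the article does not state one


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Failed-login state keyed by account name and shared by every login endpoint.

    Because the key is the account, three failures on the desktop site followed by
    an attempt on the mobile site still meet the Captcha requirement.
    """

    def __init__(self, captcha_after=CAPTCHA_AFTER, lock_after=LOCK_AFTER,
                 lock_seconds=LOCK_SECONDS):
        self.captcha_after = captcha_after
        self.lock_after = lock_after
        self.lock_seconds = lock_seconds
        self._state: Dict[str, AccountState] = {}

    def _get(self, username: str) -> AccountState:
        # Case-fold so "Alice" and "alice" cannot be used to split the counter.
        return self._state.setdefault(username.strip().lower(), AccountState())

    def check(self, username: str, now: float) -> str:
        """Return 'locked', 'captcha' or 'ok' for the next attempt on this account."""
        st = self._get(username)
        if st.locked_until > now:
            return "locked"
        if st.failures >= self.captcha_after:
            return "captcha"
        return "ok"

    def record(self, username: str, success: bool, now: float, endpoint: str = "web") -> None:
        """Record an attempt from any endpoint.

        The endpoint name is informational only (it would go into the audit log);
        it is deliberately never part of the lookup key.
        """
        st = self._get(username)
        if success:
            st.failures = 0
            st.locked_until = 0.0
            return
        st.failures += 1
        if st.failures >= self.lock_after:
            # Each further lock doubles in length, so a script that waits out the
            # lock and tries one more guess gets slower with every round.
            escalation = 2 ** (st.failures - self.lock_after)
            st.locked_until = now + self.lock_seconds * escalation


def demo() -> list:
    """Walk one constructed account through web and mobile attempts; returns the statuses seen."""
    t = LoginThrottle()
    seen = [t.check("alice", 0.0)]                       # "ok"
    for i in range(3):
        t.record("alice", False, float(i), endpoint="web")
    seen.append(t.check("alice", 3.0))                   # "captcha", even via mobile
    for i in range(3, 10):
        t.record("alice", False, float(i), endpoint="mobile")
    seen.append(t.check("alice", 10.0))                  # "locked"
    seen.append(t.check("alice", 910.0))                 # lock expired, Captcha still required
    t.record("alice", True, 1000.0)
    seen.append(t.check("alice", 1000.0))                # "ok" after a real login
    return seen


if __name__ == "__main__":
    print(demo())
```

The point of the example is the key, not the thresholds: whatever numbers a site picks, applying them to a per-account record that the desktop site, the mobile site and any API all consult removes the "no Captcha on mobile" gap.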
You can help employees mitigate many of these risks by simply following basic password creation and management guidelines. Encourage them to choose complex passwords that contain letters, numbers, and special characters, and that are at least 12 characters long. Longer is always better. A password shouldn't be guessable from the personal information on the user's social network profile.
Encourage the use of a unique password for every Web site and internal service. Push the use of passphrases over passwords. Passphrases are generally easier to remember and harder to brute force. For example, take a phrase like, "I have three favorite authors at the library." Either use the entire phrase or break it up to be: "Ih3fa@tl."
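The static word-list check described in the Not Their Business section above fails because it compares the raw string: "password1" is rejected while "1password" passes. A check that first normalizes the candidate closes that gap, and the same routine can enforce the two guidelines just given (a 12-character minimum and no profile-derived words). The code below is an added example written for this article, not the password check of any of the sites discussed. The COMMON_PASSWORDS set is a constructed stand-in for a breach-derived list (the RockYou top 20 is not reproduced here), the leetspeak substitution table is an assumption, and the profile dictionary in the usage is constructed.

```python
import re
from typing import Dict, List, Optional

MIN_LENGTH = 12  # the minimum recommended in the text

# Constructed stand-in for a breach-derived list of the most common passwords.
COMMON_PASSWORDS = {"123456", "password", "iloveyou", "princess", "rockyou", "abc123", "qwerty"}

# Assumed letter-for-symbol substitutions to undo before comparing (p@ssw0rd -> password).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case, strip leading/trailing digit or symbol padding, then undo leet substitutions.

    Padding is stripped before the substitution so that "1password" and "password1"
    both reduce to "password" rather than "ipassword".
    """
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(_LEET)


def profile_tokens(profile: Dict[str, str]) -> List[str]:
    """Words of four or more letters, and digit runs of four or more, taken from profile fields."""
    tokens = set()
    for value in profile.values():
        text = str(value)
        tokens.update(t.lower() for t in re.findall(r"[a-zA-Z]{4,}", text))
        tokens.update(re.findall(r"\d{4,}", text))
    return sorted(tokens)


def check_password(password: str, profile: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    core = normalize(password)
    # Compare both the raw lower-cased string (catches all-digit entries such as "123456")
    # and the normalized core (catches "1password", "Password1", "p@ssw0rd").
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("matches a common password after normalization")
    for tok in profile_tokens(profile or {}):
        if tok in lowered or tok in core:
            problems.append(f"contains profile-derived token {tok!r}")
    return problems


if __name__ == "__main__":
    # Constructed profile; no real person's data.
    profile = {"name": "Alex Example", "city": "Springfield", "birth_year": "1984"}
    for candidate in ("123456", "1password", "Springfield1984!!",
                      "I have three favorite authors at the library."):
        print(repr(candidate), "->", check_password(candidate, profile) or "accepted")
```

Run against the constructed profile, "Springfield1984!!" is refused because both the city and the birth year appear in it, while the full passphrase from the text is accepted. Note that the eight-character abbreviation "Ih3fa@tl" on its own falls under the 12-character floor the text recommends, which is one reason to favour keeping the whole phrase where a site allows it.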
That brings us to our top recommendation: Encourage employees to use a password manager. There are some very good and easy-to-use systems available, many of them free. You need a complex password to open the application, which then auto-generates complex and unique passwords and stores them securely. Two popular password managers are KeePass (free) for Windows, Linux, and OS X, and 1Password (commercial) for Windows and OS X systems. Both can be used on mobile devices like the iPhone. It's important to make clear that you're not talking about the password managers in Web browsers.
Finally, ensure users regularly review the privacy settings on their social network profiles. Social networks in general initially set privacy settings to defaults that let anyone view information. Visit SocialMediaSecurity.com for guides and other information on how to properly configure these settings.
Tom Eston is a senior security consultant for SecureState, which provides attack and penetration testing services. Write to us at [email protected].
Easy-To-Find Brute-Force Tools