Don't hold your breath waiting for social network operators to help. All the major sites--Facebook, MySpace, Twitter, LinkedIn--have the same minimum password length of six characters. And password complexity checks are few and far between. Facebook and LinkedIn have no complexity checks. For MySpace, some complexity checking is enabled; however, users can enter a password of "123456." Twitter has a basic complexity check based on a static word list that's viewable through the HTML source of the login page. You can't use "password1," but "1password" is OK.
Most social networks have implemented Captchas to prevent brute forcing of user accounts. However, there are some exceptions to that rule. Several social networks don't use Captchas for the mobile versions of their Web sites, most likely because they're a nuisance for mobile users.
On Facebook, after three failed login tries, the user is presented with a Captcha. Solve it and you get three more attempts. Facebook's mobile Web site has no Captcha protection; however, after 10 failed login attempts, the account is locked for a period of time, after which the user can try a single login again. This could be scripted to create a slow brute-force attack.
MySpace allows 10 failed login attempts, after which the user is presented with a Captcha. The MySpace mobile Web site uses an identical control. Twitter allows three failed login attempts and then presents a Captcha. Twitter's mobile site has no Captcha protection in place, so user accounts can be brute forced. LinkedIn users only get one failed login attempt before being presented with a Captcha. The LinkedIn mobile site has a Captcha presented at first login. Before you feel warm and fuzzy toward LinkedIn, however, remember it lacks in other areas, such as password complexity checks.
Bottom line, there is little consistency among social networks regarding common security controls.
You can help employees mitigate many of these risks by simply following basic password creation and management guidelines. Encourage them to choose complex passwords that contain letters, numbers, and special characters and are at least 12 characters long. Longer is always better. It should not be possible to guess a password simply by looking at the personal information on the user's social network profile.
Encourage the use of a unique password for every Web site and internal service. Push the use of passphrases over passwords. Passphrases are generally easier to remember and harder to brute force. For example, take a phrase like "I have three favorite authors at the library." Either use the entire phrase or condense it to: "[email protected]"
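The guidelines above, turned into a policy check an organization could run on its own systems: minimum length, character classes, a denylist matched as a substring in both directions (so "1password" is rejected along with "password1"), and a check that nothing visible on the user's public profile appears inside the password. This is an added example, not code from the article or from any of the sites it discusses; the denylist, the leetspeak folding table and the sample inputs are constructed for illustration.

```python
import string

# Constructed denylist standing in for a site's static word list; it is not
# any network's real list. Real deployments would use a much larger one.
COMMON_WORDS = ("password", "123456", "qwerty", "letmein", "welcome")

# Simple, assumed leetspeak fold so "P@ssw0rd" is compared as "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                      "$": "s", "5": "s", "1": "l", "!": "i"})


def normalize(s: str) -> str:
    """Lower-case and fold common character substitutions."""
    return s.lower().translate(LEET)


def check_password(password: str, profile_terms=(), min_len: int = 12):
    """Return a list of policy failures; an empty list means the password passes.

    profile_terms: strings visible on the user's public profile (name, employer,
    pet, birth year) that must not appear anywhere inside the password.
    """
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letters")
    if not any(c.isdigit() for c in password):
        failures.append("no digits")
    if not any(c in string.punctuation for c in password):
        failures.append("no special characters")

    # Compare against both the raw lower-cased password and the folded form,
    # so numeric entries like "123456" still match after folding.
    haystacks = (password.lower(), normalize(password))

    # Substring match, not exact match: a list that only rejects exact entries
    # lets "1password" through while blocking "password1".
    for word in COMMON_WORDS:
        if any(word in h for h in haystacks):
            failures.append(f"contains common word '{word}'")

    for term in profile_terms:
        t = normalize(term)
        if len(t) >= 3 and any(t in h for h in haystacks):
            failures.append(f"contains profile term '{term}'")
    return failures
```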
That brings us to our top recommendation: Encourage employees to use a password manager. There are some very good and easy-to-use systems available, many of them free. You need a complex password to open the application, which then auto-generates complex and unique passwords and stores them securely. Two popular password managers are KeePass (free) for Windows, Linux, and OS X, and 1Password (commercial) for Windows and OS X systems. Both can be used on mobile devices like the iPhone. It's important to make clear that you're not talking about the password managers in Web browsers.
Finally, ensure users regularly review the privacy settings on their social network profiles. Social networks in general initially set privacy settings to defaults that let anyone view information. Visit SocialMediaSecurity.com for guides and other information on how to properly configure these settings.
Tom Eston is a senior security consultant for SecureState, which provides attack and penetration testing services. Write to us at [email protected].
Easy-To-Find Brute-Force Tools