The Center for Education and Research in Information Assurance and Security (CERIAS)


Login with Facebook, Google and LinkedIn

Is your management considering letting users log in with their Facebook, Google or LinkedIn accounts? What are the risks? One consideration is the password policy of the identity provider, because an account on your site then becomes only as strong as the password protecting the linked account. I experimented to find out what password policies were actually in effect:
Site       Min. length   Re-use allowed?   Trivial accepted?   Lower-case only accepted?   Expiration
Facebook   6             Yes               No                  Yes                         No
Google     8             No                No                  Yes                         No
LinkedIn   6             Yes               No                  Yes                         No
All three rejected trivial passwords such as 123456. However, all three accepted a password consisting only of lower-case letters, and none of them appears to expire passwords, at least not within a reasonable time frame (one year or less). Password expiration protects against password guessing attacks: given enough time, a slow trickle of systematic attempts will eventually succeed, so the password has to change before the attacker's search catches up with it. The weaker the other password requirements and protections (e.g., the number of tries allowed per minute), the shorter the expiration period should be. In my opinion, all three have weak password policies overall. However, if you *must* offer a "login with your X account" feature, I suggest using Google's service rather than the others, at least when considering only password policies. Google has the best policy by far (potentially thousands of times stronger), requiring 8 characters and not allowing re-use of previous passwords. The two extra characters alone multiply the search space by the square of the alphabet size: 26^2 = 676 for lower-case-only passwords, and 62^2 = 3,844 once upper-case letters and digits are mixed in.
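The following is an added example, not code from the original post or from any of the three services: a server-side password policy that enforces the four properties the table measures (minimum length, no trivial passwords, no lower-case-only passwords, no re-use of remembered previous passwords) plus an expiration check, together with a helper that sizes the expiration period from the guess rate the login endpoint permits. The policy defaults, the trivial-password list, the KDF iteration count and the sample inputs are all constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Constructed deny-list for illustration; a real deployment loads a large one.
TRIVIAL_PASSWORDS = {"123456", "password", "qwerty", "abc123", "letmein", "111111"}


@dataclass
class Policy:
    min_length: int = 8              # Google's figure from the table; assumed default
    forbid_reuse: int = 5            # previous passwords to remember (0 = allow re-use)
    forbid_trivial: bool = True
    forbid_all_lowercase: bool = True
    max_age_days: int = 365          # 0 = never expire


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # password hashes, newest last
    changed_at: float = field(default_factory=time.time)


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted KDF from the standard library; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_new_password(password: str, acct: Account, pol: Policy) -> list:
    """Return the rules a candidate password violates; an empty list means accepted."""
    problems = []
    if len(password) < pol.min_length:
        problems.append(f"shorter than {pol.min_length} characters")
    if pol.forbid_trivial and password.lower() in TRIVIAL_PASSWORDS:
        problems.append("trivial password")
    if pol.forbid_all_lowercase and password.isalpha() and password.islower():
        problems.append("only lower-case letters")
    if pol.forbid_reuse:
        # Compare hashes so the history never has to hold the old passwords themselves.
        digest = _hash(password, acct.salt)
        recent = acct.history[-pol.forbid_reuse:]
        if any(hmac.compare_digest(digest, old) for old in recent):
            problems.append("re-uses a previous password")
    return problems


def set_password(password: str, acct: Account, pol: Policy, now: float = None) -> None:
    """Apply the policy, then store the new hash and reset the password's age."""
    problems = check_new_password(password, acct, pol)
    if problems:
        raise ValueError("; ".join(problems))
    acct.history.append(_hash(password, acct.salt))
    acct.history = acct.history[-max(pol.forbid_reuse, 1):]   # always keep the current hash
    acct.changed_at = time.time() if now is None else now


def is_expired(acct: Account, pol: Policy, now: float = None) -> bool:
    """True once the password has been in use longer than the policy allows."""
    if pol.max_age_days == 0:
        return False
    now = time.time() if now is None else now
    return now - acct.changed_at > pol.max_age_days * 86400


def max_expiration_days(alphabet_size: int, length: int,
                        guesses_per_minute: float, coverage: float = 0.5) -> float:
    """Days an online guesser allowed guesses_per_minute needs to cover the given
    fraction of the key space.  The password should be rotated before that elapses,
    so a looser rate limit forces a shorter expiration period."""
    keyspace = alphabet_size ** length
    minutes = keyspace * coverage / guesses_per_minute
    return minutes / (60 * 24)
```

max_expiration_days(26, 6, 1000) comes to about 107 days: a six-character lower-case password survives a guesser allowed a thousand tries a minute for only a few months, whereas the same password against one try a minute is safe for centuries. That is the dependency between rate limiting and expiration the post describes, made concrete.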

After 16 login failures, Google presents a captcha. That struck me as a large number, but Facebook allows even more attempts before blocking (I lost count). On Facebook, you can keep trying simply by clearing the Facebook cookies in the browser, which apparently yields an unlimited number of login attempts: a serious weakness against password guessing attacks, since the attempt counter is evidently tied to state the client holds rather than to the account under attack. Clearing the browser's cookies also bypasses Google's captcha... How disappointing. LinkedIn was the only one that did not lose track of login attempts when I cleared browser cookies or switched to a different browser; after 12 failed attempts, it required a captcha. So, if you must offer two login services, I would suggest Google and LinkedIn, and avoiding Facebook.
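As an added example (not code from the original post, and not how any of the three services is actually implemented), the two ways of counting failed logins that the observations above distinguish: a counter carried in a cookie the client holds, which a client that discards the cookie simply resets, and a counter kept server-side and keyed by the account being attacked, which survives cookie clearing and browser changes. The captcha threshold, the time window, the user database and the simulated attacker are all constructed.

```python
import time
from collections import defaultdict

CAPTCHA_AFTER = 12      # constructed threshold, not any service's real value
WINDOW_SECONDS = 3600   # failures older than this no longer count


class CookieCounter:
    """Attempt counter stored in a cookie handed back to the client.
    Weak: the state lives on the attacker's side and vanishes with the cookie."""

    def failures(self, cookie: dict) -> int:
        return int(cookie.get("fails", 0))

    def record_failure(self, cookie: dict) -> None:
        cookie["fails"] = self.failures(cookie) + 1

    def needs_captcha(self, cookie: dict) -> bool:
        return self.failures(cookie) >= CAPTCHA_AFTER


class AccountCounter:
    """Attempt counter stored server-side, keyed by the target username."""

    def __init__(self):
        self._fails = defaultdict(list)   # username -> failure timestamps

    def failures(self, username: str, now: float = None) -> int:
        now = time.time() if now is None else now
        recent = [t for t in self._fails[username] if now - t < WINDOW_SECONDS]
        self._fails[username] = recent    # drop failures outside the window
        return len(recent)

    def record_failure(self, username: str, now: float = None) -> None:
        self._fails[username].append(time.time() if now is None else now)

    def needs_captcha(self, username: str, now: float = None) -> bool:
        return self.failures(username, now) >= CAPTCHA_AFTER


class LoginService:
    """Toy login endpoint that throttles with one of the two counters."""

    def __init__(self, counter_per_account: bool, users: dict):
        self.users = users                  # username -> password (plaintext only for brevity)
        self.per_account = counter_per_account
        self.account_counter = AccountCounter()
        self.cookie_counter = CookieCounter()

    def login(self, username: str, password: str, cookie: dict, now: float = None) -> str:
        """Return 'captcha', 'fail' or 'ok'."""
        throttled = (self.account_counter.needs_captcha(username, now) if self.per_account
                     else self.cookie_counter.needs_captcha(cookie))
        if throttled:
            return "captcha"
        if self.users.get(username) == password:
            return "ok"
        if self.per_account:
            self.account_counter.record_failure(username, now)
        else:
            self.cookie_counter.record_failure(cookie)
        return "fail"


def guesses_without_captcha(service: LoginService, username: str,
                            wordlist: list, clear_cookie_every: int) -> int:
    """Simulated attacker: tries the wordlist in order, discarding its cookie every
    clear_cookie_every attempts (0 = never).  Returns how many guesses the service
    actually checked before demanding a captcha."""
    cookie = {}
    checked = 0
    for i, guess in enumerate(wordlist):
        if clear_cookie_every and i and i % clear_cookie_every == 0:
            cookie = {}                     # "clear the browser's cookies"
        result = service.login(username, guess, cookie)
        if result == "captcha":
            break
        checked += 1
        if result == "ok":
            break
    return checked
```

With a hundred-word constructed wordlist and a cookie cleared every ten attempts, the cookie-keyed service checks all hundred guesses and never shows a captcha, while the account-keyed service stops after twelve regardless of what the client does with its cookies. One caveat of keying on the account: the captcha is also shown to the legitimate user while an attack is in progress, which is why a captcha, rather than a hard lockout that an attacker could trigger on purpose, is the better response at this threshold.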

Other considerations, such as the security of the login mechanism and trustworthiness of the service, are not addressed here.
