I'm on Facebook. I've got more colleagues there as "friends" than I have family and friends from my personal life. Yes, I do draw a very clear line between colleague and friend. Colleague != friend, period.
Not long ago somebody found out that Twitter had a list of 370 passwords that they had banned their users from using. The list was easily available; you could see it in the page source code on their website. Does Facebook have any similar lists of forbidden words, phrases or common passwords? Have they implemented technical rules to enforce the written policy? Let's have a look at the Facebook settings for my own account: (slightly mangled username/password clues and in Norwegian, for obvious reasons)
The Facebook password policy says (comments by me in italic):
1. When you change your password you will be logged off on all other computers
A password policy should be regarded as requirements. This is a piece of information, and does not belong in a policy.
2. Do not use the same password as you are using on other internet services
Good advice, but impossible for anyone (including Facebook) to control, limit or audit in any way. I would remove it from the policy and write a separate section with good advice instead. Oh, and rather few seem to follow this advice anyway.
3. Your new password must be at least 6 characters in length
Google or Bing: the current best practice recommendation these days is a minimum of 8 characters. It seems that vendors and the security community recommend a minimum of 8, while service providers like Twitter, Yammer, Facebook and others are lagging behind with 5 or 6 character length requirements. Why?
4. Use a combination of letters, numbers and characters
I presume they mean special characters for the last part, but interestingly enough they list 3 character groups instead of the four we've got (upper-case, lower-case, numbers and special characters). And then, as a separate bullet, comes a piece of information that really belongs in a policy:
5. The system differentiates between upper- and lower-case letters. Remember to check your CAPS LOCK key.
So there you have it, the Facebook password policy. Are they requirements, or just a piece of good advice? Have Facebook really implemented these requirements technically?
I've got a unique password on my Facebook account which is far above these requirements. I logged in and wanted to satisfy my curiosity. In the above picture I'm trying to change my password to abcdef, and I got the following result:
"You cannot use a common wordlist word as your password. Use a more secure password". Uhm, ok. What about 123456? No, same answer. Well, let's try the ultra-top-secret non-wordlist-existing password fedcba then, and let's see what happens:
Your password has been changed. Darn.
Seriously Facebook; there really should be consistency between your written policy and your technical implementation of it. The way it is now, there is very little consistency between what you say and what you do. I don't know who does your audits, but I really hope they read my blog and call you for a quick chat about your inconsistencies.
.... and I will change my password - again. Did I mention that Facebook does not seem to enforce periodic password changes, nor do they maintain any password history, so that you (or somebody else) can change your password back to the previous one? Not good.
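To show what a check that actually matches the written policy looks like, here is an added example (my own illustration, not Facebook's code): it enforces the 6-character minimum, the letters/numbers/special-characters rule and a case-sensitive comparison, rejects wordlist words together with trivial variations such as the reversed "fedcba", and refuses reuse of a previous password via a salted history. The blocklist and test passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import string

# Constructed sample blocklist; a real deployment loads a large wordlist.
COMMON_PASSWORDS = {"abcdef", "123456", "password", "qwerty", "letmein"}
MIN_LENGTH = 6  # Facebook's written rule; current best practice is 8
PBKDF2_ROUNDS = 100_000


def _blocklist_forms(password: str) -> set:
    """Variants compared against the blocklist: lower-cased, reversed, and
    with trailing digits stripped, so 'fedcba' and 'Abcdef1' still match."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits)
    return {lowered, lowered[::-1], stripped, stripped[::-1]}


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2 entry suitable for storing in a password history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, entry: tuple) -> bool:
    """Constant-time comparison of a candidate against a stored entry."""
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_policy(password: str, history=()) -> list:
    """Return the list of violated rules; an empty list means accepted.
    `history` is an iterable of entries produced by hash_password()."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit and has_special):
        problems.append("must combine letters, numbers and special characters")
    if _blocklist_forms(password) & COMMON_PASSWORDS:
        problems.append("common wordlist word or a trivial variation of one")
    if any(verify_password(password, entry) for entry in history):
        problems.append("matches a previously used password")
    return problems
```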