Profiling User Passwords on Social Networks

Tom Eston

The information contained in or accompanying this document is intended only for the use of the stated recipient and may contain information that is confidential and/or privileged. If the reader is not the intended recipient or the agent thereof, you are hereby notified that any dissemination, distribution, or copying of this document is strictly prohibited and may constitute a breach of confidence and/or privilege. If you have received this document in error, please notify us immediately. Any views or opinions presented are solely those of the author and do not necessarily represent those of SecureState, LLC.

Profiling User Passwords on Social Networks

Synopsis This is a whitepaper on how to determine passwords for social network accounts through information posted on the profiles of social network users. Author Name Tom Eston Table of Contents Background ............................................................................................................................................................. 3 Password Selection Theory ..................................................................................................................................... 3 Examples of Common Passwords Found on Social Networks ................................................................................ 4 Methods to Determine Passwords ......................................................................................................................... 5 Tools ........................................................................................................................................................................ 5 How Social Networks Are Not Helping The Problem .............................................................................................. 9 Defenses and Prevention ...................................................................................................................................... 10 About The Author ................................................................................................................................................. 11 References and Related Links.12 Revision Title 1.3 Date August 31, 2010

Profiling User Passwords on Social Networks

Background
Social networks have recently reached a pinnacle of popularity. Facebook has reached 500 million users, and there are now an estimated 105 million users on Twitter. Social networking sites have become so popular that they have outpaced technology that most of us take for granted such as email. For example, a recent study performed by Nielsen Online1 showed that social networks are now the fourth most popular online activity, even ahead of personal email. Millions of people are continuously sharing personal and sometimes private information with friends, acquaintances, and even total strangers on social networks. More than likely the information you share on a social network can be viewed and shared by more than just your friends. To compound the problem, social networks encourage the sharing of private and personal information with little regard for the users privacy. Social networks are designed to make money from information posted by their user base. The inadvertent disclosure of non-sensitive personal information may seem innocent but there is a dark side to posting your interests, hobbies, and even your favorite car or movies. Studies and recent privacy breaches have shown that users of social networks choose poorly crafted passwords and many of these passwords can be determined simply from information posted by the user. Tools and scripts beyond simple guessing techniques have been developed to help determine a users password. These tools can be used in some cases to brute force the users password on a social network service as well as other websites the user might use. This white paper will discuss the problem of inadvertent information sharing by users of social networks and how to defend against such attacks.

Password Selection Theory

Humans naturally dont like complexity. This applies to many things in life, and especially to password selection. While many theories have been offered and studies have been conducted in recent times, the reasons for poor password selection can be narrowed down to the following: Passwords are difficult to remember. Users will usually choose to create a password that is familiar to them with very little complexity. Passwords are a hindrance. Nearly every social network website requires a password. Users get frustrated with multiple requests for passwords so they choose the same, easy to remember password for every website. Users select passwords based on what they are familiar with. For example, users will most likely choose a password that meets any of the following criteria: o Names of the users pets, children, spouses, or significant others o Favorite sports teams o Favorite foods and drinks o Places where the user grew up or went to school o Important dates such as birthdays and anniversaries Users dont like to think about password complexity. Many users dont care what their password is so they choose an easy password based on where their fingers are on the keyboard. For example: o 12345 o qwerty

Profiling User Passwords on Social Networks o 54321 o asdf o zxcvb Alternate methods for password selection dont work. Passphrases are time consuming for the average user to create and end up being difficult to remember. Security professionals have also recommended creating a per site password. One example is where one appends a series or combination of numbers or other characters before or after the website name. For example, facebook1234 or 1234Facebook. Attackers have been known to quickly ascertain these patterns to determine passwords on other websites. Social networks dont encourage strong password selection. Most major social networking websites dont enforce any complexity or very long passwords so users naturally choose insecure ones. In addition, social networks have never expired passwords after a set period of time, mostly due to user support challenges.

Examples of Common Passwords Found on Social Networks

Recent security breaches have shown that users of social networks do in fact select poor passwords. The best example of this is the RockYou database breach2 which exposed over 32 million users passwords. While RockYou creates thirdparty applications and games for social networking websites like MySpace and Facebook, most users are known to use the same password for all of their accounts, especially for social networks. The RockYou data breach is by far the largest sampling of passwords that has been released. It gives great insight into the passwords that users select. In addition, the RockYou database breach allowed security researchers to calculate the most common passwords out of this very large dataset. Security research firm Imperva released a white paper titled Consumer Password Worst Practices, which calculated the most common passwords found from the RockYou database breach3. Figure 1 shows the top twenty passwords. Rank 1 2 3 4 5 6 7 8 9 10 Password 123456 12345 123456789 Password iloveyou princess rockyou 1234567 12345678 abc123 Rank 11 12 13 14 15 16 17 18 19 20 Password Nicole Daniel babygirl monkey Jessica Lovely michael Ashley 654321 Qwerty

Figure 1. Top twenty passwords from the RockYou database breach By just quickly reviewing this list you can see many of the password patterns that have been discussed in the previous section. One attack to consider is to simply try the top twenty passwords when attacking a user account on a social network. This would be a simple dictionary brute force style attack. For example, just by trying the number one password 123456 you have a slightly better chance of the attack being successful than just taking a simple guess at the password.

Profiling User Passwords on Social Networks

Methods to Determine Passwords

There are several methods to attempt to determine a users password based on information posted on the users social network profile. Simply guess the password. It may seem trivial to think about, but based on the information you find on a profile try guessing the password. For example, try the top twenty from the RockYou database, their favorite foods and drinks, names of significant others, as well as hobbies and sports teams. You may get lucky. Look for answers to password reset questions. Users of social networks sometimes inadvertently reveal information that could be used to reset passwords either on the social network itself or on popular webmail services such as Yahoo! Mail. For example, on a users Facebook profile you might see a note called 25 Random Things about You. Contained in these types of notes is information like mothers maiden name, place of birth, the color of their first car, etc. These questions are similar, if not identical, to many password reset functions of popular webmail or even online banking services. If an attacker can gain access to the users webmail account using this method, all it takes is using the password reset functionality on the social network to send a new password (or reset link) to the email account under the attackers control. Create a wordlist to narrow down keywords mentioned in the profile. Several tools are available and discussed in the next section that can collect keywords from a web page and put them into a wordlist. Once you have this list you can narrow down words that you might try in a password guessing attack. Brute force the password. Using the wordlist, you can attempt to brute force the users password. This attack is largely dependent on how accurate your wordlist is and if the social network employs any brute force prevention mechanisms such as CAPTCHAs to prevent this type of attack.

Tools
Several free and open source tools are available to create wordlists that can be used for brute force attacks to obtain passwords of social network users. Following is a list of the most useful tools and scripts that can be used to generate wordlists from social network profiles. CeWL - Custom Wordlist Generator CeWL4 was created by security researcher Robin Wood as a way to create a custom wordlist based on spidering a website. This functionality is perfect for quickly determining unique words on a social network profile. CeWL is available for download from Woods website, in the Samurai WTF5 (Web Testing Framework), and within the popular BackTrack 4 penetration testing distribution6.

Profiling User Passwords on Social Networks Figure 2 shows the typical output when running CeWL targeting a Twitter profile.

Figure 2. Output of CeWL after it discovered unique words from a Twitter profile RSMangler RSMangler is another tool created by Robin Wood7 which compliments CeWL or any other tool that generates a wordlist. RSMangler will take a wordlist and generate mangled combinations or manipulations of those words. For example, if you have three words in your wordlist: tom, eston, social; RSMangler would output these as: tomeston tomsocial estontom socialeston socialtom etc.

You also can add common permutations such as 123 to the mangling rules. The RSMangler tool can be downloaded from the RandomStorm8 website. AWLG - Associative Word List Generator AWLG is a website9 that will generate a wordlist based on your search terms. These terms are queried from the website using typical search engine techniques. For example, if you search for tom, eston, agent0x0, zombies, spylogic, security, justice; AWLG will search the Internet for those terms and give you back a listing of relevant keywords.

Profiling User Passwords on Social Networks Figures 3 and 4 show a search with AWLG and its related output.

Figure 3. The AWLG front end which searches the Internet to create a custom wordlist

Figure 4. The result of AWLG searching for keywords associated based on the original search

Profiling User Passwords on Social Networks CUPP Common Users Password Profiler CUPP is a wordlist generation script created by Muris Kurgas. CUPP asks a series of questions to generate a custom wordlist based on the answers given by the user. This tool can be quite handy if you have already found out significant information about the user through their social network profile. CUPP can be found pre-installed in the BackTrack 4 penetration testing distribution. Figure 5 shows an example of some of the questions CUPP asks.

Figure 5. CUPP asks relevant questions to determine a custom wordlist based on the user Mark Baggett's userpass.py script Mark Baggetts script userpass.py10 takes a unique approach to generating wordlists as they are customized automatically on a per user basis. An explanation of how the script works follows: A search for publicly available LinkedIn profiles through Google based on a target company is initiated. Next, the script will attempt to spider any websites that the user has linked in their LinkedIn profile such as blogs or company sites. The script pulls the users profile picture and attempts to check a website called tineye to determine if that
profile picture matches up with others found on the Internet. If so, those websites are spidered for keyword information. Lastly, all the spidered websites are run through CeWL to generate custom wordlists.

Marks usepass.py script is available for download from the PaulDotCom website11.

Profiling User Passwords on Social Networks

How Social Networks Are Not Helping the Problem

Social networks are designed to allow for sharing personal information with others. Without this sharing, social networks would cease to exist. Protecting your information is not in their business model. The more information you share the more valuable you are to them. Privacy of your information is mostly dependent on what you post as well as how privacy settings are configured for each social network. Social networks have generally not implemented good security controls for safeguarding their users accounts. A list of these problems follows: Minimum password length on social networks. All the major social networks (Facebook, MySpace, Twitter, LinkedIn) have the same minimum password length of six (6) characters. Interestingly, MySpace will only allow a user to select a password under fifty (50) characters. Password complexity checks are few and far between. Social networks do not enforce robust password complexity rules (if at all). o Facebook - No complexity check. o MySpace - Basic (broken) complexity check. Viewing the HTML source shows some complexity checking is enabled; however, users can enter a password of "123456". o Twitter - Basic complexity check (based on static word list which is viewable through the HTML source of the login page). This is a poor way of implementing password complexity checks. For example, you can't select a password of "password1" but you can select a password of "1password". o LinkedIn - No complexity check. Brute force attack prevention. Most social networks have implemented CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) to prevent brute forcing of user accounts. However, there are some exceptions to that rule. Several social networks do not implement CAPTCHAs for the mobile versions of their websites. This is most likely because CAPTCHAs are a nuisance for mobile users. For example, Twitter accounts can be brute forced through the mobile versions of their website. The following is a list of the major social networks and their CAPTCHA protections on their main website. Exceptions are noted. o Facebook After three (3) failed login attempts, the user is presented with a CAPTCHA. Solve the CAPTCHA and the user is allowed three more attempts. The Facebook mobile website (m.facebook.com) has no CAPTCHA protection in place; however, after ten (10) failed logins the account is locked out for a period of time after which the user can try a single login again. This could be scripted to create a slow brute force attack. o MySpace After ten (10) failed login attempts the user is presented with a CAPTCHA. The MySpace mobile website (m.myspace.com) has an identical control with CAPTCHAs in place. o Twitter - After three (3) failed login attempts the user is presented with a CAPTCHA. The Twitter mobile site (mobile.twitter.com) has no CAPTCHA protection in place. User accounts are able to be brute forced. o LinkedIn After one (1) failed login attempt the user is presented with a CAPTCHA. The LinkedIn mobile site (m.linkedin.com) has a CAPTCHA presented at first login.

Profiling User Passwords on Social Networks Based on these observations, it appears that while one social network enables strict controls around preventing brute force attacks (LinkedIn), that same social network lacks in other areas such as password complexity checks. There is very little consistency among the social networks regarding these common security controls.

Defenses and Prevention

Besides the social networks themselves ensuring better security controls for their users, users can mitigate many of these risks by simply following basic guidelines around password creation and management. With social networks, personal responsibility of your information and login credentials is key. Recommendations follow to help prevent password guessing and brute force attacks on social networks. 1. Choose a complex password Choose a password that contains letters, numbers, special characters and is at least twelve (12) characters in length. In the case of passwords, longer is always better. Passwords should not be able to be guessed simply by looking at the personal information on your social network profile. A simple test is to take your password and see if it has any reference to you, your family members, pets, hobbies, etc. For example, fluffy15 is a poor password choice while X@*4!5~a6s}V is a much more secure one. This is also harder to remember; however, see #3 and #5 on passphrases and password managers. 2. Choose a unique password for every website Suppose your Facebook account or webmail gets hacked and you have the same password for every website. This means that you have effectively compromised all the accounts with that same password. Many users choose the same user name and password for every website. Always create a unique password for each website you use. 3. Choose passphrases over passwords if you can Whenever possible you should choose a passphrase instead of a password. Passphrases are generally easier to remember, are much longer than passwords, harder to brute force, and can be easier to create. For example, suppose you have a favorite saying like I like Zombie Movies especially at midnight in December on a train! Take this phrase and you can either use the entire phrase as is, or you can break this up by taking the first letter of each word. In this case your password would be: IlZMe@miDoat!. 4. Try not to use "throw away" passwords Throw away passwords are ones you dont care about. They are easy to remember as well as guess. You may hear advice like Only use strong, complex passwords for sites with sensitive data like online banking. This is bad advice as all your passwords should be complex and unique. The real problem with throw away passwords is that humans are naturally lazy and if you get into the habit of creating a throw away password, before you know it all of your passwords are the same. Get out of this habit now and see #5. 5. Use a password manager The best recommendation of all is to use a password manager to take over the management of your passwords.

10

Profiling User Passwords on Social Networks There are some very good and easy to use solutions, and many are even free of charge. While you still need a complex password to open the application storing your passwords (see #1 and #3), these programs can auto generate complex and unique passwords and store them securely. Two popular password manager programs are KeePass12 (free) for Windows, Linux, OSX and 1Password13 (commercial) for Windows and OSX systems. KeePass and 1Password also can be used on mobile devices like the iPhone. Important: a password manager is not the password manager in your web browser! These are dangerous to use, especially if your browser or computer gets compromised. 6. Review your privacy settings on your social network profiles Lastly, review the privacy settings on your social networks to ensure they meet your expectations. Social networks in general initially set privacy settings to many defaults that allow anyone to view your information. Visit SocialMediaSecurity.com14 for guides and other information on how to properly configure these settings.

About the Author

Tom Eston is a Senior Security Consultant for SecureState. Tom is a senior member of SecureStates Profiling team which provides attack and penetration testing services for SecureStates clients. Tom is actively involved in the security community and focuses his research on the security of social media. He is the founder of SocialMediaSecurity.com which is an open source community dedicated to exposing the insecurities of social media. Tom is also a security blogger, cohost of the Security Justice and Social Media Security podcasts, and is a frequent speaker at security user groups and national conferences including Notacon, OWASP AppSec, Defcon, and Shmoocon.

11

Profiling User Passwords on Social Networks

References and Related Links

Acknowledgements of assistance with this research: Kevin Johnson, Robin Wood, Mark Baggett, Chris Clymer, Jake Garlie, and Alex Hamerstone.
1 2

http://en-us.nielsen.com/content/nielsen/en_us/news/news_releases/2009/march/social_networks__.html http://techcrunch.com/2009/12/14/rockyou-hacked/ 3 http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf 4 http://www.digininja.org/projects/cewl.php 5 http://samurai.inguardians.com/ 6 http://www.backtrack-linux.org/ 7 http://www.digininja.org/projects/rsmangler.php 8 http://www.randomstorm.com/rsmangler-security-tool.php 9 http://awlg.org/index.gen 10 http://pauldotcom.com/wiki/index.php/Episode206 11 http://pauldotcom.com/userpass.py 12 http://keepass.info/ 13 http://agilewebsolutions.com/products/1Password 14 http://socialmediasecurity.com

12