Why RockYou Should Have Federated Identities
In case you haven't seen the news, RockYou's users have become casualties in the latest web privacy breach. TechCrunch detailed RockYou's numerous transgressions here:
Earlier today news spread that social application site RockYouhad suffered a data breached that resulted in the exposure of over 32 Million user accounts. To compound the severity of the security breach, it was found that RockYou are storing all user account data in plain text in their database, exposing all that information to attackers. RockYou have yet to inform users of the breach, and their blog is eerily silent – but the details of the security breach are going from bad to worse.
32 million users. If you thought you were having a bad day, imagine what RockYou's leadership team is dealing with. Winning back the trust of a single user can be challenging, let alone the other 31,999,999.
Of course it's easy to pile on RockYou for the many boneheaded decisions that led to this breach. Users can't protect themselves if they don't have the proper tools, and the act of promoting the use of simple passwords by practicing non-existent password policies is a virtual invitation to hackers. Sadly enough, even stricter policies could not have saved RockYou since they elected to store passwords in the clear. In the applications world this is the ultimate rookie mistake, and it's difficult to imagine a company like RockYou making it.
Unfortunately the impact of RockYou's mistakes has ripple effects for other social network partners. As TechCrunch revealed, RockYou collected user credentials for integrated sites such as Facebook and MySpace and stored them (in clear text) in their database. So if you're one of the unfortunate RockYou users who submitted login credentials for both those networks, you have more than just your RockYou data to worry about.
So besides following through on their promise and not storing the data to begin with, what could RockYou have done to work around the issue of exposing login credentials from their partner networks to hackers? That's easy: FEDERATE! Federated authentication is a protocol that allows companies to trust incoming login requests from known sources, thereby eliminating the need for storing a separate login and password. Simply stated, federation is single sign-on deployed across the internet. This means user identities are more portable, the user experience is more seamless, and the login data is more secure since it does not need to be stored in multiple locations.
Sounds complicated, right? But the reality is you're probably already using forms of federation in your every day web experience. Authentication services like Facebook Connect and Twitter's oAuth are examples of federation in action. Why expose yourself to more risk by storing credentials when you can simply piggyback on what your partner is already doing?
Of course, the value of federation isn't limited to social networks. Large enterprises like CA are using federated security models to drive partnerships and other business relationships. Our own Todd Clayton has described a vision for a Federation Oriented Architecture where the principles of identity federation are applied other data. There is no doubt the need for identity federation is on the rise, and we expect to see plenty of work in this area in 2010.
Unfortunately hindsight cannot save RockYou from the embarrassment over this mess. The users who choose to stay with them can only hope they'll learn from their mistakes.