Facebook believes you shouldn’t have to worry about hacked web passwords.
It’s there to protect you, it says.
After reports that hackers obtained around 7 million Dropbox logins, apparently by compromising a third-party service that works with Dropbox, Facebook says it already has a system for catching this kind of leak before attackers can use it on its platform.
Security engineer Chris Long says Facebook has been monitoring the websites where hackers post and sell stolen passwords. Because most people reuse the same email/password combination across multiple websites, Facebook checks whether any of the leaked passwords would also unlock a Facebook account.
If it finds a match, Facebook invalidates that password and notifies the account holder that it is now known to attackers.
(By the way, Facebook doesn’t store any of these stolen passwords in the clear. It runs each one through the same one-way “hash” function it uses to check your password when you log in, and compares the result with the hash it already has on file. If the two hashes match, it knows the leaked password is your Facebook password without any of its staff ever seeing the password itself.)
Facebook has actually been doing this ever since that huge hack of Adobe passwords last year, it says.
With the latest Dropbox password news, Facebook suggests you take advantage of this watchdog service by using Facebook Login, rather than a separate password, to sign in to your other websites and apps.
The idea is that you trust Facebook with your personal information, but you don’t need to share any of it with other apps on the Web that you use. It gives you control over what these apps can track about you, and what they can share to your Facebook profile.
The problem, of course, is that some people think that Facebook is the site doing too much tracking. Using Anonymous Login doesn’t stop Facebook from knowing who you are and seeing which apps you use.
Still, there might be some benefit to hiring Facebook to be your stolen password watchdog.
Even if you use a password manager to create unique, hard-to-crack passwords for every website, it’s hard to know when hackers have stolen those passwords. Unless the company alerts you to a hack, you might not even know that things like your private photos or documents stored in the cloud are at risk.
If you are going to start using Facebook Login (Anonymous or otherwise) as your main internet login, Facebook advises you to add some extra security to the account behind it. Turn on login alerts so that Facebook notifies you whenever your account is used from an unrecognised PC or phone.
Here’s the full blog post:
Keeping Passwords Secure
By Chris Long, Security Engineer at Facebook
The Facebook Security team has always kept a close eye on data breach announcements from other organisations. Theft of personal data like email addresses and passwords can have larger consequences because people often use the same password on multiple websites. Unfortunately, it’s common for attackers to publicly post the email addresses and passwords they steal on public ‘paste’ sites. Lots of household company names have experienced the unpleasant phenomenon of seeing account data for their sites show up in these public lists, and responding to these situations is time-consuming and challenging.
Our team wanted to do something to improve this situation, so we built a system dedicated to further securing people’s Facebook accounts by actively looking for these public postings, analysing them, and then notifying people when we discover that their credentials have shown up elsewhere on the Internet. To do this, we monitor a selection of different ‘paste’ sites for stolen credentials and watch for reports of large scale data breaches. We collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook. This is a completely automated process that doesn’t require us to know or store your actual Facebook password in an unhashed form. In other words, no one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time. If we find a match, we’ll notify you the next time you log in and guide you through a process to change your password.
1. Once we find a set of stolen credentials, we pass the data into a program that parses it into a standardized format.
2. After the data has been downloaded and parsed, we hash each password using our internal password hashing algorithm. Since Facebook stores passwords securely as hashes, we can’t simply compare a password directly to the database — we need to hash it first and compare the hashes.
3. Once we have the list of stolen email addresses and hashed passwords, an automated system checks each one of them against the Facebook internal databases to see if any of the email addresses and hashed passwords match valid login information on Facebook.
4. If the email and hash combination doesn’t match, we don’t take any action. A mismatch indicates that the stolen password is different than the password you use on Facebook, and therefore an attacker wouldn’t be able to use that password to access your Facebook account.
5. If the email address and hash combination does match, we will notify you the next time that you use Facebook and guide you through a process to change your password. Changing your password will invalidate the stolen password and help protect your Facebook account.
This system has worked very well for us in the past, but we recognise that preventing stolen credentials is also important. The problem of password reuse on multiple websites is endemic and well documented. The risks are also clear: if you use the same password on lots of websites, an attacker only has to get your password once to be able to access all of those accounts. Managing many different passwords can be daunting, but picking a good password manager that you trust can make the process much easier.
And in the spirit of National Cyber Security Awareness Month, here are a few additional ideas for protecting yourself online:
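The matching procedure that the post lays out in steps 1 to 5 (and that the article summarises in its aside about hashes), as an added example that is not Facebook's code and not part of the blog post. It assumes a site whose password store holds only per-user salts and PBKDF2 hashes; the paste dump, the user records and the cost parameter are all constructed for illustration. The one detail the article's aside glosses over is shown explicitly: because each account has its own salt, a leaked password has to be hashed with the target account's salt, using the very same routine the login path uses, before the two hashes can be compared.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Tuple

# Constructed sample "paste" dump in the mixed formats such dumps usually come in
# (email:password, email;password, plus a junk line). Hypothetical data, not a real leak.
SAMPLE_PASTE = """\
alice@example.com:hunter2
BOB@Example.com;Tr0ub4dor&3
carol@example.com:correct horse battery staple
this line is not a credential
dave@example.com:hunter2
"""

# Illustrative KDF cost; a real deployment tunes this against its login latency budget.
ITERATIONS = 100_000


def parse_paste(text: str) -> List[Tuple[str, str]]:
    """Step 1: normalise a raw dump into (email, password) pairs.
    Emails are lower-cased because account lookup is case-insensitive; the password
    is kept byte-for-byte, since a single changed character is a different password."""
    pairs = []
    for line in text.splitlines():
        m = re.match(r"^\s*([^\s:;]+@[^\s:;]+)[:;](.*)$", line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for the site's internal password hashing routine.
    It must be the same code the login path runs, or the hashes will never match."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_account(db: Dict[str, dict], email: str, password: str) -> None:
    """Store a fresh random salt and the hash only; no plaintext is ever kept."""
    salt = os.urandom(16)
    db[email.lower()] = {"salt": salt, "hash": hash_password(password, salt)}


def build_sample_db() -> Dict[str, dict]:
    """Constructed user store for the example."""
    db: Dict[str, dict] = {}
    create_account(db, "alice@example.com", "hunter2")              # reused the leaked password
    create_account(db, "bob@example.com", "a-different-one")        # leaked password differs
    create_account(db, "carol@example.com", "correct horse battery staple")
    # dave@example.com has no account here at all
    return db


def verify_login(db: Dict[str, dict], email: str, password: str) -> bool:
    """The ordinary login check; the breach check below deliberately reuses the same KDF."""
    record = db.get(email.lower())
    if record is None:
        return False
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


def find_reused_credentials(db: Dict[str, dict], paste_text: str) -> List[str]:
    """Steps 2 to 5: for each leaked pair, look up the account, hash the leaked password
    with that account's own salt, and compare in constant time.
    Returns the emails that must be notified and forced through a password change."""
    flagged = []
    for email, leaked_pw in parse_paste(paste_text):
        record = db.get(email)
        if record is None:
            continue                       # no such account: nothing to do
        candidate = hash_password(leaked_pw, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            flagged.append(email)          # step 5: notify and force a change
        # mismatch (step 4): the leaked password is not this account's password
    return flagged


def force_password_change(db: Dict[str, dict], email: str, new_password: str) -> None:
    """Step 5 follow-through: re-salt and re-hash, so the leaked value stops working."""
    create_account(db, email, new_password)


if __name__ == "__main__":
    users = build_sample_db()
    hits = find_reused_credentials(users, SAMPLE_PASTE)
    print("accounts to notify:", hits)
    for victim in hits:
        force_password_change(users, victim, os.urandom(12).hex())
    print("after rotation:", find_reused_credentials(users, SAMPLE_PASTE))
```

Two things worth noticing when running it. A per-user salt means the dump cannot be hashed once and joined against the database: every leaked entry that names an existing account costs one full KDF evaluation, which is exactly the cost an attacker would pay trying those credentials at the login form, and why the check should be rate-limited like a login. And the comparison uses `hmac.compare_digest`, not `==`, for the same reason the login path should: timing differences must not reveal how many leading bytes of a hash matched.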