Facebook Unveils Security Initiative That Searches Web For Stolen Passwords

Chuck Bednar for redOrbit.com – Your Universe Online
Facebook has revealed that it has been monitoring anonymous posting sites for stolen credentials, testing them to see whether they belong to members of the social network and, where they match, prompting the affected members to change their passwords at the next login.
This more proactive approach to user security, detailed by Facebook security engineer Chris Long in a blog post Friday, centers on a system in which the company watches for reports of large-scale data breaches and then tests the stolen credentials to see whether they match the email addresses and passwords of Facebook members.
“This is a completely automated process that doesn’t require us to know or store your actual Facebook password in an unhashed form,” Long said. “No one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time. If we find a match, we’ll notify you the next time you log in and guide you through a process to change your password.”
In effect, rather than comparing one plaintext email-and-password pair with another, the automated system runs each leaked password through Facebook's normal login check and compares the result with the stored value, as Ashley Feinberg of Gizmodo explained (she described the comparison as being between the credentials' "encrypted" equivalents; strictly, as Long's own description makes clear, the stored values are password hashes, which cannot be reversed to recover the plaintext). The upside is that Facebook can determine whether login information has been compromised without ever learning the plaintext credentials of users whose leaked password does not match, preserving their privacy.
“If the email and hash combination doesn’t match, we don’t take any action. A mismatch indicates that the stolen password is different than the password you use on Facebook, and therefore an attacker wouldn’t be able to use that password to access your Facebook account,” Long said. “If the email address and hash combination does match, we will notify you the next time that you use Facebook and guide you through a process to change your password.”
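The check Long describes, as an added example that is not Facebook's code and does not reflect its actual password-hashing scheme (the page does not say what that is; PBKDF2-HMAC-SHA256 with a per-user random salt is assumed here because it is in Python's standard library and behaves like any salted password hash for this purpose). The scan reuses the exact login-time verifier, so it needs only the stored salt and hash. The user store, the dump entries and the email-normalization rule are all constructed for the example:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Work factor for the stand-in hash. Facebook's actual scheme is not stated on
# the page; PBKDF2-HMAC-SHA256 is an assumption chosen because it is in the
# standard library and behaves like any salted password hash for this purpose.
PBKDF2_ITERATIONS = 100_000


@dataclass(frozen=True)
class StoredCredential:
    """What the user store keeps: a per-user random salt and the hash. No plaintext."""
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(password: str) -> StoredCredential:
    """Called at signup or password change; the plaintext is hashed and discarded."""
    salt = os.urandom(16)
    return StoredCredential(salt, hash_password(password, salt))


def verify_login(stored: StoredCredential, candidate: str) -> bool:
    """The login-time check. The dump scan reuses exactly this function, so it
    never needs anything beyond the stored salt and digest."""
    return hmac.compare_digest(stored.digest, hash_password(candidate, stored.salt))


def normalize_email(email: str) -> str:
    # Assumption: the account key is a lower-cased, trimmed email address.
    return email.strip().lower()


@dataclass
class DumpCheckResult:
    flagged: set = field(default_factory=set)  # emails whose leaked password works here
    mismatched: int = 0                         # known email, different password: no action
    unknown: int = 0                            # email not in the user store: skipped


def check_dump(users: dict, dump: list) -> DumpCheckResult:
    """Run every (email, password) pair from a leaked dump through the login
    verifier. Only a successful verification triggers an action (flag the user
    for a password change at next login); everything else is ignored."""
    result = DumpCheckResult()
    for leaked_email, leaked_password in dump:
        email = normalize_email(leaked_email)
        stored = users.get(email)
        if stored is None:
            result.unknown += 1
            continue
        if verify_login(stored, leaked_password):
            # Do not log leaked_password: nobody should handle the plaintext
            # beyond this transient comparison.
            result.flagged.add(email)
        else:
            result.mismatched += 1
    return result


# Constructed sample data: three accounts and a dump that reuses two of their passwords.
SAMPLE_USERS = {
    "alice@example.com": enroll("correct horse battery staple"),
    "bob@example.com": enroll("hunter2"),
    "carol@example.com": enroll("Tr0ub4dor&3"),
}
SAMPLE_DUMP = [
    ("Alice@Example.com", "correct horse battery staple"),  # reused password -> flag
    ("bob@example.com", "hunter3"),                         # close but different -> no action
    ("bob@example.com", "hunter2"),                         # same user, later entry matches -> flag
    ("dave@example.com", "letmein"),                        # not one of our users -> skipped
]

if __name__ == "__main__":
    r = check_dump(SAMPLE_USERS, SAMPLE_DUMP)
    print(f"flag for password change: {sorted(r.flagged)}; "
          f"mismatches: {r.mismatched}; unknown accounts: {r.unknown}")
```

Because each user has a distinct salt and the hash is deliberately slow, the scan cannot precompute anything: it pays one full password-hash computation per dump entry that names a known account, exactly as a login attempt would. That is the cost of doing the check without holding plaintext passwords, and it is also why a mismatch is silently dropped rather than recorded.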
According to Business Insider’s Julie Bort, Facebook has actually been doing this since last year’s massive hack of Adobe passwords. However, the company wanted to make the program public following reports earlier this week that millions of Dropbox passwords may have been swiped.
Of course, as Feinberg points out, “you shouldn’t be using the same password across multiple accounts in the first place. And two-factor authentication is almost always the best preemptive defense you can take. Still, if the worst does happen, and your password for every account you’ve had since middle school does end up on the big, wide internet, at least it’s being used for some good.”
Russell Brandom of The Verge added that the program is “a sign of how the security world has shifted in recent years. What used to be a public catastrophe is now easily protected against by ecosystem-level protections… password dumps that recycle old data from old hacks are causing less damage and raising less of an alarm. If you’ve ever worried about Russian hackers taking over your Facebook page, that’s very good news.”
In addition, Long suggested using Facebook Login when signing into other websites, since the feature removes the need to create or remember a new username or password. The third-party site cannot post to a user's Facebook account without permission, he said, and if that site is breached, the attacker does not obtain a copy of the user's Facebook credentials, because the site never held them.