Facebook Automates Fight Against Hackers - InformationWeek

10/17/2014
12:50 PM

Here's a sneak peek into the system Facebook uses to secure your account when other websites are hacked.

When a hacker reportedly stole 7 million Dropbox user credentials this week, Facebook ensured that the leaked data didn't compromise your Facebook account. Today, the social network offered a peek into the system it uses to keep users' accounts secure, even when other websites are breached.

"Theft of personal data like email addresses and passwords can have larger consequences because people often use the same password on multiple websites," said Chris Long, security engineer at Facebook. "Lots of household company names have experienced the unpleasant phenomenon of seeing account data for their sites show up in these public ['paste'] lists, and responding to these situations is time-consuming and challenging."

Facebook's automated system scans for large-scale data breaches and monitors a selection of sites that hackers commonly use to divulge the stolen data. "Once we find a set of stolen credentials, we pass the data into a program that parses it into a standardized format," Long said.

After Facebook's system downloads and parses the data, it hashes each password using its own internal algorithm. Hashing turns a plain-text password into a string of characters that is nearly impossible to decipher.

Because Facebook stores passwords as hashes, the company can't compare a password directly to the hacker's database. "We need to hash it first and compare the hashes," Long explained.

Facebook then uses an automated system to compare each email address and hashed password against its own database of email addresses and password hashes. If the hacked credentials match your Facebook credentials, the company will guide you through a process to change your password the next time you log in.

If the email and hash combination doesn't match, it means the stolen password is different from your Facebook password, so hackers won't be able to use that information to access your account.
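The parse, hash, and compare steps described above, as an added example that is not Facebook's code and does not come from the original article. It assumes PBKDF2-HMAC-SHA256 with a per-account salt as a stand-in for Facebook's undisclosed internal algorithm; the account store, paste lines, and function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: PBKDF2-HMAC-SHA256 with a per-account salt stands in for the
# site's undisclosed internal password-hashing algorithm.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

# Constructed account store: normalized email -> (salt, stored hash).
ACCOUNTS = {
    email: (salt, hash_password(pw, salt))
    for email, salt, pw in [
        ("alice@example.com", b"\x01" * 16, "correct horse"),
        ("bob@example.com", b"\x02" * 16, "hunter2"),
    ]
}

# Constructed paste: mixed delimiters and case, junk lines, an unknown address.
SAMPLE_PASTE = """\
# leaked accounts
Alice@Example.com:correct horse
bob@example.com;not-bobs-password
carol@example.org|letmein
this line is not a credential
"""

LINE_RE = re.compile(r"^\s*([^\s:;|,]+@[^\s:;|,]+)\s*[:;|,]\s*(.+?)\s*$")

def parse_dump(text: str):
    """Yield (normalized_email, password) pairs from a raw paste."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)

def accounts_needing_reset(text: str, accounts=ACCOUNTS) -> list[str]:
    """Return emails whose leaked password hashes to the stored value."""
    flagged = []
    for email, leaked_pw in parse_dump(text):
        record = accounts.get(email)
        if record is None:
            continue  # address is not one of ours
        salt, stored = record
        # Re-hash with this account's own salt, then compare in constant time.
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            flagged.append(email)
    return flagged
```

Because each stored hash is salted per account, the leaked password has to be re-hashed once per matching email address rather than hashed once and looked up in bulk.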

"The problem of password reuse on multiple websites is endemic and well documented," Long said. "The risks are also clear: If you use the same password on lots of websites, an attacker only has to get your password once to be able to access all of those accounts."

While Facebook's process aims to keep your account secure, there are other steps you can take to improve your safety.

Facebook's Login Approvals option uses two-factor authentication to verify your access from a browser you haven't used before. To enable this, visit your Security Settings page, check the box next to the Login Approvals option, and click Save Changes.

Your Security Settings page has other options you can opt into to keep your account safe. These include alerts via email, text message, and push notification if your account is accessed from a computer or device you haven't used before; adding friends to your Trusted Contacts list, which Facebook will notify if you've been locked out of your account; and details such as the browsers you often use and locations where you've logged into Facebook, which you can review, revoking access when necessary.

Kristin Burnham currently serves as InformationWeek.com's Senior Editor, covering social media, social business, IT leadership and IT careers. Prior to joining InformationWeek in July 2013, she served in a number of roles at CIO magazine and CIO.com, most recently as senior ...

Comments
nomii,
User Rank: Ninja
10/22/2014 | 12:55:14 AM
Re: two-factor authentication
@mak63 thanks for the elaboration. I am now more comfortable and feel that double authentication is fruitful if used in a true perspective. But it will be having some hitches as nothing is absolute in all senses.
PaulS681,
User Rank: Ninja
10/21/2014 | 7:07:05 PM
Facebook
Facebook is doing some good things to fight hackers. The only problem is the hackers might not get your data but Facebook has already proven that they are their own worst enemy.
mak63,
User Rank: Ninja
10/21/2014 | 3:57:05 PM
Re: two-factor authentication
@nomii

I'm incorrect saying that the two-factor authorization is based on IP. Actually, I made a test today from the same IP, but different computers, and Chase rejected my login saying it didn't recognize my computer. So, the two-factor authorization depends (in this case) on cookies and not IPs.
nomii,
User Rank: Ninja
10/21/2014 | 11:20:07 AM
Re: Same password
@Kristin I think that's the best and most sensible thing and I feel that it's best for most of us. We have tried many options but feel that old is gold. I now prefer to have password written down till the time I find something special which will satisfy me with its safety procedures.
nomii,
User Rank: Ninja
10/21/2014 | 11:14:24 AM
Re: two-factor authentication
@Mak63 can you please elaborate on the IP address authorization, as I am having some doubts in case you log on from some other location with a different IP address or with some proxy because the site is not accessible in your locality due to any reason. You are not providing fake info but your IP address is not the same?
nomii,
User Rank: Ninja
10/21/2014 | 11:09:45 AM
Re: Hacking problem
@Sachin EE I agree with you that browser history can play a significant role in hacking. I think we need to keep the history to a minimum just to avoid that lapse and try to refresh our history settings on regular occasions. I think another option which people use without knowing its effects is the automatic form filling option. I think most of us feel comfortable with auto filling as it has taken quite a burden from our heads of remembering long or difficult passwords, but on the other hand it is giving a free hand to hackers as well.
nomii,
User Rank: Ninja
10/21/2014 | 11:02:48 AM
Re: Same password
@[email protected] I agree with you that it's a really difficult task to remember so many passwords. As a remedy many people use the same passwords for all of their accounts, which made them liable to be hacked. People use a method of writing it down for remembrance but it is also a bad option as in case of leakage they are liable to be hacked. I think there is no easy option than keeping one lengthy sequence of words and using different combinations on different accounts.
freespiritny25,
User Rank: Ninja
10/20/2014 | 1:38:56 PM
Re: Same password
I text myself the passwords. Probably not smart if someone finds my phone, but I lock that too. I wish there was an easier way, but using the same password makes us a target. It's like leaving the car parked and unlocked, eventually something will get stolen.
TerryB,
User Rank: Ninja
10/20/2014 | 12:59:28 PM
Re: Same password
Kristin, my wife does the same thing. Of course I laugh at her when she can't find her notebook where she keeps them. :-) No system is perfect.
Kristin Burnham,
User Rank: Author
10/20/2014 | 10:22:26 AM
Re: Same password
I'll admit it: I've defaulted to the old pen-and-paper method for usernames and passwords. 