Facebook Automates Fight Against Hackers - InformationWeek
News | 10/17/2014, 12:50 PM
Here's a sneak peek into the system Facebook uses to secure your account when other websites are hacked.

When a hacker reportedly stole 7 million Dropbox user credentials this week, Facebook ensured that the leaked data didn't compromise your Facebook account. Today, the social network offered a peek into the system it uses to keep users' accounts secure, even when other websites are breached.

"Theft of personal data like email addresses and passwords can have larger consequences because people often use the same password on multiple websites," said Chris Long, security engineer at Facebook. "Lots of household company names have experienced the unpleasant phenomenon of seeing account data for their sites show up in these public ['paste'] lists, and responding to these situations is time-consuming and challenging."

Facebook's automated system scans for large-scale data breaches and monitors a selection of sites that hackers commonly use to divulge the stolen data. "Once we find a set of stolen credentials, we pass the data into a program that parses it into a standardized format," Long said.

After Facebook's system downloads and parses the data, it hashes each leaked password using the company's own internal algorithm. Hashing runs a plain-text password through a one-way function that produces a fixed-length string: the original password cannot practically be recovered from the hash, but a candidate password can be checked by hashing it the same way and comparing the results.

Because Facebook stores only hashes of its users' passwords, the company cannot compare a leaked plain-text password directly against its own database. "We need to hash it first and compare the hashes," Long explained.

Facebook then uses an automated system to compare each email-and-hash pair from the dump against its own database of email addresses and password hashes. If a leaked pair matches your Facebook credentials, the company will guide you through a process to change your password the next time you log in.

If the email and hash combination doesn't match, the stolen password is different from your Facebook password, so the leaked data cannot be used to get into your account.
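The parse, hash and compare pipeline described above, as an added Python example that is not Facebook's code. The paste contents, the account records and the hashing scheme are all constructed for illustration: Facebook has not published its internal algorithm, so salted PBKDF2-HMAC-SHA256 stands in for it. The example also makes explicit a step the article glosses over: with a per-user salt, the leaked plain-text password has to be hashed with the matching account's own salt and parameters before the two hashes are comparable, so the lookup by email comes first.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Tuple

# Constructed sample of a credential "paste" in the mixed formats such dumps
# typically use.  All addresses and passwords here are made up.
SAMPLE_PASTE = """\
# dump from example-site (constructed test data)
alice@example.com:hunter2
BOB@Example.com;correct horse battery staple
carol@example.com,Tr0ub4dor&3
not a credential line
dave@example.com:hunter2
"""

# Hashing parameters.  Facebook's real scheme is not public; PBKDF2-HMAC-SHA256
# with a per-user random salt stands in for "its own internal algorithm".
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted hash of a plain-text password (stand-in algorithm)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_record(password: str) -> Tuple[bytes, bytes]:
    """Simulate account creation: store (salt, hash), never the plain text."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed stand-in for the site's own account database, keyed by
# normalized email.  Alice and Dave reused their passwords on the breached
# site; Bob did not; Carol is not a user of this site at all.
USER_DB: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": make_user_record("hunter2"),
    "bob@example.com": make_user_record("a-different-password"),
    "dave@example.com": make_user_record("hunter2"),
}

# Accept the separators seen in such dumps; the password itself may contain
# spaces or punctuation, so split only on the first separator after the email.
LINE_RE = re.compile(r"^\s*([^\s:;,]+@[^\s:;,]+)\s*[:;,]\s*(.+?)\s*$")


def parse_paste(text: str) -> List[Tuple[str, str]]:
    """Parse a raw dump into standardized (email, password) pairs.

    Lines that do not look like credentials are skipped; emails are
    lower-cased so they match the account database's key."""
    pairs = []
    for line in text.splitlines():
        if not line or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def find_reused_passwords(text: str, db: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Return the accounts whose stored hash matches the leaked password.

    Each account has its own salt, so the leaked plain text is hashed with
    that account's salt before comparison; one global hash of the dump
    would never match anything."""
    flagged = []
    for email, leaked_password in parse_paste(text):
        record = db.get(email)
        if record is None:
            continue  # not one of our users; nothing to check
        salt, stored_hash = record
        candidate = hash_password(leaked_password, salt)
        if hmac.compare_digest(candidate, stored_hash):
            flagged.append(email)
    return flagged


if __name__ == "__main__":
    for email in find_reused_passwords(SAMPLE_PASTE, USER_DB):
        print(f"{email}: leaked password matches, force a reset at next login")
```

This check only works when the dump contains plain-text passwords (or passwords someone has already cracked); a dump of another site's hashes cannot be compared this way, because the other site's hash function and salts differ from your own. Accounts not in the database are ignored rather than logged, so the dump's contents are not copied into your own systems beyond the comparison.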

"The problem of password reuse on multiple websites is endemic and well documented," Long said. "The risks are also clear: If you use the same password on lots of websites, an attacker only has to get your password once to be able to access all of those accounts."

While Facebook's process aims to keep your account secure, there are other steps you can take to improve your safety.

Facebook's Login Approvals option uses two-factor authentication to verify your access from a browser you haven't used before. To enable this, visit your Security Settings page, check the box next to the Login Approvals option, and click Save Changes.

Your Security Settings page has other options you can opt into to keep your account safe. These include alerts via email, text message, or push notification if your account is accessed from a computer or device you haven't used before; adding friends to your Trusted Contacts list, whom Facebook will notify if you've been locked out of your account; and details such as the browsers you often use and the locations where you've logged into Facebook, which you can review, revoking access where necessary.

Kristin Burnham currently serves as InformationWeek.com's Senior Editor, covering social media, social business, IT leadership and IT careers. Prior to joining InformationWeek in July 2013, she served in a number of roles at CIO magazine and CIO.com, most recently as senior ...

Comments
Lorna Garey, User Rank: Author, 10/17/2014 | 4:22:05 PM
Pretty brilliant -- and expensive
That's a smart strategy that should make people feel better about using FB to authenticate to other sites. However, think about how much it costs to maintain the expertise to find and mine all of these sites.
H@mmy, User Rank: Ninja, 10/18/2014 | 6:45:01 AM
Same password
It's true that many people use the same password on different websites, which makes the situation worse, but it is not easy for anyone to remember 20-25 different passwords and keep guessing when you need to log in. These security breaches must put security researchers to action.
Ariella, User Rank: Author, 10/19/2014 | 10:40:40 AM
Re: Same password
@H@mmy true. What they should do, though, is not use birthdays and anniversaries that are made public on FB as their FB or other passwords.
SachinEE, User Rank: Ninja, 10/19/2014 | 1:23:38 PM
Hacking problem
"The problem of password reuse on multiple websites is endemic and well documented," Long said. "The risks are also clear: If you use the same password on lots of websites, an attacker only has to get your password once to be able to access all of those accounts."

The problem with the internet is that it leaves traces of where you've been. A skilled hacker can login using the same password in multiple sites by checking your browser history. If browsers could come up with better protection then hackers would have had less dexterity in getting illegal information.
SachinEE, User Rank: Ninja, 10/19/2014 | 1:26:24 PM
Re: Same password
What people can do, though, is have 4 to 5 passwords thoroughly memorized, because storing them on a digital device with an internet connection would mean it is possible to hack that device as well. In house automation systems, biometric signatures are used as passwords and that is a safe bet. If Facebook or other sites could use smart password protection then that wouldn't be a problem.
mak63, User Rank: Ninja, 10/20/2014 | 12:35:36 AM
two-factor authentication
Facebook's Login Approvals option uses two-factor authentication to verify your access from a browser you haven't used before.

Chase has been doing something similar for a long time. If I'm not mistaken, Chase checks your IP address, not a browser.
I believe two-factor authentication should be a default action when accessing an important site from another computer, but not so much from another browser.
jagibbons, User Rank: Ninja, 10/20/2014 | 7:08:45 AM
Re: two-factor authentication
One reason behind requiring a two-factor verification for each browser is so that malware with built-in tools to access the internet can't piggy-back on a previous authentication that may be sitting on that computer. I'm sure there are others as well, but I find two-factor authentication to be a great way of making sure the individual using the password at that time is the individual who owns that password.
jagibbons, User Rank: Ninja, 10/20/2014 | 7:12:09 AM
Re: Same password
Or, use a password vault tool. These tools generate and store an infinite number of unique passwords. They are secured by a single pin that you use to open the tool, but it is easy to protect a single password or pin much like one would protect their ATM pin. I use a tool called Splash ID Safe, that syncs my encrypted password data between a computer, my Android phone and my iPad. There are at least half a dozen good tools like this available out there.
Kristin Burnham, User Rank: Author, 10/20/2014 | 10:22:26 AM
Re: Same password
I'll admit it: I've defaulted to the old pen-and-paper method for usernames and passwords.
TerryB, User Rank: Ninja, 10/20/2014 | 12:59:28 PM
Re: Same password
Kristin, my wife does the same thing. Of course I laugh at her when she can't find her notebook where she keeps them. :-)  No system is perfect.