Facebook has again shown how not to do password security, as Krebs on Security broke the news that Facebook has been storing plaintext passwords for years in an internal, searchable database.
The number of potentially impacted passwords is in the hundreds of millions, and the number of employees able to peruse the list is in the tens of thousands. Operationally, the numbers are lower: Krebs's source within Facebook mentioned 2,000 Facebook employees making about 9 million queries.
Plaintext and no salt
Plaintext means that the passwords sat unencrypted in the database. Think of this as a shared file folder on your computer that only a limited number of people can open – but once opened, they can see everything.
Security-minded firms usually keep private data such as passwords encrypted or otherwise obscured in a “hashed and salted” form while it is stored internally. A hash is a one-way transformation, so the stored value cannot be turned back into the password, and a random per-user salt means two users with the same password do not end up with the same stored value. Access to the individual files is also limited. And even if the entire file is leaked, the data is unreadable.
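To make the difference concrete, here is an added Python example (not from the original article) that stores one password both ways: as the plaintext the article criticises, and as a salted, deliberately slow hash. The PBKDF2 parameters and the record layout are this example's own choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Example parameters (chosen for this illustration): PBKDF2-HMAC-SHA256 with a
# high iteration count so that each guess against a leaked record is expensive.
ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The storage the article describes: whoever can read the record reads the password."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (all hex)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def compare_storage(password: str) -> dict:
    """Store the same password two ways and report what a reader of each record learns."""
    plain_record = store_plaintext(password)
    hashed_a = hash_password(password)
    hashed_b = hash_password(password)  # a second user with the same password
    return {
        "plaintext_record_reveals_password": password in plain_record,  # True
        "hashed_record_reveals_password": password in hashed_a,         # False
        "two_users_same_password_identical_records": hashed_a == hashed_b,  # False: salts differ
        "login_still_works": verify_password(password, hashed_a),       # True
    }


if __name__ == "__main__":
    # Constructed sample password; any string works here.
    for key, value in compare_storage("correct horse battery staple").items():
        print(f"{key}: {value}")
```

Without the salt, every user who picked the same password would share one stored value, which is exactly what the per-user salt is there to prevent.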
“History has shown that the real problem is internal threat actors, like rogue employees, misusing the plain text passwords. Instead of trusting random employees at any organization, including Facebook, businesses have to prevent data leakage by securely storing passwords. How can consumers protect their accounts? Everyone should use unique and secure passwords for all accounts, preventing attackers from reusing stolen passwords on other accounts. Password managers are the right tools to create and store secure passwords across all accounts,” explained Matthias Ollig, CTO at Avira.
They say you should relax
Facebook thinks people should relax. As the company stated: “we have found no evidence to date that anyone internally abused or improperly accessed them.” Nevertheless, it will be notifying hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.
Something else to hit the revolving propeller
The bigger problem is that this is just another entry in a string of Facebook security gaffes. Other recent issues have included sharing users’ private messages with advertisers and letting users be looked up by their phone numbers – defeating the point of the number they had supplied for two-factor authentication. It’s enough to make you wonder whether your own Facebook account has been hacked.
Can they really do security?
Moreover, this comes as Facebook has announced a pivot to privacy and signaled its intention to combine its various messaging apps into a single structure. While it can probably manage the technical merger of these apps, it remains an open question whether it is able and ready to handle the privacy part of its planned new equation.
Change your passwords – NOW!
Even if you were not notified by Facebook, you should change your password – just in case. It’s easy; all you need to do is follow the security tips below:
- Use a unique password for each of your accounts. When a website gets hacked, one of the first things the bad guys do is check whether your username/email address/password combination works on other (high-profile) sites.
- Your password should consist of at least twelve characters – the more the better. It should include upper- and lower-case letters, numbers, and special characters.
- Try to create passwords that can’t be found in a dictionary. Attackers nowadays have programs that cycle through dictionaries to check whether they can access your account.
- Don’t use character strings like 12345, abcde, qwertyui, etc.
- Use passwords that can’t be associated with you: your dog’s name, birthdays of family members or yourself, or your favorite sport are not a good idea.
- Change your password regularly – especially for your email and online banking/online payment accounts.
- Don’t write down your passwords, and never ever share them.
If you have trouble coming up with a good, strong, and complex enough password, you can always use a good password manager to create one for you.