These days, pilfered logins are falling like autumn leaves (only last week, for example, it emerged that thousands of Dropbox logins had been stolen from a third-party service).
Crooks will often try to increase their bounty by testing out the credentials they've captured on other websites.
If users have reused their passwords on sites like Twitter and
Facebook then the crooks can access those accounts too and then either
exploit or sell them.
The problem is so serious that Facebook has revealed that it is
actually watching for news of big breaches, raking up as many
password/username combinations posted by crooks online as it can find,
and sifting through them to see if any can be used to unlock Facebook
accounts.
If Facebook does find a match, it notifies the affected user. The
next time he or she logs in, Facebook guides them through the process of
changing their password.
In an official blog post,
Facebook security engineer Chris Long on Friday described the system
the company has built to search sites where stolen credentials tend to
wind up.
From the post:
Unfortunately, it's common for attackers to publicly post the email addresses and passwords they steal on public 'paste' sites.
Lots of household company names have experienced the unpleasant phenomenon of seeing account data for their sites show up in these public lists, and responding to these situations is time-consuming and challenging.
No worries: Facebook's doing a good thing and it's doing it without
putting your passwords at risk by storing them in plain text.
As Long explained, what Facebook looks for on the paste sites are
stolen email/password combinations. The stolen credentials are then run
through the same code Facebook uses to check people's passwords when
they log in.
When you log in to Facebook, an algorithm turns your password into a salted hash.
That hash is compared with one that Facebook has on record for your
account. If the hashes match then Facebook knows that you've supplied
the right password.
Two identical passwords put through the same hashing algorithm will
produce identical hashes but, crucially, those hashes cannot be
'decrypted' back into the passwords that created them. So storing hashes
derived from passwords is about the safest way to store user
credentials.
Facebook has simply adapted the way it handles logins to test
credentials leaked from breaches. Here are the details of how that
works:
- Once Facebook finds a set of stolen credentials, it passes the data into a program that parses it into a standardized format.
- After the data has been downloaded and parsed, an automated system checks each set of stolen credentials against the Facebook internal databases to see if any of the email addresses and hashed passwords match valid login information on Facebook. Each password is hashed using its internal password hashing algorithm and the unique salt for a given user. Since Facebook stores passwords securely as hashes, Long stressed, it can't simply compare a password directly to the database. First, the company needs to hash it, then compare the hashes.
- If the email and hash combination doesn't match, Facebook doesn't take any action. A mismatch indicates that the stolen password is different than the password a user has employed on Facebook, and therefore an attacker wouldn't be able to use that password to access the user's Facebook account.
- If the email address and hash combination does match, the user will be notified the next time that he or she uses Facebook. They'll be guided through a process to change their password, which will invalidate the stolen password and help protect the user's Facebook account.
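The four steps above, as an added example that is not Facebook's code: a constructed paste dump is parsed into email/password pairs, each password is hashed with that user's own salt, and only matches are flagged for a forced reset. PBKDF2-SHA256 with 100,000 iterations stands in for Facebook's undisclosed internal hashing; the user records and dump lines are constructed.

```python
import hashlib
import hmac
import os

# Stand-in for the site's password hashing (an assumption, not Facebook's algorithm).
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_user(email: str, password: str) -> dict:
    """Build a constructed user record: unique random salt plus salted hash."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}

USERS = {u["email"]: u for u in [
    make_user("alice@example.com", "correct horse battery"),  # reused elsewhere
    make_user("bob@example.com", "hunter2"),                  # unique to this site
]}

# Constructed paste dump: one "email:password" per line, plus some noise lines.
PASTE = """\
alice@example.com:correct horse battery
bob@example.com:letmein
# dumped 2014
carol@example.com:qwerty
malformed line without separator
"""

def parse_dump(text: str) -> list:
    """Step 1: normalise the dump into (email, password) pairs, skipping junk."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs

def find_reused(pairs, users) -> list:
    """Steps 2-4: hash each leaked password with the user's salt; return matches."""
    hits = []
    for email, password in pairs:
        user = users.get(email)
        if user is None:
            continue  # address not registered here: no action
        candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            hits.append(email)  # flag for guided password change at next login
    return hits

if __name__ == "__main__":
    print(find_reused(parse_dump(PASTE), USERS))  # ['alice@example.com']
```

Only the match list leaves this function; the plaintext passwords from the dump are never stored alongside the user records.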
Long didn't specify what parts of the system might be new, but the basic idea, at least, goes back some time.
For example, in November 2013, Facebook suspended user accounts
in the wake of the mega Adobe breach, basically locking any accounts
that used the same login credentials on Adobe and Facebook in a closet
until users cooked up a new password.
Facebook's watching out for password reuse in this way isn't Big
Brother-ish. It's actually quite Good Brother-ish. They're working to
protect password reusers from themselves, and that's a good thing.
But that's no excuse to reuse passwords. Facebook's protecting its
users' Facebook accounts from being hijacked, but that's certainly not
going to stop a crook from reusing stolen credentials on whatever other
sites they're being used on: a Gmail account? A bank account? Twitter?
All of the above?
With password reuse, a thief who gets hold of one set of credentials has gotten hold of all the accounts.
To ensure that burglars can't break into every room in your internet
house, we all should be following the simple rule: One Site, One
Password.
We can't rely on Facebook to cover us outside of Facebook, but we can
sure try to trip up crooks by coming up with unique, complex passwords:
one for every room of your internet house.