Any given week, I find myself writing about yet another security breach in which usernames and passwords are at risk. The risk isn’t always limited to just the breached site either, as there are multiple examples of breaches in one location leading to attacks in another. It’s a situation that Facebook understands well, and it is now taking proactive measures to defend its own users.
One example of a breach with collateral damage is the Google exploit of 5 million accounts back in September. Google claimed that its servers were not in fact breached, but another third-party site was, which led to the leak. Google had to reset 100,000 user accounts as a result. The popular WordPress.com blogging platform also had to reset 100,000 user passwords in the wake of the Google account leak. WordPress users apparently had reused passwords.
Last week, online file sharing service Dropbox had a similar incident, with hackers alleging a breach that Dropbox denied. Again, the likely root cause of the breach was a third-party site—and password reuse by users.
More often than not, attackers will dump their breached password lists online (typically to Pastebin), making it easy for anyone to scan and use. While those password lists can potentially be used to exploit users, Facebook is using those online user credential dumps to secure its users.
“We built a system dedicated to further securing people’s Facebook accounts by actively looking for these public postings, analyzing them, and then notifying people when we discover that their credentials have shown up elsewhere on the Internet,” Facebook Security Engineer Chris Long wrote in a Facebook note.
That sure seem like an obvious idea to me. Rather than wait for bad things to happen to its users, Facebook is taking a proactive stance with this password effort. If Facebook does as promised, users could be protected from data breaches that they aren’t even aware of.
Given the volume of password breaches that are reported and Facebook’s massive user base, the task of correlating breached credentials with valid Facebook users is nontrivial. What Facebook has done is create an automated system that checks leaked credentials against its own internal user databases. Facebook doesn’t store its own users’ passwords in some form of clear text format, but rather uses a hashing algorithm.
“Since Facebook stores passwords securely as hashes, we can’t simply compare a password directly to the database,” Long wrote. “We need to hash it first and compare the hashes.”
As is the case with Google, Facebook has a particular responsibility for its user credentials that goes beyond just access to facebook.com. Both Google and Facebook access credentials can also be used to log onto other sites and services.
By re-emphasizing its focus on username/password security here, Facebook is making a wider case for the use of its Facebook Login technology that is used to securely access other sites. After all, if users know and trust that Facebook is going that extra mile to help them secure their access information, they just might be more likely to use Facebook Login in the first place.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.