By Amit Chowdhry
Some of the largest companies around the world have been dealing with security breaches over the last couple of years. Making matters worse, people often use the same e-mail address and password combinations on multiple websites. Consequently, attackers have been able to successfully use some of the stolen login credentials to log into multiple websites associated with the victim, including Facebook, Google, Dropbox, Twitter, Instagram and Snapchat. Fortunately, Facebook has a way of warning users if their passwords were stolen.
Facebook security engineer Chris Long said that the social network specifically looks at websites where hackers leak e-mail addresses and passwords. Facebook built a tool that actively looks for public postings on websites like Pastebin.com containing login credentials and notifies account owners if their information has been compromised. In the notification, Facebook guides those users with a tutorial on how to change their password. “This is a completely automated process that doesn’t require us to know or store your actual Facebook password in an unhashed form. In other words, no one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time,” said Long in a recent blog post entitled Keeping Passwords Secure.
Once the data is downloaded and parsed, the automated system checks each e-mail and password pair against Facebook’s internal databases to see whether any of the leaked credentials matches valid login information on Facebook. Facebook stores passwords as hashes in its own database, so it has to hash the leaked credentials first and then compare the results. Hashing lets Facebook verify whether an input matches the stored hash value without keeping the original text, such as passwords or credit card details, in a recoverable form.
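The matching process described above, as an added illustration that is not Facebook's code: leaked `email:password` lines from a constructed paste are run through the same salted hash check a login would use, so only stored hashes are ever consulted and only matching accounts are flagged for a reset notice. PBKDF2, the iteration count and the sample accounts are assumptions; Facebook's real hashing scheme is not public.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; Facebook's actual scheme is not public


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier. The same function serves login and leak checks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    return hmac.compare_digest(hash_password(password, salt), stored)


def parse_paste(text: str) -> list[tuple[str, str]]:
    """Pull email:password pairs out of a public paste, skipping malformed lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" in email:
            pairs.append((email.strip().lower(), password))
    return pairs


def find_compromised(paste_text: str, accounts: dict) -> list[str]:
    """Return emails whose leaked password matches the account's stored hash.
    accounts maps email -> (salt, stored_hash); no plaintext is ever stored."""
    hits = []
    for email, password in parse_paste(paste_text):
        record = accounts.get(email)
        if record and verify_password(password, *record):
            hits.append(email)  # caller would trigger the password-reset notification
    return hits


def demo() -> list[str]:
    """Constructed sample: one real match, one stale password, one unknown email."""
    def make(pw):
        salt = os.urandom(16)
        return (salt, hash_password(pw, salt))
    accounts = {"alice@example.com": make("hunter2"), "bob@example.com": make("Tr0ub4dor&3")}
    paste = "alice@example.com:hunter2\nbob@example.com:oldpassword\ncarol@example.com:x\nnot a record\n"
    return find_compromised(paste, accounts)
```

Only alice is flagged: bob's leaked password no longer matches his stored hash, and carol has no account on the service.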
Facebook suggested a couple of ways to take extra precaution in protecting your login credentials. The first suggestion is to set up two-factor authentication, which requires you to enter a security code from your phone when you log in from a new browser. And the second suggestion is to use Facebook Login when you use third-party websites and apps so you do not have to remember separate usernames and passwords.
Facebook started tracking public postings of leaked login credentials after Adobe announced in October 2013 that its servers had been hacked, exposing millions of usernames and passwords. Facebook compared the login credentials of its own users against the Adobe data. For security purposes, Facebook hid the profiles of users whose credentials matched those leaked from Adobe. Here is the warning that Facebook showed users affected by the Adobe hack (h/t KrebsOnSecurity):
What are some other ways to remain proactive in terms of password security? I recommend changing your password every time there is news about a major security breach. Generally, I change my password five to six times per year. The website IsLeaked.com can check to see if your e-mail address has been leaked on ‘paste’ sites as well.