These days, pilfered logins are falling like autumn leaves (only last week it emerged that thousands of Dropbox logins had been stolen from a third-party service, for example).
Crooks will often try to increase their bounty by testing out the credentials they’ve captured on other websites.
If users have reused their passwords on sites like Twitter and Facebook, the crooks can access those accounts, too, and either exploit or sell them.
The problem is so serious that Facebook has revealed that it’s actually watching for news of big breaches, raking up as many password/username combinations posted by crooks online as it can find, and sifting through them to see if they can be used to unlock Facebook accounts.
If Facebook does find a match, it notifies the affected user. The next time he or she logs in, Facebook guides them through the process of changing their password.
In an official blog post, Facebook security engineer Chris Long on Friday described the system the company has built to search sites where stolen credentials tend to wind up.
From the post:
Unfortunately, it's common for attackers to publicly post the email addresses and passwords they steal on public 'paste' sites.
Lots of household company names have experienced the unpleasant phenomenon of seeing account data for their sites show up in these public lists, and responding to these situations is time-consuming and challenging.
No worries: Facebook’s doing a good thing and it’s doing it without putting your passwords at risk by storing them in plain text.
As Long explained, what Facebook looks for on the paste sites are stolen email/password combinations. The stolen credentials are then run through the same code Facebook uses to check people’s passwords when they log in.
When you log in to Facebook, an algorithm turns your password into a salted hash. That hash is compared with the one that Facebook has on record for your account. If the hashes match, then Facebook knows that you’ve supplied the right password.
Two identical passwords put through the same hashing algorithm will produce identical hashes but, crucially, those hashes cannot be ‘decrypted’ back into the passwords that created them. So storing hashes derived from passwords is about the safest way to store user credentials.
Facebook has simply adapted the way it handles logins to test credentials leaked from breaches. Here are the details of how that works:
- Once Facebook finds a set of stolen credentials, it passes the data into a program that parses it into a standardized format.
- After the data has been downloaded and parsed, an automated system checks each set of stolen credentials against Facebook’s internal databases to see if any of the email addresses and hashed passwords match valid login information on Facebook. Each password is hashed using Facebook’s internal password hashing algorithm and the unique salt for the given user. Since Facebook stores passwords securely as hashes, Long stressed, it can’t simply compare a password directly to the database. First, the company needs to hash it, then compare the hashes.
- If the email and hash combination doesn’t match, Facebook doesn’t take any action. A mismatch indicates that the stolen password is different from the password the user has employed on Facebook, and therefore an attacker wouldn’t be able to use that password to access the user’s Facebook account.
- If the email address and hash combination does match, the user will be notified the next time that he or she uses Facebook. They’ll be guided through a process to change their password, which will invalidate the stolen password and help protect the user’s Facebook account.
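As an added illustration (not Facebook’s code; its internal hashing scheme is not public), here is the same pipeline in Python: parse a constructed paste into a standardized list, re-hash each leaked password with the matching user’s own salt, and flag only exact hash matches. PBKDF2-HMAC-SHA256 with a per-user random salt stands in for the internal algorithm.

```python
import hashlib
import hmac
import os
# Assumed stand-in for the site's internal password hashing algorithm:
# PBKDF2-HMAC-SHA256 with a per-user random salt (the real scheme is not public).
ITERATIONS = 100_000

def hash_password(password, salt):
    """The same salted hash that is computed on every login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(db, email, password):
    """Store only (salt, hash) for a user; the plaintext password is never kept."""
    salt = os.urandom(16)
    db[email] = (salt, hash_password(password, salt))

def parse_paste(text):
    """Parse a raw dump into a standardized list of (email, password) pairs.
    Accepts 'email:password' and 'email,password' lines; skips blanks and comments."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for sep in (":", ","):
            if sep in line:
                email, password = line.split(sep, 1)
                creds.append((email.strip().lower(), password))
                break
    return creds

def find_reused(db, leaked):
    """Return the emails whose leaked password re-hashes to the stored hash."""
    hits = []
    for email, password in leaked:
        record = db.get(email)
        if record is None:
            continue  # no account for this email: nothing to check
        salt, stored = record
        # Re-hash with that user's own salt and compare in constant time
        if hmac.compare_digest(hash_password(password, salt), stored) and email not in hits:
            hits.append(email)
    return hits

# Constructed sample data: Alice reused her leaked password, Bob did not
USER_DB = {}
register(USER_DB, "alice@example.com", "correct horse battery staple")
register(USER_DB, "bob@example.com", "unique-to-this-site-only")
SAMPLE_PASTE = "alice@example.com:correct horse battery staple\nbob@example.com:password123\nnobody@example.com,hunter2\n"
```

Only the users returned by `find_reused` would be prompted to change their password; a mismatch or an unknown email produces no action, as the post describes.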
Long didn’t specify what parts of the system might be new, but the basic idea, at least, goes back some time.
For example, in November 2013, Facebook suspended user accounts in the wake of the mega Adobe breach, basically locking any accounts that used the same login credentials on Adobe and Facebook in a closet until users cooked up a new password.
Facebook’s watching out for password reuse in this way isn’t Big Brother-ish. It’s actually quite Good Brother-ish. They’re working to protect password reusers from themselves, and that’s a good thing.
But that’s no excuse to reuse passwords. Facebook’s protecting its users’ Facebook accounts from being hijacked, but that’s certainly not going to stop a crook from reusing stolen credentials on whatever other sites they’re being used on: a Gmail account? A bank account? Twitter? All of the above?
With password reuse, a thief who gets hold of one set of credentials has gotten hold of all the accounts.
To ensure that burglars can’t break into every room in your internet house, we all should be following the simple rule: One Site, One Password.
To hear more password rules and regulations, including a drill-down on password reuse, you might want to check out this Sophos Techknow podcast entitled Busting Password Myths.
We can’t rely on Facebook to cover us outside of Facebook, but we can sure try to trip up crooks by coming up with unique, complex passwords: one for every room of your internet house.