Facebook buys black market passwords to keep your account safe

Published: Nov. 10, 2016 at 9:01 PM CST

For a data-saturated company of its size and scope, Facebook has notably managed to avoid the kind of security scandals, breaches and hacks that have affected many other major web companies.

Take a closer look, and you’ll see why. Though on the surface all seems calm, below the waves the social network is kicking its legs frantically and working around the clock to keep users’ accounts safe.

Keeping Facebook safe and keeping it secure are two different things, the social network’s chief security officer, Alex Stamos, said Wednesday at Web Summit in Lisbon. Security is about building walls to keep out threats and shore up defenses, but according to Stamos, safety is bigger than that.

“It turns out that we can build perfectly secure software and yet people can still get hurt,” he said.

Stamos came to Facebook in summer 2015 from Yahoo and now leads a team at the social network that tries to get ahead of hackers and other threats and head off trouble before it strikes. The biggest headache he deals with is caused by the humble password.

“The reuse of passwords is the No. 1 cause of harm on the internet,” said the security chief.

When passwords are stolen en masse and traded on the black market, it becomes apparent just how many of them are the same -- “123456” and its consecutive numerical brethren are the main culprits. If you’re using one of these passwords, that automatically makes your account more vulnerable to being compromised. This is something Facebook is keen to help you avoid.

To check that Facebook members are not choosing these commonly used passwords for their accounts, Stamos revealed, the social network buys passwords hackers are selling on the black market and cross-references them with encrypted passwords used on the site. He described the task as “computationally heavy” but said that as a result of the exercise Facebook has been able to alert tens of millions of users that their passwords needed changing because they weren’t strong enough.
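The cross-referencing step Stamos describes can be illustrated in code. The example below is added here and is not Facebook's code; it assumes the site stores passwords as per-user salted PBKDF2 hashes (the article only says "encrypted"), and the account names, passwords and leaked list are all constructed for the demonstration. Because each user has a distinct salt, every leaked password has to be re-hashed once per user, which is why the check is expensive; the block also shows the cheaper alternative of rejecting a known-leaked password at the moment a user chooses it.

```python
import hashlib
import hmac
import os

# Low iteration count only to keep the demo fast; production settings are far higher.
ITERATIONS = 1_000

# Constructed sample accounts (plaintext here only so we can build the store).
USERS = {
    "alice": "123456",
    "bob": "correct horse battery staple",
    "carol": "password1",
}

# Constructed stand-in for a purchased breach dump (duplicates are typical).
LEAKED = ["123456", "password1", "qwerty", "123456"]


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the assumed storage format for this demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_store(user_passwords: dict) -> dict:
    """Build a credential store: username -> (salt, hash), one random salt per user."""
    store = {}
    for user, pw in user_passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def find_compromised_accounts(store: dict, leaked_passwords: list) -> dict:
    """Return {username: leaked_password} for every account whose stored hash
    matches a password from the leak. Per-user salts force
    len(store) * len(unique leaked) PBKDF2 evaluations: the heavy part."""
    leaked = list(dict.fromkeys(leaked_passwords))  # de-duplicate, keep order
    hits = {}
    for user, (salt, stored) in store.items():
        for candidate in leaked:
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                hits[user] = candidate
                break  # one match is enough to flag the account
    return hits


def acceptable_new_password(new_password: str, leaked_passwords: list) -> bool:
    """Cheaper check at password-set time: refuse anything already in the leak."""
    return new_password not in set(leaked_passwords)


def demo() -> dict:
    """Run the offline cross-reference over the constructed data."""
    return find_compromised_accounts(make_store(USERS), LEAKED)


if __name__ == "__main__":
    for user, pw in demo().items():
        print(f"{user}: password found in leak ({pw!r}), prompt a reset")
```

Running it flags alice and carol and leaves bob alone; at scale the same loop explains why this is a batch job rather than something done on every login.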

Facebook provides a whole bunch of tools for users to make the security on an account nice and tight, ranging from traditional two-factor authentication to identifying faces of friends. But for Stamos, this is only part of the solution when it comes to keeping people safe.

“Even though we provide these options, it is our responsibility to think about those people that choose not to use them,” he said.

One way the company does this is to apply machine learning algorithms to Facebook’s social graph to establish whether activity on your account is fraudulent. Another concept currently in the works tackles the problem of account recovery. If hackers find their way into your email, it’s easy for them to seize your Facebook account too, by choosing the password reset option. Instead, Facebook wants people to allow their close friends to verify an account-recovery request on their behalf.

“Usernames and passwords are an idea that came out of 1970s mainframe architectures,” said Stamos. “They were not built for 2016.”