How Facebook Finds Out If Your Passwords Were Stolen

Some of the largest companies around the world have been dealing with security breaches over the last couple of years. Making matters worse, people often use the same e-mail address and password combinations on multiple websites. Consequently, attackers have been able to successfully use some of the stolen login credentials to log into multiple websites associated with the victim, including Facebook, Google, Dropbox, Twitter, Instagram and Snapchat. Fortunately, Facebook has a way of warning users if their passwords were stolen.
Facebook security engineer Chris Long said that the social network specifically looks at websites where hackers leak e-mail addresses and passwords. Facebook built a tool that actively looks for public postings on websites like Pastebin.com containing login credentials and notifies account owners if their information has been compromised. In the notification, Facebook guides those users with a tutorial on how to change their password. “This is a completely automated process that doesn’t require us to know or store your actual Facebook password in an unhashed form. In other words, no one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time,” said Long in a recent blog post entitled Keeping Passwords Secure.
Once the data is downloaded and parsed, the automated system checks each leaked e-mail and password pair against Facebook’s internal databases to see whether it matches valid login information on Facebook. Because Facebook stores passwords only as hashes in its own database, it has to hash each leaked password the same way before comparing it. Hashing lets Facebook verify whether an input matches the stored hash value without ever recovering the original text, whether that text is a password, credit card details or other sensitive data.
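The check Long describes, as an added illustration rather than Facebook's own code (which is not public): leaked e-mail/password pairs are parsed out of a paste and each one is run through the same verify routine the login path uses, so only salted hashes are ever stored. The credential store, the paste lines and the hashing parameters are constructed for this example.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for the site's credential store: email -> (salt, hash).
# Only salted hashes are kept; plaintext passwords are never stored.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def register(db: dict, email: str, password: str) -> None:
    salt = os.urandom(16)
    db[email.lower()] = (salt, hash_password(password, salt))

def verify_login(db: dict, email: str, password: str) -> bool:
    """Login-path check: re-hash with the account's own salt, constant-time compare."""
    record = db.get(email.lower())
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)

# Leaked lines usually look like "email:password" or "email;password".
PASTE_LINE = re.compile(r"^\s*([^\s:;,|]+@[^\s:;,|]+)\s*[:;,|\t ]\s*(\S.*?)\s*$")

def parse_paste(text: str) -> list:
    """Extract (email, password) pairs; lines that do not fit are ignored."""
    pairs = []
    for line in text.splitlines():
        m = PASTE_LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def find_compromised(db: dict, paste_text: str) -> set:
    """Accounts whose current password appears in the paste (checked via verify_login)."""
    return {email.lower() for email, pw in parse_paste(paste_text)
            if verify_login(db, email, pw)}

SAMPLE_PASTE = """\
--- dump from some-other-site (constructed sample, not a real leak) ---
alice@example.com:hunter2
bob@example.com:correct horse battery staple
carol@example.com;Winter2013!
"""

def demo() -> set:
    db = {}
    register(db, "alice@example.com", "hunter2")       # reused the leaked password
    register(db, "bob@example.com", "unique-here-9$")  # uses a different password
    register(db, "carol@example.com", "Winter2013!")   # reused the leaked password
    return find_compromised(db, SAMPLE_PASTE)  # {'alice@example.com', 'carol@example.com'}
```

Because every stored hash has its own salt, a leaked password can only be checked by re-hashing it with that account's salt; hashes copied from another site cannot be compared directly, which is why the pairs go through the login check itself.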
Facebook suggested a couple of ways to take extra precautions in protecting your login credentials. The first suggestion is to set up two-factor authentication, which requires you to enter a security code from your phone when you log in from a new browser. The second suggestion is to use Facebook Login on third-party websites and apps so you do not have to remember separate usernames and passwords.
[Image: Facebook Login. Credit: Facebook]
Facebook started tracking public postings of leaked login credentials after Adobe announced in October 2013 that its servers had been hacked, exposing millions of usernames and passwords. Facebook compared the leaked Adobe credentials against those of its own users and, for security purposes, hid the profiles of users whose credentials matched. Here is the warning that Facebook showed users affected by the Adobe hack (h/t KrebsOnSecurity):
[Image: Facebook warning shown to affected users. Credit: Krebs On Security]
What are some other ways to remain proactive in terms of password security? I recommend changing your password every time there is news about a major security breach. Generally, I change my password five to six times per year. The website IsLeaked.com can check to see if your e-mail address has been leaked on ‘paste’ sites as well.
What are your thoughts about Facebook’s method for finding out if your password is stolen? Let us know in the comments below!
