Facebook Forces Some Users To Reset Passwords

Published: 22/11/2024   Category: security

Facebook is asking users whose passwords may have been exposed on other sites to change their passwords before they can access the social network.


Score one for the password police: multiple sites, including Facebook, have been forcing users to reset their passwords if they've reused their Facebook password on a site that suffered a data breach.
"Recently, there was a security incident on another website unrelated to Facebook," reads a warning message some users have recently been seeing when they try to access the social network. "Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places."
"To secure your account, you'll need to answer a few questions and change your password. For your protection, no one can see you on Facebook until you finish," the warning adds.
In recent days, sites such as Diapers.com and Soap.com have likewise warned some users that their passwords were reused on a site that recently suffered a breach, and must be reset.
"We actively look for situations where the accounts of people who use Facebook could be at risk -- even if the threat is external to our service," Facebook spokesman Jay Nancarrow told security reporter Brian Krebs. "When we find these situations, we present messages like the [above] to help affected people secure their accounts."
Reached via email, Nancarrow declined to detail the number of users that have seen Facebook's warning message.
The likely data breach victim behind all three sites' recent warning messages is Adobe, which last month warned that 3 million usernames and encrypted passwords had been stolen, and forced all users to reset their passwords. Subsequently, however, the company expanded its estimate of affected Adobe customers to 38 million.
What's the risk? Many people practice horrible password hygiene by reusing their password across multiple sites. Accordingly, if their username and password get stolen, an attacker can reuse those credentials to gain direct access to the person's account on another site.
Given the logistical challenge of maintaining different yet complex passwords for a range of different sites, security experts recommend that people employ a password manager. Not only can such tools keep passwords synchronized across multiple devices, but they can also generate strong, long, random and thus relatively complex and tough-to-crack passwords.
Still, user-selected complexity only goes so far. In the case of the Adobe breach, notably, the company let its users down by storing their passwords in a relatively insecure manner, according to an analysis of the stolen passwords published by security researcher Jeremi Gosney. He was able to quickly crack the encrypted passwords thanks to "Adobe choosing symmetric key encryption over hashing, selecting ECB [electronic code book cipher] mode, and using the same key for every password, combined with a large number of known plaintexts and the generosity of users who flat-out gave us their password in their password hint."
Of the 130 million stolen passwords, 1.9 million were "123456". All told, 2.75% of Adobe's users had chosen one of the same five passwords, which also included "123456789", "password", "adobe123", and "12345678".
Ideally, security researchers -- and attackers -- wouldn't have been able to take encrypted passwords and reverse-engineer them into real passwords. On that front, Paul Ducklin, head of technology for Sophos in the Asia Pacific region, has taken Adobe to task for the scale of the blunder behind the company's own poor password security practices. "Just like LinkedIn, which last year lost 6.5 million users' passwords, Adobe failed to salt its passwords, and made some other dubious choices that have allowed almost every password to be recovered."
"Bear in mind that salted hashes -- the recommended programmatic approach here -- wouldn't have yielded up any such information, and you appreciate the magnitude of Adobe's blunder," he said.
There's more to concern yourself with, added Ducklin. Adobe also described the customer credit card data and other PII -- personally identifiable information -- that was stolen in the same attack as "encrypted."
On the upside, however, some proactive companies are now mining stolen information to help their users. Facebook, for example, regularly obtains information on repeat-password offenders by watching the work of third-party researchers. "We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time," said Facebook security team member Chris Long via Krebs' site.
"We're proactive about finding sources of compromised passwords on the Internet," he said. "Through practice, we've become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts."
