10/12/2010
05:57 PM

Facebook Introduces Disposable Passwords

Accessing Facebook from a public computer or Internet cafe can now be done more securely.

Moving to enhance online security, Facebook on Tuesday said that it will soon offer users the ability to receive one-time passwords on their mobile phones and that it has already enabled the ability to sign out of Facebook remotely.

"[W]e're launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports," said Facebook product manager Jake Brill in a blog post. "If you have any concerns about security of the computer you're using while accessing Facebook, we can text you a one-time password to use instead of your regular password."

Passwords have long been considered the weak link in computer security, because few people are willing to remember passwords long and complex enough to resist brute-force attacks. Passwords that are too short, or that are based on dictionary words, can generally be defeated by automated guessing.

A survey released on Tuesday by Internet security company Webroot underscores the problems with passwords.

The company found that 47% of Facebook users, among the over 2,500 people surveyed, use their Facebook password for other online sites and 62% of Facebook users never change their passwords. It also found that only 16% of respondents bother to create passwords longer than 10 characters and that 41% of respondents have shared passwords with at least one person over the past year.

Facebook's decision to offer disposable passwords at least provides stronger security for those who want to make the effort. In a few weeks, as part of a gradual roll-out, Facebook users will be able to text "otp" to 32665 on a mobile phone and immediately receive a password that will work one time and will expire in 20 minutes.

This should help ensure that anyone shoulder-surfing while you log in to your Facebook account from a cafe won't be able to see your regular password and later hijack your account.
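The server side of such a scheme is simple to reason about, and the properties the article describes (a code that works once and expires after 20 minutes) are worth seeing enforced in code. The following is an added example, not Facebook's implementation: it issues a code per user, stores only a hash of it, refuses it after expiry, consumes it on first successful use, and discards it after a small number of wrong guesses. The `OtpService` and `FakeClock` names, the 8-character alphabet, the three-guess budget and the in-memory store are all assumptions made for the example; the SMS delivery step is represented by simply returning the code to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 20 * 60      # the 20-minute lifetime the article describes
OTP_LENGTH = 8                 # assumed code length
OTP_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # drops 0/O/1/I/L so the code is easy to retype from an SMS
MAX_ATTEMPTS = 3               # wrong guesses allowed before the code is discarded (assumed policy)


@dataclass
class PendingOtp:
    digest: bytes        # SHA-256 of the code; the plaintext is never kept server-side
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


class OtpService:
    """Issues and checks single-use, time-limited login codes, one live code per user."""

    def __init__(self, clock=time.time):
        self._clock = clock                     # injectable so expiry can be exercised in tests
        self._pending: dict[str, PendingOtp] = {}

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id, replacing any earlier unused one."""
        code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        self._pending[user_id] = PendingOtp(
            digest=_digest(code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code   # stands in for handing the code to the SMS gateway; never log it

    def verify(self, user_id: str, submitted: str) -> bool:
        """Accept the code at most once, only before expiry and within the guess budget."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() >= entry.expires_at:
            del self._pending[user_id]          # expired: discard regardless of the value
            return False
        if hmac.compare_digest(_digest(submitted.strip().upper()), entry.digest):
            del self._pending[user_id]          # consumed: a replay of the same code now fails
            return True
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:
            del self._pending[user_id]          # budget exhausted: the user must request a new code
        return False


class FakeClock:
    """Deterministic clock for demonstrations and tests (not part of a real deployment)."""

    def __init__(self, start: float):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds
```

Two design points matter here. The stored value is a hash compared with `hmac.compare_digest`, so a leaked store or a timing side channel does not reveal a still-valid code. And a successful login deletes the entry before returning, which is what makes the code genuinely single-use even if it was observed while being typed.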

Facebook is also providing users with an overview of recent login activity under the Account Security section of their Account Settings page. This recent login list offers a way to see whether one's account has been accessed from an unexpected location. It also offers the ability to remotely close sessions that one may have forgotten to terminate, such as when one logs into Facebook through a friend's phone.

Facebook is not alone in addressing cloud security concerns. Google provides users with Gmail session activity information and last month added two-step verification to Google Apps Premiere, Government, and Education edition users.
