05:57 PM
Connect Directly

Facebook Introduces Disposable Passwords

Accessing Facebook from a public computer or Internet cafe can now be done more securely.

Moving to enhance online security, Facebook on Tuesday said that it will soon offer users the ability to receive one-time passwords on their mobile phones and that it has already enabled the ability to sign out of Facebook remotely.

"[W]e're launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports," said Facebook product manager Jake Brill in a blog post. "If you have any concerns about security of the computer you're using while accessing Facebook, we can text you a one-time password to use instead of your regular password."

Passwords have long been considered the weak link in computer security, due to widespread disinterest in trying to remember passwords that are long enough and complicated enough to defy brute force attacks. Passwords that are too short or are based on words in dictionaries can generally be defeated by automated guessing attacks.

A survey released on Tuesday by Internet security company Webroot underscores the problems with passwords.

The company found that 47% of Facebook users, among the over 2,500 people surveyed, use their Facebook password for other online sites and 62% of Facebook users never change their passwords. It also found that only 16% of respondents bother to create passwords longer than 10 characters and that 41% of respondents have shared passwords with at least one person over the past year.

Facebook's decision to offer disposable passwords at least provides stronger security for those who want to make the effort. In a few weeks, as part of a gradual roll-out, Facebook users will be able to text "otp" to 32665 on a mobile phone and immediately receive a password that will work one time and will expire in 20 minutes.

This should help ensure that anyone shoulder-surfing while you log in to your Facebook account from a cafe won't be able spy your regular password and later hijack your account.

Facebook is also providing users with an overview of recent login activity under the Account Security section of their Account Settings page. This recent login list offers a way to see whether one's account has been accessed from an unexpected location. It also offers the ability to remotely close sessions that one may have forgotten to terminate, such as when one logs into Facebook through a friend's phone.

Facebook is not alone in addressing cloud security concerns. Google provides users with Gmail session activity information and last month added two-step verification to Google Apps Premiere, Government, and Education edition users.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.