Risk
10/12/2010
05:57 PM

Facebook Introduces Disposable Passwords

Accessing Facebook from a public computer or Internet cafe can now be done more securely.

Moving to enhance online security, Facebook on Tuesday said that it will soon offer users the ability to receive one-time passwords on their mobile phones and that it has already enabled the ability to sign out of Facebook remotely.

"[W]e're launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports," said Facebook product manager Jake Brill in a blog post. "If you have any concerns about security of the computer you're using while accessing Facebook, we can text you a one-time password to use instead of your regular password."

Passwords have long been considered the weak link in computer security, due to widespread unwillingness to remember passwords that are long enough and complicated enough to defy brute force attacks. Passwords that are too short or are based on words in dictionaries can generally be defeated by automated guessing attacks.

A survey released on Tuesday by Internet security company Webroot underscores the problems with passwords.

The company found that 47% of Facebook users, among the over 2,500 people surveyed, use their Facebook password for other online sites and 62% of Facebook users never change their passwords. It also found that only 16% of respondents bother to create passwords longer than 10 characters and that 41% of respondents have shared passwords with at least one person over the past year.

Facebook's decision to offer disposable passwords at least provides stronger security for those who want to make the effort. In a few weeks, as part of a gradual roll-out, Facebook users will be able to text "otp" to 32665 on a mobile phone and immediately receive a password that will work one time and will expire in 20 minutes.

This should help ensure that anyone shoulder-surfing while you log in to your Facebook account from a cafe won't be able to spy your regular password and later hijack your account.
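The server side of the scheme described above, written here as an added example rather than Facebook's own implementation, comes down to three properties: the code is random, it is accepted once, and it is rejected after 20 minutes. The class below keeps only an HMAC of each pending code, injects the clock so expiry is testable, and voids a code after a handful of wrong guesses so that a short numeric code cannot be brute-forced online. The 8-digit length, the attempt limit, the `OneTimePasswordStore` name and the in-memory table are all assumptions of this example; only the 20-minute lifetime and single use come from the article.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 20 * 60   # from the article: a code works once and expires in 20 minutes
OTP_DIGITS = 8              # assumption: code length (the article does not state one)
MAX_ATTEMPTS = 5            # assumption: wrong guesses tolerated before the code is voided


class OneTimePasswordStore:
    """Server-side record of pending one-time passwords (example code).

    Only an HMAC of each code is stored, so a copy of this table does not
    reveal live codes. `now` is injectable so expiry can be tested without
    sleeping.
    """

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now
        # user_id -> [digest, expires_at, attempts_left]
        self._pending = {}

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for the user; this is the value that would be
        texted back to the phone. Any earlier pending code is discarded."""
        # Uniform digits from the CSPRNG, never from random.random()
        code = "".join(str(secrets.randbelow(10)) for _ in range(OTP_DIGITS))
        expires_at = self._now() + OTP_TTL_SECONDS
        self._pending[user_id] = [self._digest(code), expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, user_id: str, code: str) -> bool:
        """Accept the code at most once, and only inside its 20-minute window."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[user_id]      # expired: discard regardless of the guess
            return False
        # Constant-time comparison of HMACs, so timing does not leak digits
        if hmac.compare_digest(digest, self._digest(code)):
            del self._pending[user_id]      # consumed: replaying the same code fails
            return True
        entry[2] = attempts_left - 1        # wrong guess: count it...
        if entry[2] <= 0:
            del self._pending[user_id]      # ...and void the code after too many
        return False


if __name__ == "__main__":
    store = OneTimePasswordStore(b"constructed-server-key")
    code = store.issue("alice")
    print("first use accepted:", store.verify("alice", code))
    print("replay accepted:", store.verify("alice", code))
```

In a real deployment the code is delivered out of band (by SMS, as in the article) and must never be written to logs; the login handler should also invalidate the pending code when the user completes a normal password login, so a leaked code cannot be used later.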

Facebook is also providing users with an overview of recent login activity under the Account Security section of their Account Settings page. This recent login list offers a way to see whether one's account has been accessed from an unexpected location. It also offers the ability to remotely close sessions that one may have forgotten to terminate, such as when one logs into Facebook through a friend's phone.
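The recent-login list and remote sign-out described above can be modelled as a small session registry. The example below is added here and is not Facebook's code: it records device and location per login, lists a user's sessions newest first, lets only the owner end one of them, and offers an "end all other sessions" operation for the case of a forgotten login on someone else's phone. The `SessionRegistry` name, the in-memory dictionaries and the separate short session id (so the activity page never displays the bearer token itself) are design choices of this example.

```python
import secrets
import time


class SessionRegistry:
    """In-memory registry of a user's logins (example code, not a product API).

    Bearer tokens authenticate requests; short session ids are what the
    activity page shows, so the page never exposes the token itself.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._by_id = {}      # session_id -> record
        self._by_token = {}   # bearer token -> session_id

    def login(self, user_id: str, device: str, location: str) -> str:
        token = secrets.token_urlsafe(32)        # 256 random bits from the CSPRNG
        session_id = secrets.token_hex(4)
        while session_id in self._by_id:         # short id only needs to be unique
            session_id = secrets.token_hex(4)
        self._by_id[session_id] = {
            "user": user_id, "device": device, "location": location,
            "started": self._now(), "last_seen": self._now(), "active": True,
        }
        self._by_token[token] = session_id
        return token

    def touch(self, token: str) -> bool:
        """Called on every request: True only while the session is still active."""
        rec = self._by_id.get(self._by_token.get(token))
        if rec is None or not rec["active"]:
            return False
        rec["last_seen"] = self._now()
        return True

    def recent_activity(self, user_id: str) -> list:
        """What an Account Security page would show: the user's logins, newest first."""
        rows = [
            {"id": sid, "device": r["device"], "location": r["location"],
             "started": r["started"], "active": r["active"]}
            for sid, r in self._by_id.items() if r["user"] == user_id
        ]
        return sorted(rows, key=lambda r: r["started"], reverse=True)

    def end_session(self, user_id: str, session_id: str) -> bool:
        """Remote sign-out of one session. Only its owner may end it."""
        rec = self._by_id.get(session_id)
        if rec is None or rec["user"] != user_id or not rec["active"]:
            return False
        rec["active"] = False
        return True

    def end_other_sessions(self, user_id: str, current_token: str) -> int:
        """End every active session of the user except the one making the call."""
        keep = self._by_token.get(current_token)
        ended = 0
        for sid, rec in self._by_id.items():
            if rec["user"] == user_id and rec["active"] and sid != keep:
                rec["active"] = False
                ended += 1
        return ended


if __name__ == "__main__":
    reg = SessionRegistry()
    laptop = reg.login("alice", "home laptop", "Boston, US")
    phone = reg.login("alice", "friend's phone", "Chicago, US")
    for row in reg.recent_activity("alice"):
        print(row["id"], row["device"], row["location"], "active" if row["active"] else "ended")
    print("ended from laptop:", reg.end_other_sessions("alice", laptop))
    print("phone still valid:", reg.touch(phone))
```

Because `touch` is consulted on every request, a session ended from the activity page stops working immediately rather than at the next token refresh; the ownership check in `end_session` is what prevents one account from terminating another's logins by guessing session ids.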

Facebook is not alone in addressing cloud security concerns. Google provides users with Gmail session activity information and last month added two-step verification to Google Apps Premiere, Government, and Education edition users.
