Vulnerabilities / Threats
11/17/2013
09:06 AM
Connect Directly
RSS
E-Mail
50%
50%

Facebook Forces Some Users To Reset Passwords

Facebook is asking users whose passwords might have been exposed on other sites to change their passwords to access the social network.

10 Facebook Features To Help You Get Ahead
10 Facebook Features To Help You Get Ahead
(click image for larger view)

Score one for the password police: multiple sites, including Facebook, have been forcing users to reset their passwords if they've reused their Facebook password for a site that suffered a data breach.

"Recently, there was a security incident on another website unrelated to Facebook," reads a warning message some users have recently been seeing when they try to access the social network. "Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places.

"To secure your account, you'll need to answer a few questions and change your password. For your protection, no one can see you on Facebook until you finish," the warning adds.

[ Who is your biggest security threat? Read Think Hackers Are IT's Biggest Threat? Guess Again. ]

In recent days, sites such as Diapers.com and Soap.com have likewise warned some users that their passwords were reused on a site that recently suffered a breach, and must be reset.

"We actively look for situations where the accounts of people who use Facebook could be at risk -- even if the threat is external to our service," Facebook spokesman Jay Nancarrow told security reporter Brian Krebs. "When we find these situations, we present messages like the [above] to help affected people secure their accounts."

Reached via email, Nancarrow declined to detail the number of users that have seen Facebook's warning message.

The likely data breach victim behind all three sites' recent warning messages is Adobe, which last month warned that 3 million usernames and encrypted passwords had been stolen, and forced all users to reset their passwords. Subsequently, however, the company expanded its estimate of affected Adobe customers to 38 million.

What's the risk? Many people practice horrible password hygiene by reusing their password across multiple sites. Accordingly, if their username and password get stolen, an attacker can reuse those credentials to gain direct access to the person's account on another site.

Given the logistical challenge of maintaining different yet complex passwords for a range of different sites, security experts recommend that people employ a password manager. Not only can such tools keep passwords synchronized across multiple devices, but they can also generate strong, long, random and thus relatively complex and tough-to-crack passwords.

Still, user-selected complexity only goes so far. In the case of the Adobe breach, notably, the company let its users down by storing their passwords in a relatively insecure manner, according to an analysis of the stolen passwords published by security researcher Jeremi Gosney. He was able to quickly crack the "encrypted" passwords "thanks to Adobe choosing symmetric key encryption over hashing, selecting ECB [electronic code book cipher] mode, and using the same key for every password, combined with a large number of known plaintexts and the generosity of users who flat-out gave us their password in their password hint."

Of the 130 million stolen passwords, 1.9 million were "123456." All told, 2.75% of Adobe's users had chosen one of the same five passwords, which also included "123456789," "password," "adobe123," and "12345678."

Ideally, security researchers -- and attackers -- wouldn't have been able to take encrypted passwords and reverse-engineer them into real passwords. On that front, Paul Ducklin, head of technology for Sophos in the Asia Pacific region, has taken Adobe to task for "the scale of the blunder" behind the company's own poor password security practices. Just like LinkedIn, which last year lost 6.5 million users' passwords, Adobe failed to salt its passwords, and made some other dubious choices that have allowed almost every password to be recovered.

"Bear in mind that salted hashes -- the recommended programmatic approach here -- wouldn't have yielded up any such information, and you appreciate the magnitude of Adobe's blunder," he said.

"There's more to concern yourself with," added Ducklin. "Adobe also described the customer credit card data and other PII -- personally identifiable information -- that was stolen in the same attack as 'encrypted.'"

On the upside, however, some proactive companies are now mining stolen information to help their users. Facebook, for example, regularly obtains information on repeat-password offenders by watching the work of third-party researchers. "We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time," said Facebook security team member Chris Long via Krebs' site.

"We're proactive about finding sources of compromised passwords on the Internet," he said. "Through practice, we've become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts."

Metrics, data classification, governance, compliance -- and your vendors -- are all part of the risk management equation. The The Risky Business Of Managing Risk report offers insight on the many pieces of the risk management puzzle, and how to make it work for your enterprise. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
dblake950
50%
50%
dblake950,
User Rank: Apprentice
11/17/2013 | 11:12:58 AM
Passwords
It's good that Facebook is being proactive, but judging by the increasingly regular announcements of massive breaches and easily cracked personal identifiers, the entire user password concept seems to be obsolete. Telling folks to install software to manage access to software seems the perfect indicator that things have gotten out of hand. What I'd really love to see is a company like Facebook driving the next great leap in personal digital identification--biometrics, voice activation--something requiring less drudgery on the part of the user. 
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
11/17/2013 | 2:04:27 PM
Re: Passwords
Yes and the technology behind biometrics etc has existed since quite some time, but I feel that before a platform like facebook makes biometric identification standard, banks and portals will have to take the lead, reason being that since not every computer is equip to handle biometric identification hence a social platform will want to maximize its user base and keep passwords as an option as well. Since 1.9 million people are using "123456" as their password, I guess 500 million people might just use passwords even if their computers and phones support biometrics.
Shane M. O'Neill
50%
50%
Shane M. O'Neill,
User Rank: Apprentice
11/17/2013 | 3:56:31 PM
passwords are getting old
Hopefully, big companies will learn from Adobe's epic fail. Facebook is wisely being proactive about password protection. It must with such a massive user base. But the use of passwords in general is getting dated and insecure fast. It's time for a breakthrough in fingerprint recognition, voice recognition and other biometrics to identify users.
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
11/17/2013 | 7:00:14 PM
password etiquette
I can see why people use the same password across multiple sites. There are just so many to keep track of. It's to bad that companies are so careless with their data and breaches take place. It has become expected today. As users need to be more secure and use different secure passwords businesses need to up their game as well.
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
11/17/2013 | 7:06:33 PM
Re: passwords are getting old
@Shane... Great point. Passwords are getting old and some kind of biometrics is sorely needed. First we need to get fingerprint readers more commonplace whether they are hardware or software. Yes they are out there but they need to be standard.
Gary_EL
50%
50%
Gary_EL,
User Rank: Apprentice
11/17/2013 | 10:05:20 PM
Good example
Kudos to Facebook for protecting its users from errors made by other organizations. This is an exceptional example of great corporate citizenship.
Gary_EL
50%
50%
Gary_EL,
User Rank: Apprentice
11/17/2013 | 10:08:40 PM
Re: Passwords
I agree, Brian. If someone hacks my facebook account, I will owe explanations to my friends. If someone hacks my bank account, I'll owe explanations to the bank, my creditors, and perhaps even the IRS. It's easy to see what the first priority is.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
11/17/2013 | 10:34:32 PM
Re: passwords are getting old
I'm not convinced biometrics help that much. What's gained in convenience is lost in privacy. It's not that hard to come up with a strong password that can be remembered. I think it's worth the effort.
aditshar
50%
50%
aditshar,
User Rank: Apprentice
11/18/2013 | 6:25:41 AM
Re: passwords are getting old
I agree with Thomas here, biometrics may not help much here and keeping cost factor in mind it may absorb hell lot of money, other than this one good security practise i see these days is OTP, most of the banks and financial firms use this method as authentication process for end user which seems little hard to break if your mobile number is updated with bank.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/18/2013 | 8:33:58 AM
Re: passwords are getting old
Count me in  on the "passwords are getting old" camp for all the reasons mentioned by others in this thread. As for biometrics, I think we're going to see a lot more -- and better biometrics -- in use in short order as the technology matures and gets cheaper. Apples iPhone5s kerfuffle notwithstandig, its incorporation into a mainstream product speaks volumes. On a personal level, I will happily throw away all the passwords I've jotted on sticky notes, (at least those that I can find) and trade in a little privacy for the convenience of a fingerprint reader. 
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.