Vulnerabilities / Threats
11/13/2013
11:23 AM
Connect Directly
RSS
E-Mail
100%
0%

Facebook Forces Some Users To Reset Passwords

Facebook is asking users whose passwords may have been exposed on others sites to change passwords to access the social website.

10 Facebook Features To Help You Get Ahead
10 Facebook Features To Help You Get Ahead
(click image for larger view)
Score one for the password police: multiple sites, including Facebook, have been forcing users to reset their passwords if they've reused their Facebook password for a site that suffered a data breach.

"Recently, there was a security incident on another website unrelated to Facebook," reads a warning message some users have recently been seeing when they try to access the social network. "Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places.

"To secure your account, you'll need to answer a few questions and change your password. For your protection, no one can see you on Facebook until you finish," the warning adds.

[ Who is your biggest security threat? Read Think Hackers Are IT's Biggest Threat? Guess Again. ]

In recent days, sites such as Diapers.com and Soap.com have likewise warned some users that their passwords were reused on a site that recently suffered a breach, and must be reset.

"We actively look for situations where the accounts of people who use Facebook could be at risk -- even if the threat is external to our service," Facebook spokesman Jay Nancarrow told security reporter Brian Krebs. "When we find these situations, we present messages like the [above] to help affected people secure their accounts."

Reached via email, Nancarrow declined to detail the number of users that have seen Facebook's warning message.

The likely data breach victim behind all three sites' recent warning messages is Adobe, which last month warned that 3 million usernames and encrypted passwords had been stolen, and forced all users to reset their passwords. Subsequently, however, the company expanded its estimate of affected Adobe customers to 38 million.

What's the risk? Many people practice horrible password hygiene by reusing their password across multiple sites. Accordingly, if their username and password get stolen, an attacker can reuse those credentials to gain direct access to the person's account on another site.

Given the logistical challenge of maintaining different yet complex passwords for a range of different sites, security experts recommend that people employ a password manager. Not only can such tools keep passwords synchronized across multiple devices, but they can also generate strong, long, random and thus relatively complex and tough-to-crack passwords.

Still, user-selected complexity only goes so far. In the case of the Adobe breach, notably, the company let its users down by storing their passwords in a relatively insecure manner, according to an analysis of the stolen passwords published by security researcher Jeremi Gosney. He was able to quickly crack the "encrypted" passwords "thanks to Adobe choosing symmetric key encryption over hashing, selecting ECB [electronic code book cipher] mode, and using the same key for every password, combined with a large number of known plaintexts and the generosity of users who flat-out gave us their password in their password hint."

Of the 130 million stolen passwords, 1.9 million were "123456." All told, 2.75% of Adobe's users had chosen one of the same five passwords, which also included "123456789," "password," "adobe123," and "12345678."

Ideally, security researchers -- and attackers -- wouldn't have been able to take encrypted passwords and reverse-engineer them into real passwords. On that front, Paul Ducklin, head of technology for Sophos in the Asia Pacific region, has taken Adobe to task for "the scale of the blunder" behind the company's own poor password security practices. Just like LinkedIn, which last year lost 6.5 million users' passwords, Adobe failed to salt its passwords, and made some other dubious choices that have allowed almost every password to be recovered.

"Bear in mind that salted hashes -- the recommended programmatic approach here -- wouldn't have yielded up any such information, and you appreciate the magnitude of Adobe's blunder," he said.

"There's more to concern yourself with," added Ducklin. "Adobe also described the customer credit card data and other PII -- personally identifiable information -- that was stolen in the same attack as 'encrypted.'"

On the upside, however, some proactive companies are now mining stolen information to help their users. Facebook, for example, regularly obtains information on repeat-password offenders by watching the work of third-party researchers. "We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time," said Facebook security team member Chris Long via Krebs' site.

"We're proactive about finding sources of compromised passwords on the Internet," he said. "Through practice, we've become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly22
100%
0%
Kelly22,
User Rank: Apprentice
11/14/2013 | 9:59:33 PM
re: Facebook Forces Some Users To Reset Passwords
After reading this article, and the other recent IW story on the MacRumors hacker, I'll be taking a few tips from this slideshow. I feel like I'm always resetting passwords because I can't remember them all, with each having X amount of capital letters, numbers, and symbols. Thanks for pointing this out!
Mathew
50%
50%
Mathew,
User Rank: Apprentice
11/14/2013 | 5:38:31 PM
re: Facebook Forces Some Users To Reset Passwords
Password safes are a "must have." You can find a product that offers the right sync permutations (PC, Mac, Unix, iOS, Android, online) to always have your passwords, PIN codes and other what-not to hand.
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
11/14/2013 | 3:32:27 PM
re: Facebook Forces Some Users To Reset Passwords
I've got to say, these sites have been very forthcoming with these data breaches - probably because they can point the finger of blame elsewhere - but it's somehow comforting to know they would say something instead of sweeping it under the rug.
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
11/14/2013 | 3:31:31 PM
re: Facebook Forces Some Users To Reset Passwords
Oh thank you! I have been looking for a list like this for a while. At some point, convenience greatly outweighs security. There's a tipping point I've reached where I simply cannot remember another un/pw combo.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
11/13/2013 | 9:22:55 PM
re: Facebook Forces Some Users To Reset Passwords
See our story from May:

http://www.informationweek.com...
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
11/13/2013 | 6:03:26 PM
re: Facebook Forces Some Users To Reset Passwords
So, who uses password managers? Like? Which is best?
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2531
Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.