11/13/2013
11:23 AM

Facebook Forces Some Users To Reset Passwords

Facebook is asking users whose passwords may have been exposed on other sites to change passwords to access the social website.

Score one for the password police: multiple sites, including Facebook, have been forcing users to reset their passwords if they've reused their Facebook password for a site that suffered a data breach.

"Recently, there was a security incident on another website unrelated to Facebook," reads a warning message some users have recently been seeing when they try to access the social network. "Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places.

"To secure your account, you'll need to answer a few questions and change your password. For your protection, no one can see you on Facebook until you finish," the warning adds.


In recent days, sites such as Diapers.com and Soap.com have likewise warned some users that their passwords were reused on a site that recently suffered a breach, and must be reset.

"We actively look for situations where the accounts of people who use Facebook could be at risk -- even if the threat is external to our service," Facebook spokesman Jay Nancarrow told security reporter Brian Krebs. "When we find these situations, we present messages like the [above] to help affected people secure their accounts."

Reached via email, Nancarrow declined to detail the number of users that have seen Facebook's warning message.

The likely data breach victim behind all three sites' recent warning messages is Adobe, which last month warned that 3 million usernames and encrypted passwords had been stolen, and forced all users to reset their passwords. Subsequently, however, the company expanded its estimate of affected Adobe customers to 38 million.

What's the risk? Many people practice horrible password hygiene by reusing their password across multiple sites. Accordingly, if their username and password get stolen, an attacker can reuse those credentials to gain direct access to the person's account on another site.

Given the logistical challenge of maintaining different yet complex passwords for a range of different sites, security experts recommend that people employ a password manager. Not only can such tools keep passwords synchronized across multiple devices, but they can also generate strong, long, random and thus relatively complex and tough-to-crack passwords.

Still, user-selected complexity only goes so far. In the case of the Adobe breach, notably, the company let its users down by storing their passwords in a relatively insecure manner, according to an analysis of the stolen passwords published by security researcher Jeremi Gosney. He was able to quickly crack the "encrypted" passwords "thanks to Adobe choosing symmetric key encryption over hashing, selecting ECB [electronic code book cipher] mode, and using the same key for every password, combined with a large number of known plaintexts and the generosity of users who flat-out gave us their password in their password hint."

Of the 130 million stolen passwords, 1.9 million were "123456." All told, 2.75% of Adobe's users had chosen one of the same five passwords, which also included "123456789," "password," "adobe123," and "12345678."

Ideally, security researchers -- and attackers -- wouldn't have been able to take encrypted passwords and reverse-engineer them into real passwords. On that front, Paul Ducklin, head of technology for Sophos in the Asia Pacific region, has taken Adobe to task for "the scale of the blunder" behind the company's own poor password security practices. Just like LinkedIn, which last year lost 6.5 million users' passwords, Adobe failed to salt its passwords, and made some other dubious choices that have allowed almost every password to be recovered.

"Bear in mind that salted hashes -- the recommended programmatic approach here -- wouldn't have yielded up any such information, and you appreciate the magnitude of Adobe's blunder," he said.

"There's more to concern yourself with," added Ducklin. "Adobe also described the customer credit card data and other PII -- personally identifiable information -- that was stolen in the same attack as 'encrypted.'"

On the upside, however, some proactive companies are now mining stolen information to help their users. Facebook, for example, regularly obtains information on repeat-password offenders by watching the work of third-party researchers. "We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time," said Facebook security team member Chris Long via Krebs' site.

"We're proactive about finding sources of compromised passwords on the Internet," he said. "Through practice, we've become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts."

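Added example (not Facebook's or Adobe's code): a sketch of the two ideas above, the salted hashing Ducklin recommends and the check Long describes, in which plaintexts recovered from another site's breach are run through a site's own login-time verifier. The function names, the PBKDF2 parameters, matching accounts by e-mail address and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # demo cost for PBKDF2-HMAC-SHA256; tune upward for production

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn per stored password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Login-time check: re-derive with the stored salt, compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def accounts_to_reset(leak, user_db):
    """Run recovered plaintexts from someone else's breach through our own
    verifier. Only accounts where the leaked password still works are flagged."""
    flagged = []
    for email, leaked_password in leak:
        record = user_db.get(email.strip().lower())
        if record and verify_password(leaked_password, *record):
            flagged.append(email.strip().lower())
    return flagged

# Constructed sample data: our site's credential store (e-mail -> (salt, digest)).
USER_DB = {
    "alice@example.com": hash_password("adobe123"),
    "bob@example.com": hash_password("adobe123"),   # same password as alice
    "carol@example.com": hash_password("v9!Lq#2mTz-unique"),
}
# Constructed sample of (e-mail, plaintext) pairs recovered from the other site.
LEAK = [
    ("Alice@Example.com", "adobe123"),   # reused here -> must reset
    ("carol@example.com", "123456"),     # different password here -> untouched
    ("dave@example.com", "password"),    # no account on our site
]

def same_password_looks_identical(db, a, b):
    """With per-user salts this is False even when a and b chose the same password."""
    return db[a][1] == db[b][1]

if __name__ == "__main__":
    print("force reset:", accounts_to_reset(LEAK, USER_DB))
    print("alice/bob records match:",
          same_password_looks_identical(USER_DB, "alice@example.com", "bob@example.com"))
```

Bob shares Alice's password but is absent from the constructed leak, so he is not flagged, and the salted records give no way to link his entry to hers. Under the single-key ECB scheme the article describes, their stored values would have been identical.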
Comments
Kelly22,
User Rank: Apprentice
11/14/2013 | 9:59:33 PM
re: Facebook Forces Some Users To Reset Passwords
After reading this article, and the other recent IW story on the MacRumors hacker, I'll be taking a few tips from this slideshow. I feel like I'm always resetting passwords because I can't remember them all, with each having X amount of capital letters, numbers, and symbols. Thanks for pointing this out!
Mathew,
User Rank: Apprentice
11/14/2013 | 5:38:31 PM
re: Facebook Forces Some Users To Reset Passwords
Password safes are a "must have." You can find a product that offers the right sync permutations (PC, Mac, Unix, iOS, Android, online) to always have your passwords, PIN codes and other what-not to hand.
Becca Lipman,
User Rank: Apprentice
11/14/2013 | 3:32:27 PM
re: Facebook Forces Some Users To Reset Passwords
I've got to say, these sites have been very forthcoming with these data breaches - probably because they can point the finger of blame elsewhere - but it's somehow comforting to know they would say something instead of sweeping it under the rug.
Becca Lipman,
User Rank: Apprentice
11/14/2013 | 3:31:31 PM
re: Facebook Forces Some Users To Reset Passwords
Oh thank you! I have been looking for a list like this for a while. At some point, convenience greatly outweighs security. There's a tipping point I've reached where I simply cannot remember another un/pw combo.
Thomas Claburn,
User Rank: Strategist
11/13/2013 | 9:22:55 PM
re: Facebook Forces Some Users To Reset Passwords
See our story from May:

http://www.informationweek.com...
OtherJimDonahue,
User Rank: Apprentice
11/13/2013 | 6:03:26 PM
re: Facebook Forces Some Users To Reset Passwords
So, who uses password managers? Like? Which is best?