"[W]e're launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports," said Facebook product manager Jake Brill in a blog post. "If you have any concerns about security of the computer you're using while accessing Facebook, we can text you a one-time password to use instead of your regular password."
Passwords have long been considered the weak link in computer security, due to widespread disinterest in trying to remember passwords that are long enough and complicated enough to defy brute force attacks. Passwords that are too short or are based on words in dictionaries can generally be defeated by automated guessing attacks.
A survey released on Tuesday by Internet security company Webroot underscores the problems with passwords.
The company found that 47% of Facebook users, among the over 2,500 people surveyed, use their Facebook password for other online sites and 62% of Facebook users never change their passwords. It also found that only 16% of respondents bother to create passwords longer than 10 characters and that 41% of respondents have shared passwords with at least one person over the past year.
Facebook's decision to offer disposable passwords at least provides stronger security for those who want to make the effort. In a few weeks, as part of a gradual roll-out, Facebook users will be able to text "otp" to 32665 on a mobile phone and immediately receive a password that will work one time and will expire in 20 minutes.
This should help ensure that anyone shoulder-surfing while you log in to your Facebook account from a cafe won't be able spy your regular password and later hijack your account.
Facebook is also providing users with an overview of recent login activity under the Account Security section of their Account Settings page. This recent login list offers a way to see whether one's account has been accessed from an unexpected location. It also offers the ability to remotely close sessions that one may have forgotten to terminate, such as when one logs into Facebook through a friend's phone.
Facebook is not alone in addressing cloud security concerns. Google provides users with Gmail session activity information and last month added two-step verification to Google Apps Premiere, Government, and Education edition users.