Dark Reading is part of the Informa Tech Division of Informa PLC


Facebook Forces Some Users To Reset Passwords

Facebook is asking users whose passwords might have been exposed on other sites to change their passwords to access the social network.


Score one for the password police: multiple sites, including Facebook, have been forcing users to reset their passwords if they've reused their Facebook password for a site that suffered a data breach.

"Recently, there was a security incident on another website unrelated to Facebook," reads a warning message some users have recently been seeing when they try to access the social network. "Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places.

"To secure your account, you'll need to answer a few questions and change your password. For your protection, no one can see you on Facebook until you finish," the warning adds.


In recent days, sites such as Diapers.com and Soap.com have likewise warned some users that their passwords were reused on a site that recently suffered a breach, and must be reset.

"We actively look for situations where the accounts of people who use Facebook could be at risk -- even if the threat is external to our service," Facebook spokesman Jay Nancarrow told security reporter Brian Krebs. "When we find these situations, we present messages like the [above] to help affected people secure their accounts."

Reached via email, Nancarrow declined to detail the number of users that have seen Facebook's warning message.

The likely data breach victim behind all three sites' recent warning messages is Adobe, which last month warned that 3 million usernames and encrypted passwords had been stolen, and forced all users to reset their passwords. Subsequently, however, the company expanded its estimate of affected Adobe customers to 38 million.

What's the risk? Many people practice horrible password hygiene by reusing their password across multiple sites. Accordingly, if their username and password get stolen, an attacker can reuse those credentials to gain direct access to the person's account on another site.

Given the logistical challenge of maintaining different yet complex passwords for a range of different sites, security experts recommend that people employ a password manager. Not only can such tools keep passwords synchronized across multiple devices, but they can also generate strong, long, random and thus relatively complex and tough-to-crack passwords.

Still, user-selected complexity only goes so far. In the case of the Adobe breach, notably, the company let its users down by storing their passwords in a relatively insecure manner, according to an analysis of the stolen passwords published by security researcher Jeremi Gosney. He was able to quickly crack the "encrypted" passwords "thanks to Adobe choosing symmetric key encryption over hashing, selecting ECB [electronic code book cipher] mode, and using the same key for every password, combined with a large number of known plaintexts and the generosity of users who flat-out gave us their password in their password hint."

Of the 130 million stolen passwords, 1.9 million were "123456." All told, 2.75% of Adobe's users had chosen one of the same five passwords, which also included "123456789," "password," "adobe123," and "12345678."

Ideally, security researchers -- and attackers -- wouldn't have been able to take encrypted passwords and reverse-engineer them into real passwords. On that front, Paul Ducklin, head of technology for Sophos in the Asia Pacific region, has taken Adobe to task for "the scale of the blunder" behind the company's own poor password security practices. Just like LinkedIn, which last year lost 6.5 million users' passwords, Adobe failed to salt its passwords, and made some other dubious choices that have allowed almost every password to be recovered.

"Bear in mind that salted hashes -- the recommended programmatic approach here -- wouldn't have yielded up any such information, and you appreciate the magnitude of Adobe's blunder," he said.

"There's more to concern yourself with," added Ducklin. "Adobe also described the customer credit card data and other PII -- personally identifiable information -- that was stolen in the same attack as 'encrypted.'"

On the upside, however, some proactive companies are now mining stolen information to help their users. Facebook, for example, regularly obtains information on repeat-password offenders by watching the work of third-party researchers. "We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time," said Facebook security team member Chris Long via Krebs' site.

"We're proactive about finding sources of compromised passwords on the Internet," he said. "Through practice, we've become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts."
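The check Long describes, together with the salted hashing Ducklin recommends, can be sketched as follows. This is an added example, not Facebook's code and not part of the original article; it assumes PBKDF2-HMAC-SHA256 as the stored password hash, and the accounts and leaked pairs are constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: kept modest so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash, as stored per account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(store: dict, email: str, password: str) -> None:
    """Create the stored record: a fresh random salt plus the derived hash."""
    salt = os.urandom(16)
    store[email.lower()] = (salt, hash_password(password, salt))


def verify_login(store: dict, email: str, password: str) -> bool:
    """Login-time check: re-derive with the account's salt, compare in constant time."""
    record = store.get(email.lower())
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt), expected)


def accounts_needing_reset(store: dict, leaked_pairs) -> list:
    """Run recovered (email, plaintext) pairs through the same login check and
    return the accounts that the leaked password would still open."""
    flagged = {e.lower() for e, pw in leaked_pairs if verify_login(store, e, pw)}
    return sorted(flagged)


def build_demo_store() -> dict:
    """Constructed accounts; two of them share the same weak password."""
    store = {}
    enroll(store, "alice@example.com", "123456")
    enroll(store, "bob@example.com", "123456")
    enroll(store, "carol@example.com", "correct horse battery staple")
    return store


# Constructed stand-in for plaintexts recovered from another site's breach.
LEAKED = [("alice@example.com", "123456"),
          ("Carol@example.com", "adobe123"),
          ("dave@example.com", "password")]

if __name__ == "__main__":
    demo = build_demo_store()
    print("force reset:", accounts_needing_reset(demo, LEAKED))
    # Same password, different salts: the stored hashes do not match each other.
    print("alice/bob hashes equal:", demo["alice@example.com"][1] == demo["bob@example.com"][1])
```

Because each record has its own salt, the site never needs to store or decrypt a password to run this check, and two users with the same password cannot be grouped by comparing stored values, which is the property the ECB-encrypted Adobe data lacked.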


Comments
PaulS681,
User Rank: Apprentice
11/20/2013 | 8:33:53 PM
Re: Password managers
I don't think we should be writing off biometrics so quickly. I don't think password managers are a better solution. They are a good solution atm because we use passwords. Biometrics need to get better and they won't be in use tomorrow but give them time. Biometrics is the answer to passwords in my opinion.
SpawnAllan,
User Rank: Apprentice
11/20/2013 | 5:38:33 PM
Re: password etiquette
This is exactly what sold me on using a password management software, because of the unique password requirements on various websites. I (like some of the other commenters I've seen here) use RoboForm to store a different password for each website I visit. RoboForm can also integrate with biometric devices like the one mentioned here.
aditshar,
User Rank: Apprentice
11/20/2013 | 4:58:04 AM
Re: passwords are getting old
Considering and bringing a new password system to FB, which holds a high number of users, I don't think it will be an easy task, and biometrics for sure won't work here, and if they bring some OTP kind of service then for sure sign-up will not be free of charge as it is now. There has to be something which does not fetch much from FB's bank account, and other than this I bet 40% of FB users don't even know about the security threat due to a password being stolen or hacked.
TylerS824,
User Rank: Apprentice
11/19/2013 | 3:01:30 PM
Re: Password managers
Looked into RoboForm yesterday after reading the article and your comments.
Looks really simple and like it so far, only thing I don't like is that they don't let you save receipts of online transactions into a file. 
JDC3,
User Rank: Apprentice
11/18/2013 | 4:56:37 PM
Re: Password managers
@Megan - I agree. It looks like a password manager is a better/simpler solution than biometrics. I've been using RoboForm for a few years now as well - nothing but good things to say about it.
MeganCisco,
User Rank: Apprentice
11/18/2013 | 2:33:37 PM
Password managers
More and more sites are getting hacked. It's hard to prevent it but the best advice is to get a password manager to create unique passwords for each website that you use so if one website is hacked they won't be able to use that password on other sites that you login to. I have been using Roboform to do this for me for years and cannot live without it.
Marilyn Cohodas,
User Rank: Strategist
11/18/2013 | 8:33:58 AM
Re: passwords are getting old
Count me in on the "passwords are getting old" camp for all the reasons mentioned by others in this thread. As for biometrics, I think we're going to see a lot more -- and better biometrics -- in use in short order as the technology matures and gets cheaper. Apple's iPhone 5s kerfuffle notwithstanding, its incorporation into a mainstream product speaks volumes. On a personal level, I will happily throw away all the passwords I've jotted on sticky notes (at least those that I can find) and trade in a little privacy for the convenience of a fingerprint reader.
aditshar,
User Rank: Apprentice
11/18/2013 | 6:25:41 AM
Re: passwords are getting old
I agree with Thomas here, biometrics may not help much here, and keeping the cost factor in mind it may absorb a hell of a lot of money. Other than this, one good security practice I see these days is OTP; most of the banks and financial firms use this method as the authentication process for the end user, which seems a little hard to break if your mobile number is updated with the bank.
Thomas Claburn,
User Rank: Ninja
11/17/2013 | 10:34:32 PM
Re: passwords are getting old
I'm not convinced biometrics help that much. What's gained in convenience is lost in privacy. It's not that hard to come up with a strong password that can be remembered. I think it's worth the effort.
Gary_EL,
User Rank: Apprentice
11/17/2013 | 10:08:40 PM
Re: Passwords
I agree, Brian. If someone hacks my facebook account, I will owe explanations to my friends. If someone hacks my bank account, I'll owe explanations to the bank, my creditors, and perhaps even the IRS. It's easy to see what the first priority is.