Facebook’s chief security officer Alex Stamos disclosed at the Web Summit in Lisbon that Facebook buys stolen passwords from hackers selling them on dark web marketplaces and cross-references them against the encrypted passwords already in use on the site. He added that despite the process being “computationally heavy”, Facebook has been able to alert millions of users to reset their vulnerable passwords to a stronger alternative, effectively protecting those users’ accounts and data. IT security experts from Prevoty, VASCO Data Security, Synopsys, Redscan, AlienVault and Lieberman Software commented below.
Kunal Anand, Co-Founder and CTO at Prevoty:
“This is a smart move and a continuation of Facebook trying to protect its users on and off the social network. Most people re-use passwords across multiple accounts and with Facebook buying stolen passwords, the social network can help reduce risk for individuals. It helps buy user trust (people will associate Facebook with being the “good person”) and helps reduce customer service/security associated costs down the road.”
John Gunn, Vice President at VASCO Data Security:
“This episode further underscores the undeniable weaknesses of 30-year-old password technology and the urgent need to move to multi-factor authentication, which provides far greater security and ease of use for consumers.
Some may argue that paying to purchase stolen passwords will only encourage more hacking attacks just as paying ransom provides incentives for additional ransomware attacks. The truth is that the attacks are going to happen regardless and the incentive for hackers already exists. Any action that enhances protection hurts criminal hackers and makes their attacks less effective.”
Mike Ahmadi, CISSP, Global Director – Critical Systems Security at Synopsys:
“This leads me to a philosophical thought process. It is similar to buying black market weapons to defend a noble cause, but the weapons can also be used in non-noble ways. It then comes down to your faith in those that acquire the “weapons”. Consequently, if the intent is noble, then does this create a potential environment that justifies password theft? If the thieves only sell to organizations that have noble intent, do they become some sort of modern day Robin Hood? This then begs the question, what if the sensitive information is not stolen, but acquired through legitimate research, such as what we engage in? Does selling that information to a third party with the intention to improve security constitute a breach of ethics?”
Robert Page, Lead Penetration Tester at Redscan:
“The practice of purchasing stolen passwords raises some important ethical questions. By going to extended lengths to protect its own users, Facebook inadvertently puts the wider online community at risk by subsidising hackers to commit further crimes. Educating users about the importance of good cyber hygiene would likely be a better way of addressing the problem of common password use.”
Javvad Malik, Security Advocate at AlienVault:
“We’ve seen some traction in this space, most notably with Microsoft dynamically banning passwords of users that have been compromised in other breaches. The approach makes sense. We know users tend to reuse passwords, so if another account belonging to a user has been compromised, it would be best to prevent that password being used for that user elsewhere. As such, the approach is good. However, the controversial aspect is whether Facebook should have paid for the dump. The ethical dilemma is that by paying for password dumps, companies are funding, and further encouraging, criminals to hack other sites for their passwords.
A user may have a very strong password that meets or even exceeds the requirements at sign up. But if it is reused and hacked from elsewhere, that’s where the weakness is introduced and hence why dynamically banning passwords is needed. Currently, there is no way to determine at signup whether the password has been reused elsewhere.
Password reuse is one of the biggest issues, and it’s a tough one to overcome. The use of password managers can greatly help. Also, users should take advantage of two-step authentication where it’s available.”
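The two checks discussed above, the offline cross-reference of a leaked dump against a site's own stored password hashes (the article's opening paragraph) and the sign-up-time block on known-compromised passwords (Javvad Malik's comment), as an added example that is not Facebook's, Microsoft's or any of the quoted companies' code. It assumes a site that stores PBKDF2-SHA256 hashes with a per-user random salt; the user records, the leaked password list and the iteration count are all constructed for the demo and are not real data.

```python
import hashlib
import hmac
import os

# Assumption: iteration count kept low so the demo runs in well under a second.
# A real deployment uses a far higher count, which is exactly what makes the
# cross-reference below "computationally heavy".
ITERATIONS = 1000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Site-side password hash: PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(username: str, password: str) -> dict:
    """Build a constructed user record the way a sign-up flow would store it."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user table: alice and carol reuse passwords that appear in the
# constructed leaked dump below; bob's password is unique to this site.
USERS = [
    make_user("alice", "Summer2016!"),
    make_user("bob", "q7#Vb!9zLp2^wRt"),
    make_user("carol", "password123"),
]

# Constructed stand-in for a parsed dump: plaintext passwords leaked from
# some other site. Only the password column matters for the check.
LEAKED_PASSWORDS = ["Summer2016!", "password123", "letmein"]


def find_reused(users: list, leaked_passwords: list) -> dict:
    """Offline cross-reference of a leaked dump against stored hashes.

    Because every user has a distinct salt, the dump cannot be hashed once and
    looked up; each leaked password must be re-hashed under each user's salt.
    Worst-case cost is len(users) * len(leaked_passwords) PBKDF2 runs, which is
    why the process is expensive at scale. Returns the usernames that should be
    forced through a password reset, plus the number of hashes computed.
    """
    flagged = []
    hashes_computed = 0
    for user in users:
        for candidate in leaked_passwords:
            hashes_computed += 1
            digest = hash_password(candidate, user["salt"])
            # Constant-time comparison, same as a normal login check.
            if hmac.compare_digest(digest, user["hash"]):
                flagged.append(user["username"])
                break  # one match is enough to require a reset
    return {"flagged": flagged, "hashes_computed": hashes_computed}


def screen_new_password(candidate: str, leaked_set: set) -> bool:
    """Sign-up-time check: reject a candidate already known to be compromised.

    This needs only a plaintext set lookup, because at sign-up the site still
    holds the plaintext; no per-user re-hashing is required.
    """
    return candidate not in leaked_set


if __name__ == "__main__":
    result = find_reused(USERS, LEAKED_PASSWORDS)
    print("accounts needing a forced reset:", result["flagged"])
    print("PBKDF2 runs performed:", result["hashes_computed"])
    leaked = set(LEAKED_PASSWORDS)
    print("allow 'letmein' at sign-up?", screen_new_password("letmein", leaked))
    print("allow a unique password at sign-up?", screen_new_password("q7#Vb!9zLp2^wRt", leaked))
```

The offline check is the part worth noticing: per-user salts, which are essential against precomputed rainbow tables, are also what forces a full re-hash of the dump for every account, so the work grows with both the user base and the dump size. The sign-up screen has no such cost, which is why dynamically banning known-compromised passwords is cheap to add even where the offline sweep is not.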
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Facebook is buying passwords on the dark Web to prove what everyone suspects – that users are using their passwords on more than one site. With a list of passwords stolen from the rest of the web, Facebook can check their own users’ passwords to see if anyone is using a password stolen from some other Internet site as their Facebook password as well. As Facebook looks to diversify their business and include more e-commerce and other features that ask users to rely on them for security, they will need ways to convince users that they shouldn’t just think of their Facebook password as protecting their pictures and snarky comments. Everyone knows most people take a lazy approach to most passwords and perhaps Facebook feels their new tactic lets them do the harder work to help get their users to contribute to their own protection with better password choices.
Facebook measures success in large part by the number of users on the site. If they make it hard for people to get started by forcing complex passwords, they add a barrier to people joining and helping to push that key metric up. It’s a classic struggle between security and usability. Everyone knows you need good security, but how much burden do you put on the user to get it? This purchase of dark web lists of stolen passwords is likely the security folks who lost the fight to apply more controls at sign up trying to find creative ways to improve security once the user is already on and using the service.”