Facebook is buying stolen passwords from dark web
The company says it wants to protect users, but researchers query its effectiveness
Facebook is buying user passwords from the dark web to protect them from cyber criminals, it has been revealed.
The company has been purchasing the stolen credentials and then matching them up with users on their own system, advising those who are using a compromised password to login that, for their own safety, they should not use duplicate passwords.
"The reuse of passwords is the [number one] cause of harm on the internet," Facebook's chief security officer, Alex Stamos, told attendees at Web Summit in Lisbon. "It turns out that we can build perfectly secure software and yet people can still get hurt."
He said it was staggering to see how many people use the same password for multiple services, despite being aware that if their password is stolen from one place it can be used to login to numerous services. Although it may not be life damaging for someone to log in to a Facebook account using stolen password, it could be more serious if that password is used for online banking or other confidential services.
Javvad Malik, security advocate at AlienVault, said Facebook's strategy could be a risky one and could actually encourag hackers to conduct illegal activity, instead of stopping them.
"The controversial aspect is whether Facebook should have paid for the dump," he said. "The ethical dilemma is that by paying for password dumps, companies are funding and further encouraging criminals to hack other sites for their passwords."
There is another approach, dynamic password banning, which is used by Microsoft. This approach both stops people from using easy to guess and commonly used passwords and protects against password re-use, as those found in leaks such as the LinkedIn breach are then added to the list of banned passwords.
This strategy is notably different to Facebook's, however, in that it uses data freely available on the dark web, rather than buying password dumps, which Malik believes is the better option. "Dynamically banning passwords is needed," he said. "Currently, there is no way to determine at signup whether the password has been reused elsewhere," which means banning passwords at sign up if they exist on these leaked lists, even if they exceed the length and strength requirements of the provider, is more effective.
Jonathan Sander, VP of product strategy at Lieberman Software, meanwhile thinks Facebook's decision to buy-up data dumps could be detrimental to its growth.
"Facebook measures success in large part by the number of users on the site. If they make it hard for people to get started by forcing complex passwords, they add a barrier to people joining and helping to push that key metric up," he said.
"It's a classic struggle between security and usability. Everyone knows you need good security, but how much burden do you put on the user to get it?"