Facebook is buying stolen passwords from dark web

The company says it wants to protect users, but researchers query its effectiveness

Facebook is buying user passwords from the dark web to protect them from cyber criminals, it has been revealed.

The company has been purchasing the stolen credentials and then matching them up with users on their own system, advising those who are using a compromised password to login that, for their own safety, they should not use duplicate passwords.

"The reuse of passwords is the [number one] cause of harm on the internet," Facebook's chief security officer, Alex Stamos, told attendees at Web Summit in Lisbon. "It turns out that we can build perfectly secure software and yet people can still get hurt."

He said it was staggering to see how many people use the same password for multiple services, despite being aware that if their password is stolen from one place it can be used to login to numerous services. Although it may not be life damaging for someone to log in to a Facebook account using stolen password, it could be more serious if that password is used for online banking or other confidential services.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Javvad Malik, security advocate at AlienVault, said Facebook's strategy could be a risky one and could actually encourag hackers to conduct illegal activity, instead of stopping them.

"The controversial aspect is whether Facebook should have paid for the dump," he said. "The ethical dilemma is that by paying for password dumps, companies are funding and further encouraging criminals to hack other sites for their passwords."

There is another approach, dynamic password banning, which is used by Microsoft. This approach both stops people from using easy to guess and commonly used passwords and protects against password re-use, as those found in leaks such as the LinkedIn breach are then added to the list of banned passwords.

This strategy is notably different to Facebook's, however, in that it uses data freely available on the dark web, rather than buying password dumps, which Malik believes is the better option. "Dynamically banning passwords is needed," he said. "Currently, there is no way to determine at signup whether the password has been reused elsewhere," which means banning passwords at sign up if they exist on these leaked lists, even if they exceed the length and strength requirements of the provider, is more effective.

Jonathan Sander, VP of product strategy at Lieberman Software, meanwhile thinks Facebook's decision to buy-up data dumps could be detrimental to its growth.

"Facebook measures success in large part by the number of users on the site. If they make it hard for people to get started by forcing complex passwords, they add a barrier to people joining and helping to push that key metric up," he said.

Advertisement - Article continues below

"It's a classic struggle between security and usability. Everyone knows you need good security, but how much burden do you put on the user to get it?"

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354577/data-protection-fines-hit-ps100m
General Data Protection Regulation (GDPR)

Data protection fines hit £100m during first 18 months of GDPR

20 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020