Facebook is buying stolen passwords from dark web

The company says it wants to protect users, but researchers query its effectiveness

Facebook is buying user passwords from the dark web to protect them from cyber criminals, it has been revealed.

The company has been purchasing the stolen credentials and then matching them up with users on their own system, advising those who are using a compromised password to login that, for their own safety, they should not use duplicate passwords.

Advertisement - Article continues below

"The reuse of passwords is the [number one] cause of harm on the internet," Facebook's chief security officer, Alex Stamos, told attendees at Web Summit in Lisbon. "It turns out that we can build perfectly secure software and yet people can still get hurt."

He said it was staggering to see how many people use the same password for multiple services, despite being aware that if their password is stolen from one place it can be used to login to numerous services. Although it may not be life damaging for someone to log in to a Facebook account using stolen password, it could be more serious if that password is used for online banking or other confidential services.

Javvad Malik, security advocate at AlienVault, said Facebook's strategy could be a risky one and could actually encourag hackers to conduct illegal activity, instead of stopping them.

Advertisement
Advertisement - Article continues below

"The controversial aspect is whether Facebook should have paid for the dump," he said. "The ethical dilemma is that by paying for password dumps, companies are funding and further encouraging criminals to hack other sites for their passwords."

Advertisement - Article continues below

There is another approach, dynamic password banning, which is used by Microsoft. This approach both stops people from using easy to guess and commonly used passwords and protects against password re-use, as those found in leaks such as the LinkedIn breach are then added to the list of banned passwords.

This strategy is notably different to Facebook's, however, in that it uses data freely available on the dark web, rather than buying password dumps, which Malik believes is the better option. "Dynamically banning passwords is needed," he said. "Currently, there is no way to determine at signup whether the password has been reused elsewhere," which means banning passwords at sign up if they exist on these leaked lists, even if they exceed the length and strength requirements of the provider, is more effective.

Jonathan Sander, VP of product strategy at Lieberman Software, meanwhile thinks Facebook's decision to buy-up data dumps could be detrimental to its growth.

Advertisement - Article continues below

"Facebook measures success in large part by the number of users on the site. If they make it hard for people to get started by forcing complex passwords, they add a barrier to people joining and helping to push that key metric up," he said.

"It's a classic struggle between security and usability. Everyone knows you need good security, but how much burden do you put on the user to get it?"

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
Visit/security/cyber-security/355368/microsoft-builds-ai-to-detect-security-flaws-with-99-accuracy
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020
Visit/security/vulnerability/355276/businesses-brace-for-second-fujiwhara-effect-of-2020-as-patch-tuesday
vulnerability

Businesses brace for second 'Fujiwhara effect' of 2020 as Patch Tuesday looms

9 Apr 2020

Most Popular

Visit/security/34616/the-top-ten-password-cracking-techniques-used-by-hackers
Security

The top ten password-cracking techniques used by hackers

5 May 2020
Visit/mobile/5g/355712/nokia-5g-speed-record
5G

Nokia breaks 5G record with speeds nearing 5Gbps

20 May 2020
Visit/cloud/cloud-computing/355742/microsoft-launches-public-cloud-service-for-health-care
cloud computing

Microsoft launches public cloud service for health care

21 May 2020