Facebook is buying stolen passwords from dark web

The company says it wants to protect users, but researchers query its effectiveness

Facebook is buying user passwords from the dark web to protect them from cyber criminals, it has been revealed.

The company has been purchasing the stolen credentials and then matching them up with users on their own system, advising those who are using a compromised password to login that, for their own safety, they should not use duplicate passwords.

"The reuse of passwords is the [number one] cause of harm on the internet," Facebook's chief security officer, Alex Stamos, told attendees at Web Summit in Lisbon. "It turns out that we can build perfectly secure software and yet people can still get hurt."

He said it was staggering to see how many people use the same password for multiple services, despite being aware that if their password is stolen from one place it can be used to login to numerous services. Although it may not be life damaging for someone to log in to a Facebook account using stolen password, it could be more serious if that password is used for online banking or other confidential services.

Advertisement
Advertisement - Article continues below

Javvad Malik, security advocate at AlienVault, said Facebook's strategy could be a risky one and could actually encourag hackers to conduct illegal activity, instead of stopping them.

"The controversial aspect is whether Facebook should have paid for the dump," he said. "The ethical dilemma is that by paying for password dumps, companies are funding and further encouraging criminals to hack other sites for their passwords."

There is another approach, dynamic password banning, which is used by Microsoft. This approach both stops people from using easy to guess and commonly used passwords and protects against password re-use, as those found in leaks such as the LinkedIn breach are then added to the list of banned passwords.

This strategy is notably different to Facebook's, however, in that it uses data freely available on the dark web, rather than buying password dumps, which Malik believes is the better option. "Dynamically banning passwords is needed," he said. "Currently, there is no way to determine at signup whether the password has been reused elsewhere," which means banning passwords at sign up if they exist on these leaked lists, even if they exceed the length and strength requirements of the provider, is more effective.

Jonathan Sander, VP of product strategy at Lieberman Software, meanwhile thinks Facebook's decision to buy-up data dumps could be detrimental to its growth.

"Facebook measures success in large part by the number of users on the site. If they make it hard for people to get started by forcing complex passwords, they add a barrier to people joining and helping to push that key metric up," he said.

"It's a classic struggle between security and usability. Everyone knows you need good security, but how much burden do you put on the user to get it?"

Advertisement
Related Resources

Application security fallacies and realities

Web application attacks are the most common vulnerability, so what is the truth about application security?

Download now

Your first step researching Managed File Transfer

Advice and expertise on researching the right MFT solution for your business

Download now

The KPIs you should be measuring

How MSPs can measure performance and evaluate their relationships with clients

Download now

Life in the digital workspace

A guide to technology and the changing concept of workspace

Download now

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

4 Nov 2019
Visit/strategy/28115/the-pros-and-cons-of-net-neutrality
Business strategy

The pros and cons of net neutrality

4 Nov 2019
Visit/domain-name-system-dns/34842/microsoft-embraces-dns-over-https-to-secure-the-web
Domain Name System (DNS)

Microsoft embraces DNS over HTTPS to secure the web

19 Nov 2019
Visit/social-media/34844/can-wikipedia-founders-social-network-really-challenge-facebook
social media

Can Wikipedia founder's social network really challenge Facebook?

19 Nov 2019