Facebook is buying stolen passwords from dark web

The company says it wants to protect users, but researchers query its effectiveness

Facebook is buying user passwords from the dark web to protect them from cyber criminals, it has been revealed.

The company has been purchasing the stolen credentials and then matching them up with users on their own system, advising those who are using a compromised password to login that, for their own safety, they should not use duplicate passwords.

Advertisement - Article continues below

"The reuse of passwords is the [number one] cause of harm on the internet," Facebook's chief security officer, Alex Stamos, told attendees at Web Summit in Lisbon. "It turns out that we can build perfectly secure software and yet people can still get hurt."

He said it was staggering to see how many people use the same password for multiple services, despite being aware that if their password is stolen from one place it can be used to login to numerous services. Although it may not be life damaging for someone to log in to a Facebook account using stolen password, it could be more serious if that password is used for online banking or other confidential services.

Javvad Malik, security advocate at AlienVault, said Facebook's strategy could be a risky one and could actually encourag hackers to conduct illegal activity, instead of stopping them.

Advertisement
Advertisement - Article continues below

"The controversial aspect is whether Facebook should have paid for the dump," he said. "The ethical dilemma is that by paying for password dumps, companies are funding and further encouraging criminals to hack other sites for their passwords."

Advertisement - Article continues below

There is another approach, dynamic password banning, which is used by Microsoft. This approach both stops people from using easy to guess and commonly used passwords and protects against password re-use, as those found in leaks such as the LinkedIn breach are then added to the list of banned passwords.

This strategy is notably different to Facebook's, however, in that it uses data freely available on the dark web, rather than buying password dumps, which Malik believes is the better option. "Dynamically banning passwords is needed," he said. "Currently, there is no way to determine at signup whether the password has been reused elsewhere," which means banning passwords at sign up if they exist on these leaked lists, even if they exceed the length and strength requirements of the provider, is more effective.

Jonathan Sander, VP of product strategy at Lieberman Software, meanwhile thinks Facebook's decision to buy-up data dumps could be detrimental to its growth.

Advertisement - Article continues below

"Facebook measures success in large part by the number of users on the site. If they make it hard for people to get started by forcing complex passwords, they add a barrier to people joining and helping to push that key metric up," he said.

"It's a classic struggle between security and usability. Everyone knows you need good security, but how much burden do you put on the user to get it?"

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Recommended

Andrew Daniels joins Druva as CIO and CISO
Cloud

Andrew Daniels joins Druva as CIO and CISO

22 Jul 2020
University of California gets fleeced by hackers for $1.14 million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Australia announces $1.35 billion investment in cyber security
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
CSA and ISSA form cyber security partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
UN report points to a 350% rise in phishing websites at start of 2020
phishing

UN report points to a 350% rise in phishing websites at start of 2020

7 Aug 2020