TechWeb

Facebook Forces Some Users To Reset Passwords

Nov 13, 2013 (06:11 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=240163875


10 Facebook Features To Help You Get Ahead
10 Facebook Features To Help You Get Ahead
(click image for larger view)
Score one for the password police: multiple sites, including Facebook, have been forcing users to reset their passwords if they've reused their Facebook password for a site that suffered a data breach.

"Recently, there was a security incident on another website unrelated to Facebook," reads a warning message some users have recently been seeing when they try to access the social network. "Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places.

"To secure your account, you'll need to answer a few questions and change your password. For your protection, no one can see you on Facebook until you finish," the warning adds.

[ Who is your biggest security threat? Read Think Hackers Are IT's Biggest Threat? Guess Again. ]

In recent days, sites such as Diapers.com and Soap.com have likewise warned some users that their passwords were reused on a site that recently suffered a breach, and must be reset.

"We actively look for situations where the accounts of people who use Facebook could be at risk -- even if the threat is external to our service," Facebook spokesman Jay Nancarrow told security reporter Brian Krebs. "When we find these situations, we present messages like the [above] to help affected people secure their accounts."

Reached via email, Nancarrow declined to detail the number of users that have seen Facebook's warning message.

The likely data breach victim behind all three sites' recent warning messages is Adobe, which last month warned that 3 million usernames and encrypted passwords had been stolen, and forced all users to reset their passwords. Subsequently, however, the company expanded its estimate of affected Adobe customers to 38 million.

What's the risk? Many people practice horrible password hygiene by reusing their password across multiple sites. Accordingly, if their username and password get stolen, an attacker can reuse those credentials to gain direct access to the person's account on another site.

Given the logistical challenge of maintaining different yet complex passwords for a range of different sites, security experts recommend that people employ a password manager. Not only can such tools keep passwords synchronized across multiple devices, but they can also generate strong, long, random and thus relatively complex and tough-to-crack passwords.

Still, user-selected complexity only goes so far. In the case of the Adobe breach, notably, the company let its users down by storing their passwords in a relatively insecure manner, according to an analysis of the stolen passwords published by security researcher Jeremi Gosney. He was able to quickly crack the "encrypted" passwords "thanks to Adobe choosing symmetric key encryption over hashing, selecting ECB [electronic code book cipher] mode, and using the same key for every password, combined with a large number of known plaintexts and the generosity of users who flat-out gave us their password in their password hint."

Of the 130 million stolen passwords, 1.9 million were "123456." All told, 2.75% of Adobe's users had chosen one of the same five passwords, which also included "123456789," "password," "adobe123," and "12345678."

Ideally, security researchers -- and attackers -- wouldn't have been able to take encrypted passwords and reverse-engineer them into real passwords. On that front, Paul Ducklin, head of technology for Sophos in the Asia Pacific region, has taken Adobe to task for "the scale of the blunder" behind the company's own poor password security practices. Just like LinkedIn, which last year lost 6.5 million users' passwords, Adobe failed to salt its passwords, and made some other dubious choices that have allowed almost every password to be recovered.

"Bear in mind that salted hashes -- the recommended programmatic approach here -- wouldn't have yielded up any such information, and you appreciate the magnitude of Adobe's blunder," he said.

"There's more to concern yourself with," added Ducklin. "Adobe also described the customer credit card data and other PII -- personally identifiable information -- that was stolen in the same attack as 'encrypted.'"

On the upside, however, some proactive companies are now mining stolen information to help their users. Facebook, for example, regularly obtains information on repeat-password offenders by watching the work of third-party researchers. "We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time," said Facebook security team member Chris Long via Krebs' site.

"We're proactive about finding sources of compromised passwords on the Internet," he said. "Through practice, we've become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts."