Facebook Buys Black Market Passwords To Keep Your Account Safe

HardOCP News

I would like this idea a whole lot better if there were just some way to not give money to crooks. Good idea, and it still means you are one step behind the hackers, but at least it's something.

To check that Facebook members are not choosing these commonly used passwords for their accounts, Stamos revealed, the social network buys passwords hackers are selling on the black market and cross-references them with encrypted passwords used on the site. He described the task as "computationally heavy" but said that as a result of the exercise Facebook has been able to alert tens of millions of users that their passwords needed changing because they weren't strong enough.
 
Are those passwords NOT copied or backed up by hackers before selling to Facebook?

Duh.
 
I really hope they meant "hashed" passwords and not encrypted. Hashed passwords actually prevent leaks of passwords in the first place (if via database attack), where encrypted passwords normally require the key to be close enough by to be stolen with the passwords. Unless you encrypt the password with the password itself, which would work but be less efficient.
 
Are those passwords NOT copied or backed up by hackers before selling to Facebook?

Duh.
They aren't trying to remove the passwords from circulation; they're checking if user accounts are compromised / alerting users.
 
You three seem to be missing the point here. They are buying lists of stolen passwords that are not from their site but from any site. So say somebody is selling a list of usernames and passwords from bank X. They buy the list and toss the usernames. They then take the passwords and find the commonly used passwords from the list. Create a hash of them and compare that against their own database to find the people that are using these passwords. So let's say they buy 1 million passwords from a mix of 10 sites. They find that Password, Pass1234, p@ssw0rd and November all show up 10000 times each. They would then convert these into values that they can compare against their own customers and then notify the people using these 4 passwords that they are using insecure passwords that are commonly used and thus now would be easy to brute force. They also can use this list now so that anyone creating a new account would be told that these 4 passwords are not secure, as they are based on commonly used passwords. They are making their user passwords better by trying to prevent people from using passwords that are going to be showing up all the time in a stolen password list. This has nothing to do with protecting their database or them trying to buy the list so that nobody else has it. They are trying to get easy access to a list of everyone's passwords to know what the commonly used ones are. How else do you find out 1 billion passwords used outside of buying the lists that have been stolen?
 
Seems weird. I guess if a Facebook user is using a "good" non-dictionary password, let's say A1_st38ksau5k, and Facebook found that password in a list of compromised passwords from another site. Still seems worse ethically to provide strong motivation to hack passwords ($$$) to begin with, though. The easiest, 'safe' way to monetize a database of passwords is to sell the database.
 
Seems weird. I guess if a Facebook user is using a "good" non-dictionary password, let's say A1_st38ksau5k, and Facebook found that password in a list of compromised passwords from another site. Still seems worse ethically to provide strong motivation to hack passwords ($$$) to begin with, though. The easiest, 'safe' way to monetize a database of passwords is to sell the database.

Definitely is an odd way to handle it. I remember a few years back a site doing something where it would check the number of people using a password, and it would tell you when signing up that you couldn't use a password because too many people were using it. It would then blacklist that as a possible password while also telling everyone already using it to change their password. To me that always seemed like a smart idea if it could be done correctly. I guess this is going one step further and not only blacklisting dictionary words and common passwords on your site, but also common passwords on all sites. But, as you said, that is helping the bad people make money, which isn't a good thing.
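To make the procedure the thread is arguing about concrete, here is an added example (not code from the article, Facebook, or any poster) of the three pieces the posts describe: tallying a purchased dump to find its most common passwords, re-hashing those candidates against each user's salted hash to find who to alert (which is why the work is "computationally heavy"), and rejecting those passwords at signup. The dump contents, user records, hash parameters, and the threshold of 3 occurrences are all constructed for the example; it also shows the point raised about A1_st38ksau5k, since a password that appears only once in a leak falls below any frequency threshold and is not caught this way.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample dump: what a purchased list might look like once the
# usernames have been thrown away (assumed shape, not real leaked data).
LEAKED_PASSWORDS = (
    ["Password"] * 5 + ["Pass1234"] * 4 + ["p@ssw0rd"] * 4 + ["November"] * 3
    + ["A1_st38ksau5k", "correct horse battery", "zxcv9876"]
)

# Hashing parameters for the site's own credential store: PBKDF2-HMAC-SHA256
# with a random per-user salt. The iteration count is kept low so the example
# runs in well under a second; a real deployment uses a far higher work factor.
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of one password (what the site stores, not the password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_record(username: str, password: str) -> dict:
    """Create a stored credential record: only salt and hash are kept."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def common_passwords(leaked: list, min_count: int) -> set:
    """Step 1: tally the dump and keep passwords seen at least min_count times."""
    return {pw for pw, n in Counter(leaked).items() if n >= min_count}


def users_with_common_passwords(records: list, candidates: set) -> set:
    """Step 2: find which users' stored hashes match a common password.

    Because every user has a different salt, a candidate has to be re-hashed
    separately for each user: len(records) * len(candidates) PBKDF2 runs in the
    worst case. That product is the "computationally heavy" part of the exercise.
    Only usernames are returned, never the matching password.
    """
    flagged = set()
    for rec in records:
        for pw in candidates:
            if hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"]):
                flagged.add(rec["user"])
                break
    return flagged


def accept_new_password(password: str, blocklist: set) -> bool:
    """Step 3: at signup, refuse any password that is on the common-password list."""
    return password not in blocklist


if __name__ == "__main__":
    blocklist = common_passwords(LEAKED_PASSWORDS, min_count=3)
    # Constructed user records for the site's own database.
    users = [
        make_user_record("alice", "Pass1234"),
        make_user_record("bob", "Tr0ub4dor&3-long"),
        make_user_record("carol", "November"),
    ]
    print("common passwords in dump:", sorted(blocklist))
    print("users to alert:", sorted(users_with_common_passwords(users, blocklist)))
    print("signup 'Password' accepted?", accept_new_password("Password", blocklist))
    print("signup 'A1_st38ksau5k' accepted?", accept_new_password("A1_st38ksau5k", blocklist))
```

Because the comparison happens against salted hashes, the site never needs to store or recover its users' plaintext passwords to run the check; it only needs the candidate list and the per-user salt. Lowering the threshold catches more users but multiplies the number of hash operations, which is the trade-off behind the "tens of millions of users" figure in the article.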
 