Facebook Stored Passwords in Plaintext and Sophos Commentary
Last week it was revealed that Facebook mistakenly stored millions of user passwords unencrypted and in plaintext. The passwords were held on Facebook’s internal servers and were not available to anyone outside the company, Facebook stated. They also added that there is no evidence that the passwords were compromised or accessed by employees for nefarious means.
The exact number of passwords held in this way isn’t clear; some reports put the figure at 200-600 million users, which is too wide a range to be useful. We know it has affected Facebook Lite users, Instagram users and Facebook users.
Although little damage was done, the risk of misuse is huge in this situation. A company that holds such a large amount of user data has a responsibility to protect that data. Facebook is also an attractive target for hackers, since a breach has the potential to yield significant amounts of sensitive data for use in other attacks or for fraud. This is why there are a number of best practices for password storage and security, so that even if data is stolen, it should be unreadable to the attacker.
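The two practices the incident turns on, storing only a salted slow hash rather than the password and redacting credential fields before anything is written to a log, as an added example (not Facebook’s or Sophos’s code; the iteration count and the field-name list are illustrative assumptions):

```python
import hashlib
import hmac
import json
import os
import re

# Illustrative work factor; tune to your hardware (an assumption, not a Facebook value).
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: bytes = None) -> str:
    """Return a storable record: only a random salt and a slow hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# Field names that must never reach a log file as-is (a constructed list).
SECRET_FIELD = re.compile(r"^(password|passwd|pwd|pass|token|secret)$", re.IGNORECASE)

def redact(event):
    """Recursively replace credential-like fields so a debug log cannot leak them."""
    if isinstance(event, dict):
        return {k: ("[REDACTED]" if SECRET_FIELD.match(k) else redact(v)) for k, v in event.items()}
    if isinstance(event, list):
        return [redact(v) for v in event]
    return event

def login_log_line(event: dict) -> str:
    """What the application should write to its log for a login attempt."""
    return json.dumps(redact(event), sort_keys=True)

if __name__ == "__main__":
    # Constructed sample request as a login handler might see it.
    request = {"user": "alice", "password": "hunter2", "ctx": {"ip": "203.0.113.5", "token": "abc"}}
    record = hash_password(request["password"])
    print(record)                         # no trace of "hunter2"
    print(verify_password("hunter2", record), verify_password("guess", record))
    print(login_log_line(request))        # password and token are redacted
```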
Facebook has contacted all affected users and states there is no need for users to change their passwords. However, security experts disagree.
We talked to the UK cybersecurity company Sophos. You can see their responses to our questions below.
What password practices do you recommend to users to keep their online accounts safe?
1. Don’t choose words or dates that relate to you, and don’t think that “password99” is a way of making the password “password” safe.
2. Go as long and complex as you can.
3. NEVER use the same password on more than one account. (Even if you think some of your accounts are unimportant and don’t need decent passwords, those accounts still come back to haunt you and your reputation if they get hacked.)
4. To make 1, 2 and 3 as easy as possible, use a password manager.
5. Turn on two-factor authentication. (Not just for Facebook, for all accounts that support it. It’s a tiny hassle for you but a big hurdle for the crooks, so why not protect yourself?)
Watch a 2-minute video: https://nakedsecurity.sophos.com/how-to-pick-a-proper-password
Do you think Facebook should have enforced a password reset for all affected users?
Resetting everyone’s password would work in an ideal world, but users don’t like what they see as ‘an inconvenience’ unless it is inescapable. Given that the passwords were inadvertently logged inside Facebook’s network and probably haven’t been misused, forcibly resetting passwords could cause more harm than good. When users pick new passwords under pressure, that’s when they forget the new one almost immediately and end up cutting corners, such as immediately doing another password reset and choosing a trivial password to “solve” the problem. Nevertheless, I recommend that you reset your password anyway, whether Facebook identifies you as affected or not. Do it on your own time – and if you aren’t using a password manager yet, make this an excuse to try one out.
Facebook stated that they knew about the issue in January of this year. Do you believe they should have come forward sooner?
As far as I can see, a security audit revealed that some sort of logging problem existed, and that considerable digging would be needed to find out the nature and extent of the issue. (If you can’t measure it, you can’t reliably fix it.) Facebook has now done a lot of that digging, and given that there was no clear and present danger, I think that the delay was acceptable. Facebook hasn’t tried to sweep this under the carpet, so let’s give the company credit for that. In fact, use this as a thought experiment: “If something like this showed up in my company, who would I get to track it down, how long would that take, and what would I do to convince people I’d found and fixed all instances of the problem in the end?”
Facebook has been criticised for its poor handling of user data in recent years. Do you think this latest incident will damage their reputation further?
It’s a very bad look for Facebook, but it’s not as though the company was using plaintext passwords to run its authentication servers and crooks got in and stole the password database. So you aren’t likely to end up in a password breach or to appear on the website ‘Have I Been Pwned’ because of this. I think that if you were thinking of closing your Facebook account, you’d already have done so on the basis of the controversies that have already emerged about Facebook in recent years. But this isn’t a story about how Facebook has deliberately been collecting information about you and your friends and making money out of it.
So my own opinion is that this story, taken on its own, is not the sort of thing to close your account over – and if it helps you decide, I’m not closing mine. This is also a reminder that even the programmers at companies like Facebook (and Google – remember Wi-Spy?) don’t always get security right, even when they’re trying to do so. So if you haven’t yet persuaded your own programmers to take security seriously, use this as an example of how simple and unintentional blunders can cause a lot of corporate PR pain!