
Facebook buys black market passwords to keep your account safe

The company's security chief says account safety is about more than just building secure software.

Katie Collins Senior European Correspondent
Facebook's Alex Stamos: "Safety is a different word to security."

"The reuse of passwords is the No. 1 cause of harm on the internet," says Facebook's Alex Stamos.

Brendan Moran/Getty Images

For a data-saturated company of its size and scope, Facebook has largely managed to avoid the kind of security scandals, breaches and hacks that have affected many other major web companies.

Take a closer look, and you'll see why. Though on the surface all seems calm, below the waves the social network is kicking its legs frantically and working around the clock to keep users' accounts safe.

Keeping Facebook safe and keeping it secure are two different things, the social network's chief security officer, Alex Stamos, said Wednesday at Web Summit in Lisbon. Security is about building walls to keep out threats and shore up defenses, but according to Stamos, safety is bigger than that.

"It turns out that we can build perfectly secure software and yet people can still get hurt," he said.

Stamos came to Facebook in summer 2015 from Yahoo and now leads a team at the social network that tries to get ahead of hackers and other threats and head off trouble before it strikes. The biggest headache he deals with is caused by the humble password.

"The reuse of passwords is the No. 1 cause of harm on the internet," said the security chief.

When passwords are stolen en masse and traded on the black market, it becomes apparent just how many of them are the same -- "123456" and its consecutive numerical brethren are the main culprits. If you're using one of these passwords, that automatically makes your account more vulnerable to being compromised. This is something Facebook is keen to help you avoid.

To check that Facebook members are not choosing these commonly used passwords for their accounts, Stamos revealed, the social network buys passwords hackers are selling on the black market and cross-references them with encrypted passwords used on the site. He described the task as "computationally heavy" but said that as a result of the exercise Facebook has been able to alert tens of millions of users that their passwords needed changing because they weren't strong enough.
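The cross-referencing step Stamos describes, as an added illustration rather than Facebook's own code: a leaked-password list is checked against a site's salted password hashes, and the per-user salt is what makes the job "computationally heavy", because every leaked password has to be re-hashed once per account. The accounts, salts, work factor and leaked list below are all constructed sample data.

```python
"""Added example (not Facebook's code): checking a leaked-password list against
a credential store that keeps per-user salted PBKDF2 hashes."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor; production values are tuned per site

# Constructed sample accounts; two of them reuse passwords that appear in the leak.
SAMPLE_ACCOUNTS = {"alice": "123456", "bob": "orbit-kettle-94-lamp", "carol": "password1"}
# Constructed stand-in for a purchased black-market password list.
LEAKED_PASSWORDS = ["123456", "password1", "qwerty"]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted slow hash, the kind of stored value a site would compare against."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_db(plaintexts: dict) -> dict:
    """Build {user: (salt, hash)} from sample plaintexts; a real site never keeps the plaintexts."""
    db = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        db[user] = (salt, hash_password(pw, salt))
    return db


def find_compromised(user_db: dict, leaked: list) -> tuple:
    """Return ({user: matching_leaked_password}, slow_hashes_computed).

    Distinct salts mean no precomputation is shared between users, so the cost is
    up to len(user_db) * len(leaked) slow hashes: the "computationally heavy" part.
    """
    flagged, work = {}, 0
    for user, (salt, stored) in user_db.items():
        for candidate in leaked:
            work += 1
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                flagged[user] = candidate  # this account should be told to change its password
                break
    return flagged, work


def demo() -> tuple:
    return find_compromised(make_user_db(SAMPLE_ACCOUNTS), LEAKED_PASSWORDS)


if __name__ == "__main__":
    accounts, hashes = demo()
    print(f"{len(accounts)} account(s) flagged after {hashes} slow hashes: {sorted(accounts)}")
```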

Facebook provides a whole bunch of tools for users to make the security on an account nice and tight, ranging from traditional two-factor authentication to identifying faces of friends. But for Stamos, this is only part of the solution when it comes to keeping people safe.

"Even though we provide these options, it is our responsibility to think about those people that choose not to use them," he said.

One way the company does this is to apply machine learning algorithms to Facebook's social graph to establish whether activity on your account is fraudulent. Another concept currently in the works tackles the problem of account recovery. If hackers find their way into your email, it's easy for them to seize your Facebook account too, by choosing the password reset option. Instead, Facebook wants people to allow their close friends to verify an account-recovery request on their behalf.

"Usernames and passwords are an idea that came out of 1970s mainframe architectures," said Stamos. "They were not built for 2016."