Facebook has confirmed a blockbuster report from Brian Krebs that it stored hundreds of millions of passwords in plain text.
In a post titled “Keeping Passwords Secure,” Pedro Canahuati, VP Engineering, Security and Privacy, asserted “no passwords were exposed externally and we didn’t find any evidence of abuse to date.”
Krebs reports, “The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees.” This was the result of web requests being logged in plain text.
The company is not forcing Facebook or Instagram users to change their passwords. But you should still change yours. Then do something even more important.
Change your passwords and forget them
To change your Facebook password via the web or an app, go to “Settings > Security and Login > Change Password.” In Instagram, go to “Settings > Privacy and Security > Password.”
But an even better idea is to change your passwords now and forget them. In fact, if you don’t forget them, that’s a terrible sign for your security.
“If you can remember your passwords, they’re weak,” says Janne Kauhanen, cyber security expert and host of our Cyber Security Sauna podcast.
Yes, you should have a randomly generated 32 character password for each service and application. And this is only possible if you use a password manager or locker to assist you.
Password managers make life and securing accounts easy. Everyone can do it. And you can use our F-Secure KEY for free on one device or as part of F-Secure TOTAL.
If you want to remember something, remember this
You probably use 2-factor authentication wherever you can, as you should. Facebook recommends this in its post as well.
However, not all 2-factor authentication is same.
“You should always use two-factor authentication, but I have seen cases where it’s been bypassed,” Janne says. “Text message codes entered on the same login page with your credentials can be captured by faking that website. A fake error message will let you know the service is temporarily unavailable, while the attackers continue with your real session.”
Sneaky, right?
How can you avoid this? Avoid using text or SMS messages as your second factor for authentication. You can use an app such as Google’s Authenticator instead. These are much more difficult to compromise.
Remember this — forget your passwords
Taking passwords seriously doesn’t involve cluttering your brain with random arrays of letters, numbers, and special characters. Your RAM will be more wisely used on making sure you and everyone you love to do what the cyber security pros do – learn to love a password manager.
Categories
