
Change your Facebook password. And don’t try to remember it.

Sandra Proske

21.03.19 2 min. read

Facebook has confirmed a blockbuster report from Brian Krebs that it stored hundreds of millions of passwords in plain text.

In a post titled “Keeping Passwords Secure,” Pedro Canahuati, VP Engineering, Security and Privacy, asserted “no passwords were exposed externally and we didn’t find any evidence of abuse to date.”

Krebs reports, “The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees.” This was the result of web requests being logged in plain text.
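The root cause Krebs describes, credentials captured because web requests were logged verbatim, is normally prevented by scrubbing request data before it is written anywhere. The following is an added example, not Facebook's code or anything from the original post: a Python logging filter that masks password and token fields in form, query-string and JSON request bodies, plus a check for spotting unmasked credentials in logs that have already been written. The field names and sample request lines are constructed for the example.

```python
import io
import logging
import re

# Parameter names whose values must never reach a log line (constructed list; extend for your app).
SENSITIVE_KEYS = ("password", "passwd", "new_password", "old_password", "token")
REDACTED = "[REDACTED]"
_KEYS = "|".join(re.escape(k) for k in SENSITIVE_KEYS)
# key=value in query strings and form bodies, e.g. password=hunter2
_FORM_RE = re.compile(r"(?i)\b(%s)=([^&\s\"']+)" % _KEYS)
# "key": "value" in JSON bodies, e.g. "password": "hunter2"
_JSON_RE = re.compile(r'(?i)("(?:%s)"\s*:\s*")([^"]*)(")' % _KEYS)

# Constructed request lines of the kind an access log might capture.
SAMPLE_REQUESTS = [
    'POST /login body="email=alice@example.com&password=hunter2"',
    'POST /api/session body={"email": "bob@example.com", "password": "correct horse"}',
    "GET /feed?cursor=42",
]

def redact(text: str) -> str:
    """Mask credential values in a request line; the key name survives so the log stays useful."""
    text = _FORM_RE.sub(lambda m: m.group(1) + "=" + REDACTED, text)
    return _JSON_RE.sub(lambda m: m.group(1) + REDACTED + m.group(3), text)

def contains_plaintext_credential(line: str) -> bool:
    """Detection side: True if an already-written log line still carries an unmasked credential."""
    return redact(line) != line

class CredentialRedactingFilter(logging.Filter):
    """Attach to a handler (logger-level filters are not inherited by child loggers)."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; prevents a second %-formatting pass
        return True

def log_requests(request_lines: list[str]) -> list[str]:
    """Log each request through the redacting handler; return the lines that would have hit disk."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(CredentialRedactingFilter())
    logger = logging.getLogger("access-log-example")
    logger.handlers.clear()  # keep the example idempotent across repeated calls
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    for line in request_lines:
        logger.info("%s", line)
    return buf.getvalue().splitlines()
```

Running `contains_plaintext_credential` over an existing log file is the quickest way to find out whether a service already has this problem before an outside reporter does.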

The company is not forcing Facebook or Instagram users to change their passwords. But you should still change yours. Then do something even more important.

Change your passwords and forget them

To change your Facebook password via the web or an app, go to “Settings > Security and Login > Change Password.” In Instagram, go to “Settings > Privacy and Security > Password.”

But an even better idea is to change your passwords now and forget them. In fact, if you don’t forget them, that’s a terrible sign for your security.

“If you can remember your passwords, they’re weak,” says Janne Kauhanen, cyber security expert and host of our Cyber Security Sauna podcast.

Yes, you should have a randomly generated 32-character password for each service and application. And this is only possible if you use a password manager or locker to assist you.

Password managers make securing your accounts easy, and make life easier too. Everyone can do it. And you can use our F-Secure KEY for free on one device or as part of F-Secure TOTAL.

If you want to remember something, remember this

You probably use 2-factor authentication wherever you can, as you should. Facebook recommends this in its post as well.

However, not all 2-factor authentication is the same.

“You should always use two-factor authentication, but I have seen cases where it’s been bypassed,” Janne says. “Text message codes entered on the same login page with your credentials can be captured by faking that website. A fake error message will let you know the service is temporarily unavailable, while the attackers continue with your real session.”

Sneaky, right?

How can you avoid this? Avoid using text or SMS messages as your second factor for authentication. You can use an app such as Google’s Authenticator instead. These are much more difficult to compromise.

Remember this — forget your passwords

Taking passwords seriously doesn’t involve cluttering your brain with random arrays of letters, numbers, and special characters. Your RAM will be more wisely used on making sure you and everyone you love do what the cyber security pros do – learn to love a password manager.
