Facebook has devised a means to warn users if their password gets stolen by hackers.
In recent years, many of the largest companies in the world have been faced with security breaches.
The problem is made worse because people often reuse the same e-mail address and password combination on multiple websites. Over time, hackers have successfully used some of these stolen credentials to log into multiple websites associated with their victims, including Facebook, Google, Dropbox, Instagram, Snapchat and Twitter.
However, the good news is that Facebook has a way of warning users if their passwords were stolen.
Chris Long, Facebook security engineer, said the social network specifically looks at websites where hackers leak e-mail addresses and passwords. He added that Facebook built a tool that actively looks for public postings on websites like Pastebin.com containing login credentials and notifies account owners if their information has been compromised.
In the notification, Facebook guides those users with a tutorial on how to change their password. "This is a completely automated process that doesn't require us to know or store your actual Facebook password in an unhashed form. In other words, no one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time," Long said in a recent blog post entitled Keeping Passwords Secure.
Once the data is downloaded and parsed, the automated system checks each entry against Facebook's internal databases to see if any of the leaked e-mail and password pairs match valid login information on Facebook. Facebook stores passwords as hashes in its own database, so it has to hash the leaked credentials first and then compare them. Facebook uses hashing as a way to verify whether an input, such as a password or credit card details, matches the stored hash value without actually deciphering the text.
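The hash-and-compare check described above can be sketched as follows. This is an added example, not Facebook's code: it assumes salted PBKDF2-HMAC-SHA256 as the stored hash (the article does not name the algorithm), and all function names, users and dump lines are constructed for illustration.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch
# Dumps vary; accept email:password, email;password, email|password, email<TAB>password.
LINE_RE = re.compile(r"^\s*([^\s:;|]+@[^\s:;|]+)[:;|\t](.+?)\s*$")

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier; the same routine serves login and leak checks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_record(password: str) -> dict:
    """What the user table keeps: a random salt and the hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def verify_login(record: dict, candidate: str) -> bool:
    """Login-time check: re-hash with the stored salt, compare in constant time."""
    return hmac.compare_digest(hash_password(candidate, record["salt"]), record["hash"])

def parse_dump(text: str):
    """Yield (email, password) pairs, skipping lines that are not credential pairs."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)

def accounts_to_notify(dump_text: str, users: dict) -> list:
    """Return e-mails whose leaked password still matches the stored hash."""
    hits = set()
    for email, leaked in parse_dump(dump_text):
        record = users.get(email)  # unknown addresses are simply ignored
        if record is not None and verify_login(record, leaked):
            hits.add(email)
    return sorted(hits)

# Constructed sample data: two users and a paste-style dump.
USERS = {"alice@example.com": make_record("hunter2"),
         "bob@example.com": make_record("S3parate-pass")}
SAMPLE_DUMP = """leaked from somesite
Alice@Example.com:hunter2
bob@example.com;password123
carol@example.com:qwerty
not a credential line
"""
if __name__ == "__main__":
    print(accounts_to_notify(SAMPLE_DUMP, USERS))
```

Only the account whose leaked password still verifies is flagged; the leaked plaintext is hashed in memory and never stored.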
Facebook suggested a couple of ways to take extra precaution in protecting your login credentials. The first suggestion is to set up two-factor authentication, which requires you to enter a security code from your phone when you log in from a new browser. And the second suggestion is to use Facebook Login when you use third-party websites and apps so you do not have to remember separate usernames and passwords.
Facebook has been tracking public postings of leaked login credentials ever since Adobe announced in October 2013 that its servers had been hacked, exposing millions of usernames and passwords. Facebook compared its own users' login credentials with those leaked from Adobe. For security purposes, Facebook hid the profiles of users who had the same credentials on both services.
Source: Forbes
Friday, 6 March 2015
Online Security: How Facebook Detects If Your Passwords Were Stolen