When a data controller embarks on a great initiative, they should be congratulated. Even Facebook. So today I’m glad to acknowledge the sterling work that has been going on behind the scenes to check whether passwords associated with Facebook accounts have been misappropriated.
Facebook monitor a selection of different 'paste' sites for stolen credentials and watch for reports of large-scale data breaches. They collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook. This is a completely automated process that doesn't require them to know or store actual Facebook passwords in plain text or unhashed form.
To check for matches, Facebook take the email address and password and run them through the same code that is used to check user passwords at login time. If they find a match, they'll notify the Facebook account holder the next time they log in, and guide them through a process to change the password.
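To make the mechanism concrete, here is an added illustration (not Facebook's code, and not from the linked note) of how a leaked email/password pair can be checked against an account store that holds only salted hashes. The hashing scheme (PBKDF2-HMAC-SHA256), the iteration count, the 'email:password' dump format and the sample accounts are all assumptions constructed for the example; the point it demonstrates is that the scan reuses the login-time verification function unchanged, so no plaintext password is ever stored, and a match simply flags the account for a forced reset.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Assumed parameters for the illustration; a real deployment would tune these.
PBKDF2_ITERATIONS = 100_000

# Account store: email -> (salt, hash). Only hashes are kept, never plaintext.
AccountStore = Dict[str, Tuple[bytes, bytes]]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (assumed scheme for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """The exact check the login path performs. The leak scan reuses it unchanged,
    so a match never requires the stored password in plaintext."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def create_account(store: AccountStore, email: str, password: str) -> None:
    """Register an account, keeping only a per-account salt and the derived hash."""
    salt = os.urandom(16)
    store[email.strip().lower()] = (salt, hash_password(password, salt))


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Parse 'email:password' lines from a public paste (constructed format).
    Lines that do not fit the format are skipped rather than guessed at."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        pairs.append((email.strip().lower(), password))
    return pairs


def scan_dump(store: AccountStore, dump_text: str) -> List[str]:
    """Return the accounts whose leaked credential verifies against the stored hash.
    Unknown emails are ignored; a non-matching password means the leak does not
    reuse the account's current password and nothing is flagged."""
    flagged = []
    for email, leaked_password in parse_dump(dump_text):
        record = store.get(email)
        if record is None:
            continue
        salt, stored_hash = record
        if verify_password(leaked_password, salt, stored_hash):
            flagged.append(email)
    return flagged


def demo() -> List[str]:
    """Constructed accounts and a constructed paste; returns accounts to notify."""
    store: AccountStore = {}
    create_account(store, "alice@example.com", "correct horse battery staple")
    create_account(store, "bob@example.com", "hunter2")

    # Constructed sample paste: one true reuse, one stale password, one unknown
    # user, and one malformed line.
    leaked_dump = (
        "alice@example.com:correct horse battery staple\n"
        "Bob@Example.com:old-password-from-2012\n"
        "nobody@example.com:whatever\n"
        "this line has no separator\n"
    )
    to_notify = scan_dump(store, leaked_dump)
    for email in to_notify:
        # In practice this would queue a prompt shown at the user's next login.
        print(f"flag {email} for a password change at next login")
    return to_notify


if __name__ == "__main__":
    demo()
```

Two details matter for a defender implementing this pattern: email addresses are normalised before lookup so a differently cased entry in the paste still hits the right account, and the comparison goes through hmac.compare_digest so the scan does not leak timing information about how close a guess was.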
Isn’t this a great idea? And a sign of a responsible data controller acting in the best interests of their customers?
So, Facebook, just in case no one else bothers to say it, please accept my thanks, at least, for providing such a useful service.
Source: https://www.facebook.com/notes/protect-the-graph/keeping-passwords-secure/1519937431579736