Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 03-21-2019, 11:04 AM   #1
Hemi-Cuda
wins 10 internets
Join Date: Feb 2006
Location: slightly to the left
Facebook stored usernames/passwords in plain text

Might want to update your FB password, and any site that would have used the same one


https://krebsonsecurity.com/2019/03/...ext-for-years/
Old 03-21-2019, 11:12 AM   #2
Fuzz
Franchise Player
Join Date: Mar 2015

I have no idea how such a huge organization can be that obviously negligent. Like not just a little bit, that's colossal. Do they not have someone in charge of security? Maybe if governments started bringing criminal charges for this kind of negligence it would stop happening.
Old 03-21-2019, 11:22 AM   #3
photon
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary

Quote: Originally Posted by Fuzz
I have no idea how such a huge organization can be that obviously negligent. Like not just a little bit, that's colossal. Do they not have someone in charge of security? Maybe if governments started bringing criminal charges for this kind of negligence it would stop happening.
Doesn't take much for this kind of thing to happen. One developer logs certain information, not realizing that the operations team has changed to aggregating all the logs for that and other servers into a service for that kind of thing, and suddenly you're storing stuff in clear text you shouldn't be.

Shouldn't happen, but stuff like this is all too easy to occur in large systems with lots of developers and operations people all doing different things with different goals.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
Old 03-21-2019, 11:30 AM   #4
Fuzz
Franchise Player
Join Date: Mar 2015

Why are they storing passwords plain text though? They have no reason to not have them salted and encrypted in such a way that no one could read them even if they wanted to.
Old 03-21-2019, 11:35 AM   #5
ZedMan
Scoring Winger
 
Join Date: Apr 2008

I'm sure they store passwords salted and hashed (never encrypt passwords).
From the article:

Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.
(emphasis mine)
Old 03-21-2019, 04:49 PM   #6
photon
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary

Yeah. While they likely store password hashes, you still have to first accept a password as part of the process, and they must have had logging where those passwords are logged to a log file after they're accepted as input by whatever system but prior to them being hashed and stored.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
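The failure mode photon describes (a request logged before the password is hashed), shown as an added example that is not from the thread or the Krebs article: the same login step run once with a plain logger and once behind a redacting log filter. The field names in SENSITIVE_KEYS, the sample form and the fixed salt are constructed for the demo.

```python
import hashlib
import logging
import os
from io import StringIO

# Field names whose values must never reach a log line (assumed list, not from the thread)
SENSITIVE_KEYS = {"password", "passwd", "secret", "token"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: the only form of the password that should be stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class RedactSensitive(logging.Filter):
    """Handler filter that masks sensitive keys in any dict passed as a log argument."""

    @staticmethod
    def _mask(value):
        if isinstance(value, dict):
            return {k: ("***" if k.lower() in SENSITIVE_KEYS else v) for k, v in value.items()}
        return value

    def filter(self, record):
        # logging stores a lone dict argument as the dict itself, otherwise a tuple
        if isinstance(record.args, tuple):
            record.args = tuple(self._mask(a) for a in record.args)
        else:
            record.args = self._mask(record.args)
        return True


def handle_login(form, log):
    """Login step as the thread describes it: the request is logged, then the password is hashed."""
    log.info("login request: %s", form)  # the leak, unless the handler redacts
    return hash_password(form["password"], salt=b"constructed-salt")[1]


def run_login(form, redact):
    """Run handle_login against an in-memory log and return (log text, stored hash)."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    if redact:
        handler.addFilter(RedactSensitive())
    log = logging.getLogger("login-redacted" if redact else "login-leaky")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(handler)
    digest = handle_login(form, log)
    return buf.getvalue(), digest
```

Compare `run_login(form, redact=False)[0]` with `run_login(form, redact=True)[0]`: the stored hash is identical in both runs, but only the first log line carries the cleartext password, which is exactly what a central log aggregator would then collect.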
Old 03-21-2019, 11:21 PM   #7
Stealth22
Powerplay Quarterback
 
Join Date: Nov 2010

Quote: Originally Posted by Fuzz
I have no idea how such a huge organization can be that obviously negligent. Like not just a little bit, that's colossal. Do they not have someone in charge of security? Maybe if governments started bringing criminal charges for this kind of negligence it would stop happening.
Right? Even if you leave the negligence part aside, to me as a developer, logging/storing the plain text password is just...stupid. There's no other way to say it.

By the way, I'd recommend LastPass to anyone who doesn't already use it. Keeps track of all your passwords, and you can easily generate a different secure password for each site.
Old 03-21-2019, 11:24 PM   #8
Shazam
Franchise Player
Join Date: Aug 2005
Location: Memento Mori

Great, now they know the password for my luggage.
__________________
If you don't pass this sig to ten of your friends, you will become an Oilers fan.
Old 03-22-2019, 07:27 PM   #9
DownhillGoat
Franchise Player
Join Date: Jan 2010

Quote: Originally Posted by Fuzz
I have no idea how such a huge organization can be that obviously negligent. Like not just a little bit, that's colossal. Do they not have someone in charge of security? Maybe if governments started bringing criminal charges for this kind of negligence it would stop happening.
Considering the government can and has been just as negligent - I'd rather see my FB password lifted than my unencrypted hard drive go missing with my SIN number on it.
Old 03-23-2019, 05:24 AM   #10
Finger Cookin
Franchise Player
Join Date: Jun 2014

I solved this problem by deleting Facebook years and years ago.
Old 03-23-2019, 08:25 AM   #11
Azure
Had an idea!
Join Date: Oct 2005

Quote: Originally Posted by photon
Doesn't take much for this kind of thing to happen. One developer logs certain information, not realizing that the operations team has changed to aggregating all the logs for that and other servers into a service for that kind of thing, and suddenly you're storing stuff in clear text you shouldn't be.

Shouldn't happen, but stuff like this is all too easy to occur in large systems with lots of developers and operations people all doing different things with different goals.
Considering how much profit Facebook generates each quarter they could easily allocate a LOT more money to security.

They don't care, and Zuckerberg thinks he is above the law.
Old 03-26-2019, 08:27 AM   #12
Hemi-Cuda
wins 10 internets
Join Date: Feb 2006
Location: slightly to the left

Quote: Originally Posted by Azure
Considering how much profit Facebook generates each quarter they could easily allocate a LOT more money to security.

They don't care, and Zuckerberg thinks he is above the law.

Well, he is; he's a billionaire with deep pockets to buy political favor. That's about as above the law as you can get.