Facebook says it stored millions of passwords in plain text
Posted on 03/21/2019 12:17:25 PM PDT by bgill
Facebook said Thursday that it stored millions of its users' passwords in plain text for years. The acknowledgement from the social media giant came after a security researcher posted about the issue online. "Security rule 101 dictates that under no circumstances passwords should be stored in plain text, and at all times must be encrypted," said cybersecurity expert Andrei Barysevich of Recorded Future. "There is no valid reason why anyone in an organization, especially the size of Facebook, needs to have access to users' passwords in plain text." Facebook said there is no evidence its employees abused access to this data. But thousands of employees could have searched them. The company said the passwords were stored on internal company servers, where no outsiders could access them. But the incident reveals a huge oversight for the company amid a slew of bruises and stumbles in the last couple of years. The security blog KrebsOnSecurity said some 600 million Facebook users may have had their passwords stored in plain text.
(Excerpt) Read more at kvue.com ...
Dammit. Oh, wait. I don’t do that. Yawn............
This is quite surprising. Nearly any commercial LDAP or other security access system stores only the hash of the password. Did Facebook use home-made security? For their size, you would certainly think they’d just buy a suitable commercial product.
When I worked, I was involved with the single sign-on system in a large bank, where we had 250,000 employees with logins. We used the Novell eDirectory LDAP to store the credentials.
.....another example of Zuckerberg screwing over the American people.
CEO is a lamebrain
CEO is pawn of 3 letter fed dept
I hope my fake identity hasn't been compromised
Look out your window.
I hear the black helicopters now. I'm heading to the bunker.
Vicious inmates are running that asylum, waiting for a chance to screw over anyone who disagrees with their politics.
You’re comparing apples and oranges. Yes, Facebook had/has custom in-house security, not some commercially available LDAP product. FR is the same way and so is any other website you interact with on a daily basis.
I think you just cracked the CEO’s password—don’t tell anyone—C..I...A....or it could be N...S...A if the first one does not work. ;-)
I was watching a CSPAN hearing while Marriott and Equifax CEOs tap-danced around the cyber-security issue. They ignored the potential insider threat—and the Congress-critters questioning them were clueless as well.
You are correct—most data breaches are not hacks at all.
They are inside jobs.
The first suspects should always be employees with access to the hardware and software.
Everybody has stored user data in plain text at some point. Encryption is a pain. Especially when the encryption level you’re using goes out of vogue, so you have to go bigger but in the case of upgrades you still have to read the old stuff and slowly replace it. Ugh. We all know it’s wrong, but it’s fast and easy.
They aren’t on LDAP. It’s just a SQL database.
"There is no valid reason why anyone in an organization, especially the size of Facebook, needs to have access to users' passwords in plain text."
Worth repeating. This is sheer lunacy. You always store encrypted and validate against a hash.
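The thread mentions storing only a hash of the password and the chore of reading old records while moving to stronger settings. The sketch below is an added example, not code from Facebook, Free Republic or any poster: it uses salted PBKDF2-HMAC-SHA256 (a one-way key-derivation hash, not reversible encryption) and upgrades an old record on the next successful login. The record layout, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000  # assumed current policy value; raise it over time


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # unique per record, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, stored: str):
    """Check a login attempt against a stored record.

    Returns (ok, replacement). replacement is a new record to write back when
    the password was correct but the record uses outdated parameters,
    otherwise None. The plaintext is only ever held in memory during login.
    """
    try:
        scheme, iter_s, salt_hex, digest_hex = stored.split("$")
        iterations = int(iter_s)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False, None  # malformed record: fail closed
    if scheme != SCHEME or iterations < 1:
        return False, None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    if not hmac.compare_digest(candidate, expected):  # constant-time compare
        return False, None
    if iterations < CURRENT_ITERATIONS:
        return True, hash_password(password)  # re-hash with current settings
    return True, None


if __name__ == "__main__":
    # Constructed sample: a record created under an older, weaker setting.
    legacy = hash_password("correct horse", iterations=1_000)
    ok, upgraded = verify_and_upgrade("correct horse", legacy)
    print(ok, upgraded.split("$")[1])
```

Because each record carries its own parameters, old and new records can coexist in the same table and are replaced one login at a time.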