
Keeping Passwords Secure - jmsflknr
https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/
======
krisrm
At what point do we start imposing strict fines on companies that are found to
have done this?

Granted, I guess we wouldn't be hearing about this instance at all if there
was to be some sort of fine attached - it would have just been swept under the
rug - so maybe that's not a good idea. I'm just tired of the "oops we stored
your passwords in plaintext lol" from companies with engineers that should
_clearly_ know better.

~~~
henvic
What if we stop thinking about fining or promoting sanctions against
everything and start helping people do the right thing?

* Promote Multi-Factor Authentication
* Promote public/private key usage
* Speak out against password reuse
...

~~~
krisrm
There's no reason why we can't do both at the same time. Companies, especially
tech behemoths like Facebook, should be held accountable for egregious
security oversights like this.

------
newscracker
> we found that some user passwords were being stored in a readable format
> within our internal data storage systems.

Truly astounding to see this from a big tech company in 2019!

> This caught our attention because our login systems are designed to mask
> passwords using techniques that make them unreadable. We have fixed these
> issues and as a precaution we will be notifying everyone whose passwords we
> have found were stored in this way.

Why not reset their passwords and force them to change it?

> To be clear, these passwords were never visible to anyone outside of
> Facebook and we have found no evidence to date that anyone internally abused
> or improperly accessed them.

That’s way too confident to state like that. Depending on how long this system
was in place, there may not even be logs to query and verify if any kind of
unauthorized access happened.

> We estimate that we will notify hundreds of millions of Facebook Lite users,
> tens of millions of other Facebook users, and tens of thousands of Instagram
> users. Facebook Lite is a version of Facebook predominantly used by people
> in regions with lower connectivity.

Hundreds of millions? More poor people usually live in regions with lower
connectivity. Why is it that, coincidentally, poorer people always have to
live with poorer security, poorer privacy protections, etc.? The difference in
these numbers seems appalling... as if someone in FB decided that this segment
doesn’t bring in enough ad money and so solutions for it could be developed
with less effort and no oversight or reviews.

There is no talk about security as a process in this post. Considering that
Facebook hasn’t had a CISO for quite some time, this is a damning finding.
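What "mask passwords using techniques that make them unreadable" means in practice, plus the kind of check that would have "caught our attention" much earlier: an added example, not Facebook's code and not from the original post. The record format, the iteration count and the sample records are assumptions made for this illustration; it uses only the Python standard library (PBKDF2-HMAC-SHA256 with a per-user random salt, stand-in for whatever slow KDF a real system uses).

```python
import hashlib
import hmac
import os
import re

# Hypothetical self-describing record format chosen for this example:
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
# Storing the parameters with the digest lets the cost be raised later
# without invalidating existing records.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumption: tune so one derivation takes ~100 ms on your hardware
SALT_BYTES = 16
_RECORD_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([0-9a-f]{32})\$([0-9a-f]{64})$")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted, deliberately slow hash. This string, never the
    password itself, is what belongs in the credential store."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-run the derivation with the stored salt and iteration count and
    compare in constant time. A record that is not in the expected format
    (plaintext, legacy unsalted hash, garbage) is never accepted."""
    m = _RECORD_RE.match(stored)
    if not m:
        return False
    iterations, salt_hex, digest_hex = int(m.group(1)), m.group(2), m.group(3)
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), iterations
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_credential_store(records):
    """Return the usernames whose stored credential does not parse as a
    well-formed hash record. Run over every table and log sink that can
    hold a credential; any hit (a readable password, an unsalted hex
    digest, an empty field) is a finding to investigate."""
    return [r["user"] for r in records if not _RECORD_RE.match(r.get("password", ""))]


# Constructed sample records: one correct, one readable password, one
# legacy unsalted MD5-style hex digest that a plaintext scan would miss
# but a format check catches.
SAMPLE_RECORDS = [
    {"user": "alice", "password": hash_password("correct horse battery staple")},
    {"user": "bob", "password": "hunter2"},
    {"user": "carol", "password": "5f4dcc3b5aa765d61d8327deb882cf99"},
]


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("login with right password:", verify_password(stored, "correct horse battery staple"))
    print("login with wrong password:", verify_password(stored, "Tr0ub4dor&3"))
    print("accounts needing a forced reset:", audit_credential_store(SAMPLE_RECORDS))
```

The audit function is the part that answers "why not reset their passwords": any account it flags has no usable hash on file, so the only safe remediation is to invalidate the stored value and force a change, since the stored string cannot be converted into a hash record after the fact without the user re-entering it.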

~~~
cridenour
> Depending on how long this system was in place, there may not even be logs
> to query and verify if any kind of unauthorized access happened.

An earlier article mentioned this has been happening since 2012 (from an
anonymous source at FB).

------
jdashg
The best time to get rid of passwords was years ago, but the second best time
is now.

The lack of at least opt-in public/private keys is disheartening.

------
Fnoord
The title 'Keeping Passwords Secure' only covers perhaps the second, not so
interesting part of this article. It does not cover the actual news item in
this article: Facebook stored passwords plaintext.

~~~
henvic
Back a decade ago, unfortunately, this was still commonplace.

We should be applauding them for their initiatives for protecting user
accounts, like MFA, notification alerts, etc. instead of condemning them for
making this awful mistake.

~~~
Fnoord
A little bit more than a decade AGO, but OK.

> We should be applauding [..] instead of condemning them

Why does it have to be either? We can condemn this mistake, while applauding
their security efforts.

These efforts were already known. They are not the news.

The fact they felt the need to be as defensive as they are (with non-news) is
telling for me. Why apply damage control when there's no urge for it?

------
otterley
"... is not a thing that we did"

