With close to 1.2 billion users, five new profiles created every second, and the average user spending 20 minutes on Facebook, www.facebook.com, alone, it would seem that Facebook would eventually outgrow the number of available passwords. That assumption couldn’t be further from the truth. What is troubling to cybersecurity experts like myself is that while even eight-character passwords can have up to 457 quadrillion possible combinations, users continue to reuse the same passwords at an alarming rate. Password reuse always makes the job of a hacker infinitely easier. Instead of using brute-force guessing attacks that can take hours, days, and even months, hackers can simply try every cracked password they come upon first, saving them years of potential effort. So why is Facebook getting in on this lucrative password black market?

Facebook Is Buying Your Passwords from Hackers

Facebook’s Chief Security Officer Alex Stamos, speaking at the Web Summit in Lisbon, revealed how the social network giant regularly buys stolen passwords on the Dark Web, a portion of the Internet that is not indexed by standard search engines and generally associated with hacking and illegal cyber activities. According to Stamos, password reuse is the No. 1 cause of harm on the Internet.

“The reuse of passwords is the No. 1 cause of harm on the Internet,” says Alex Stamos, chief security officer, Facebook.

He went on to say this practice of buying reused passwords has allowed the company to alert tens of millions of users that they were using bad or insecure passwords. By purchasing passwords from hackers and comparing them to their own encrypted database, Facebook can figure out what passwords you may have already used somewhere else on the Web. According to estimates, 59% of Americans reuse the same password across multiple sites. By warning users directly and forcing them to create new passwords, Facebook could prevent millions of account breaches.

The question that immediately comes to my mind is: Does Facebook know your password, then? Not exactly. Facebook uses a one-way hash function, a cryptographic algorithm that turns an input of arbitrary length into a fixed-length binary value. It works like a digital signature: Facebook stores the hash value of the password instead of the actual password. This means Facebook holds something analogous to an alias of your actual password, which is safer than storing the password itself. But what if the hacker already knows your password? Is it too late?
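How a site can run the kind of check Stamos describes, hashing each leaked plaintext with the affected user's own salt and comparing it to the stored one-way hash, as an added example that is not Facebook's code (the user store, the leak entries and the PBKDF2 parameters are constructed assumptions):

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; a real deployment would tune this higher


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted hash: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """What the site stores for a user: a random per-user salt and the salted hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def find_reused_passwords(user_store: dict, leaked_credentials: list) -> list:
    """Given leaked (email, plaintext) pairs, return the accounts whose current
    password matches the leaked one, i.e. users who reused it on this site.

    Because every user has a unique salt, each leaked plaintext must be hashed
    with that user's own salt before comparison; no precomputed table helps here.
    """
    flagged = set()
    for email, leaked_plain in leaked_credentials:
        record = user_store.get(email)
        if record is None:
            continue  # leak entry belongs to someone who is not our user
        candidate = hash_password(leaked_plain, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            flagged.add(email)  # force a reset; do not log the plaintext
    return sorted(flagged)


# Constructed sample data (not real accounts or real leak contents).
USER_STORE = {
    "alice@example.com": make_record("Summer2016!"),   # reused from another site
    "bob@example.com": make_record("7kQ#v9pL!zR2wN"),  # unique to this site
    "carol@example.com": make_record("password123"),   # reused from another site
}
LEAKED_CREDENTIALS = [
    ("alice@example.com", "Summer2016!"),
    ("bob@example.com", "hunter2"),       # bob's password elsewhere; differs here
    ("carol@example.com", "password123"),
    ("dave@example.com", "letmein"),      # not a user of this site
]

if __name__ == "__main__":
    print("accounts to reset:", find_reused_passwords(USER_STORE, LEAKED_CREDENTIALS))
```

Matching by email keeps the work linear in the size of the leak; comparing every leaked password against every account would multiply the PBKDF2 cost by the number of users.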

Facebook’s Built-In Authenticator

Every social media platform has been hacked and suffered a compromise to some degree. The ones we hear about make headlines, but most don’t. Facebook has integrated a built-in authenticator into its mobile app. Yet many do not take advantage of this secure login method, even though it is straightforward and easy to set up. First, it is important to note that you do not need a third-party app to use two-step authentication to log into your Facebook account securely. Facebook educates users on the importance of long, strong, and unique passwords to keep their accounts safe. But since many users hesitate to adopt anything that might slow them down, such as two-step authentication, many companies do not push the issue too hard. If users find the extra step annoying, they will not use the platform, so ease of use is always key.

Once enabled, the Facebook authenticator simply works behind the scenes. Any time someone attempts to log into your Facebook account from a mobile device, a one-time temporary code will be sent via SMS text to the device you initially used to set up two-step authentication. So if a hacker tries to log into your Facebook account from an IP address different from yours, they will need this time-sensitive code generated by the Facebook app. The code is sent only once to your mobile device and expires quickly. This extra authentication step is slightly inconvenient but extremely effective, provided you are the only one with access to your phone. There are some tricks that hackers could use to intercept this SMS text, but those types of attacks are rare, targeted, and expensive.

So Many Unique Passwords

If you find it challenging to remember passwords as I do, I recommend a little black book that you keep in a secure place to store all of your long, strong, and unique passwords. Another increasingly popular solution is using password managers such as Dashlane (my personal favorite), LastPass, or 1Password. Password managers like these allow you to securely manage numerous complex passwords with relative ease. The tradeoff is that your master key to access all of your passwords is still a single point of entry—so make sure that one is an exceptionally strong password.

It’s no secret that I am not a fan of Facebook’s data mining and privacy policies, but I am also not a regular user. So it’s hard for me to see the value that users willingly trade for possible privacy and security issues. I do appreciate that Facebook is proactive in both educating users on security issues that affect us all and putting cybersecurity systems in place before big breaches and not just after they occur.

Scott Schober, BVS president/CEO, cybersecurity expert, author of Hacked Again www.ScottSchober.com