Schneier on Security
A blog covering security and security technology.
« Details of the RSA Hack |
| The Effects of Social Media on Undercover Policing »
August 30, 2011
Facebook Privacy Guide
It's actually pretty good.
Also note that the site is redesigning its privacy. As we learned from Microsoft, nothing motivates a company to improve its security like competition.
Posted on August 30, 2011 at 12:24 PM
• 27 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Imagine your pet’s name is Buddy, you live on State Street, you’re 15, and you like to stargaze
at night. A good password for you would be budstat15*. Or go for something humorous you can remember. One woman
set her work password to remind her of why she went to work, 4da$cash.
I suppose "budstat15*" is a little harder to guess than "buddystate", but still yeah: stop using passwords that came from your LIFE! Ask a computer for random words or syllables.
Best form of Facebook security is not to use it.
they could make easy pwds abt things in your life and then run them through a simple caeser cipher. Then follow the usual rules for good passwords. In that way its easy to recall.
Like so many things, xkcd has it right:
The mistake: teaching people to make short passwords. So if Facebook is serious about security, they'll allow (or even require) very long passphrases.
As first, I was too lazy to enter details on Facebook beyond my name. Any messages I post there are things I don't care about others knowing.
The more I've heard about Facebooks security, the more I'm convinced that my laziness is the correct course of action as they can't share information I'm too lazy to give them.
What?!? Facebook is not private and secure?!?!?
More seriously, every previous time Facebook has 'revamped its security' all the 'permit everyone to see this' boxes wind up, by default, checked. Unchecking them has been quite a chore.
Why should we trust them any more this time?
How would you go about finding this thing on their site..in the interest of not blindly pointing people at PDFs via untrusted URLs?
Couldn't agree more re: pass-phrases vs. p4$$word5
The trouble is that some interfaces (e.g. mobile phones) make typing long pass-phrases too difficult (y do u thnk sms spk evlvd?)
The stuff they really want you can't lie about.
Who cares if your real name isn't John Smith when they have your social graph, browsing habits, comments, likes and dislikes?
On this site there's some conflict between what's adequate for the ordinary slob logging onto Facebook, and what's adequate to protect the latest jet fighter plans or RSA's security token seeds.
For a 15 year-old boy, budstat15* is probably just adequate, although one upper case character and a few extra characters on the end would be a help.
It's all down to the cost and time required to break the password, versus the pay-off. Ten characters is where brute forcing starts to cost an attacker some money and time to decode, and the result has to be worth it.
Never mind XKCD, Gibson Research's page is probably more relevant.
Although my comments above assume that websites are smart enough to use salted hashes to store passwords, and to our shock and amazement, this has turned out not always to be true.
What really annoys me re passwords are those times when a site or something has a maximum password length.
One site I use (for a bank) wont let me use more than 10 characters in a password.
In addition if your computer has a keylog o similar a pass-phrases is more difficult to find than a p4$$word5.
@Jonathan Wilson: "One site I use (for a bank) wont let me use more than 10 characters in a password."
The does not have to be bad for security, depending on other measures they take:
OTOH, there's hardly any reason to limit password length. Such a practice always suggests to me that they store the password in plain instead of hashing it.
What is even more annoying is a password system that lets you type a password of any length but just takes part of it and ignores the rest without telling you.
I discovered it a few years ago when I mistyped the end of my password to a CVS repository and was still granted access. Then I looked at the documentation and discovered it just uses the first 8 characters of the password and trashes the rest.
Facebook does allow passphrases, or at least really long passwords (with at least 20 chars...) with spaces in them.
As does Google.
What I don't understand:
Why is their OTP time expiration set to 20 min??
That makes absolutely no sense. I'm not going to request a password and then not login immediately after that. Even if you factor in a little time delay there's no reason to have it more than 5 minutes.
Has anyone used this system from them?
ITWorld has an interesting article here about how it's possible to tag someone and block them from seeing the tag, amongst other issues with the new system.
Thanks for the heads up - link posted to my organisation's intranet.
Many of my passwords wind up as acronyms of "pass phrases". They do turn out to the easiest to remember.
They are, however, much more vulnerable to rainbow table attacks than real pass phrases.
@Phil "lets you type a password of any length but just takes part of it and ignores the rest without telling you."
I remember using some forums software that didn't like certain characters, such as the @ symbol in passwords. Rather than saying the password was bad, it just dropped those characters from the middle of the word. I can't even remember how I thought to try the password without the @, to finally be able to log in.
Drawing from my own experience with Facebook users, the entire security guide is pretty much useless in the sense that 99% of them claim they have nothing to hide anyway so really couldn't be bothered less. Mileage of people living in countries with oppressive regimes (Syria, China, Iran, Libya, Bahrain etc.) may vary.
It is great that they improve their game, but I never trust them anymore after my friend's account got hacked (and she being dumb with password) her accounts as well.
it was totally impossible to get facebook to take any action, and the hacker was able to troll with the account for a month. Emails were easy to reclaim as google for example have a reasonable it support. Endofwhinystory();
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.