Facebook Privacy Guide
It’s actually pretty good.
Also note that the site is redesigning its privacy. As we learned from Microsoft, nothing motivates a company to improve its security like competition.
Comments
Brendan Kidwell • August 30, 2011 1:16 PM
I suppose “budstat15*” is a little harder to guess than “buddystate”, but still yeah: stop using passwords that came from your LIFE! Ask a computer for random words or syllables.
kingsnake • August 30, 2011 2:25 PM
Best form of Facebook security is not to use it.
bobby • August 30, 2011 2:45 PM
they could make easy pwds abt things in your life and then run them through a simple caeser cipher. Then follow the usual rules for good passwords. In that way its easy to recall.
abby • August 30, 2011 3:33 PM
Like so many things, xkcd has it right:
http://xkcd.com/936/
The mistake: teaching people to make short passwords. So if Facebook is serious about security, they’ll allow (or even require) very long passphrases.
Bilateralrope • August 30, 2011 3:38 PM
As first, I was too lazy to enter details on Facebook beyond my name. Any messages I post there are things I don’t care about others knowing.
The more I’ve heard about Facebooks security, the more I’m convinced that my laziness is the correct course of action as they can’t share information I’m too lazy to give them.
Total Moron • August 30, 2011 3:44 PM
What?!? Facebook is not private and secure?!?!?
Jon • August 30, 2011 4:24 PM
More seriously, every previous time Facebook has ‘revamped its security’ all the ‘permit everyone to see this’ boxes wind up, by default, checked. Unchecking them has been quite a chore.
Why should we trust them any more this time?
J.
kingsnake • August 30, 2011 4:58 PM
Jon, should Charlie Brown trust Lucy this time?
http://2.bp.blogspot.com/_QjQyXoZjMDg/TC_CBiiSzlI/AAAAAAAAAds/8LJ8mE-iPns/s1600/lucy+football.jpg
http://xkcd.com/936/
Best line from this: “Difficulty to remember: You’ve already memorized it” 😉
Mike • August 30, 2011 6:36 PM
How would you go about finding this thing on their site..in the interest of not blindly pointing people at PDFs via untrusted URLs?
Thomas • August 30, 2011 6:52 PM
re: XKCD
Couldn’t agree more re: pass-phrases vs. p4$$word5
The trouble is that some interfaces (e.g. mobile phones) make typing long pass-phrases too difficult (y do u thnk sms spk evlvd?)
re: facebook
The stuff they really want you can’t lie about.
Who cares if your real name isn’t John Smith when they have your social graph, browsing habits, comments, likes and dislikes?
Seth • August 30, 2011 7:00 PM
@Mike: https://www.facebook.com/safety/attachment/Guide%20to%20Facebook%20Security.pdf is an untrusted URL now to you? Then searching for it on facebook.com (!!) is not going help much at all
godel • August 30, 2011 9:04 PM
On this site there’s some conflict between what’s adequate for the ordinary slob logging onto Facebook, and what’s adequate to protect the latest jet fighter plans or RSA’s security token seeds.
For a 15 year-old boy, budstat15* is probably just adequate, although one upper case character and a few extra characters on the end would be a help.
It’s all down to the cost and time required to break the password, versus the pay-off. Ten characters is where brute forcing starts to cost an attacker some money and time to decode, and the result has to be worth it.
Never mind XKCD, Gibson Research’s page is probably more relevant.
https://www.grc.com/haystack.htm
Although my comments above assume that websites are smart enough to use salted hashes to store passwords, and to our shock and amazement, this has turned out not always to be true.
Jonathan Wilson • August 30, 2011 10:26 PM
What really annoys me re passwords are those times when a site or something has a maximum password length.
One site I use (for a bank) wont let me use more than 10 characters in a password.
In addition if your computer has a keylog o similar a pass-phrases is more difficult to find than a p4$$word5.
Paeniteo • August 31, 2011 2:52 AM
@Jonathan Wilson: “One site I use (for a bank) wont let me use more than 10 characters in a password.”
The does not have to be bad for security, depending on other measures they take:
http://www.schneier.com/blog/archives/2009/07/strong_web_pass.html
OTOH, there’s hardly any reason to limit password length. Such a practice always suggests to me that they store the password in plain instead of hashing it.
Phil • August 31, 2011 3:12 AM
@Jonathan Wilson
What is even more annoying is a password system that lets you type a password of any length but just takes part of it and ignores the rest without telling you.
I discovered it a few years ago when I mistyped the end of my password to a CVS repository and was still granted access. Then I looked at the documentation and discovered it just uses the first 8 characters of the password and trashes the rest.
Carlos • August 31, 2011 7:28 AM
@Abby,
Facebook does allow passphrases, or at least really long passwords (with at least 20 chars…) with spaces in them.
As does Google.
AppSec • August 31, 2011 8:23 AM
What I don’t understand:
Why is their OTP time expiration set to 20 min??
That makes absolutely no sense. I’m not going to request a password and then not login immediately after that. Even if you factor in a little time delay there’s no reason to have it more than 5 minutes.
Has anyone used this system from them?
Ateles • August 31, 2011 9:35 AM
ITWorld has an interesting article here about how it’s possible to tag someone and block them from seeing the tag, amongst other issues with the new system.
@decobydesign • August 31, 2011 9:43 AM
Thanks for the heads up – link posted to my organisation’s intranet.
Jan Doggen • August 31, 2011 3:45 PM
For a more independant one:
http://socialmediasecurity.com/downloads/Facebook_Privacy_and_Security_Guide.pdf
This one is still maintained and gives a decent ‘walkthrough’ for all the relevant settings.
Jon • August 31, 2011 6:26 PM
Many of my passwords wind up as acronyms of “pass phrases”. They do turn out to the easiest to remember.
They are, however, much more vulnerable to rainbow table attacks than real pass phrases.
J.
Ross Quirkz • September 1, 2011 10:41 AM
@Phil “lets you type a password of any length but just takes part of it and ignores the rest without telling you.”
I remember using some forums software that didn’t like certain characters, such as the @ symbol in passwords. Rather than saying the password was bad, it just dropped those characters from the middle of the word. I can’t even remember how I thought to try the password without the @, to finally be able to log in.
Dirk Praet • September 1, 2011 6:42 PM
Drawing from my own experience with Facebook users, the entire security guide is pretty much useless in the sense that 99% of them claim they have nothing to hide anyway so really couldn’t be bothered less. Mileage of people living in countries with oppressive regimes (Syria, China, Iran, Libya, Bahrain etc.) may vary.
pessimistic • September 6, 2011 7:04 AM
It is great that they improve their game, but I never trust them anymore after my friend’s account got hacked (and she being dumb with password) her accounts as well.
it was totally impossible to get facebook to take any action, and the hacker was able to troll with the account for a month. Emails were easy to reclaim as google for example have a reasonable it support. Endofwhinystory();
Subscribe to comments on this entry
Leave a comment
Sidebar photo of Bruce Schneier by Joe MacInnis.
Michael • August 30, 2011 12:59 PM
No comment.