Facebook Privacy Guide

It's actually pretty good.

Also note that the site is redesigning its privacy settings. As we learned from Microsoft, nothing motivates a company to improve its security like competition.

Posted on August 30, 2011 at 12:24 PM • 27 Comments

Comments

Michael • August 30, 2011 12:59 PM

Imagine your pet’s name is Buddy, you live on State Street, you’re 15, and you like to stargaze at night. A good password for you would be budstat15*. Or go for something humorous you can remember. One woman set her work password to remind her of why she went to work, 4da$cash.

No comment.

Brendan Kidwell • August 30, 2011 1:16 PM

I suppose "budstat15*" is a little harder to guess than "buddystate", but still yeah: stop using passwords that came from your LIFE! Ask a computer for random words or syllables.

bobby • August 30, 2011 2:45 PM

They could make easy passwords about things in your life and then run them through a simple Caesar cipher. Then follow the usual rules for good passwords. In that way it's easy to recall.

abby • August 30, 2011 3:33 PM

Like so many things, xkcd has it right:
http://xkcd.com/936/

The mistake: teaching people to make short passwords. So if Facebook is serious about security, they'll allow (or even require) very long passphrases.
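Brendan's "ask a computer for random words" and abby's xkcd point are the same recommendation, and the arithmetic behind it is short enough to show. The following is an added example written for this page, not code from the original post or from Facebook: a passphrase generator that draws words with the OS CSPRNG, plus the entropy bookkeeping that tells you how many words a list of a given size needs. The 16-word list is constructed for the example only; a real deployment needs a published list of several thousand words.

```python
import math
import secrets

# Constructed toy wordlist for this example only. A real generator needs a
# large published list (a 7776-word diceware list gives close to 13 bits per
# word); these 16 words give only 4 bits per word.
TOY_WORDLIST = [
    "correct", "horse", "battery", "staple", "comet", "orbit", "lantern",
    "pebble", "meadow", "violin", "copper", "harbor", "saddle", "tundra",
    "walnut", "zephyr",
]


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly and independently from a wordlist."""
    if wordlist_size < 2 or n_words < 1:
        raise ValueError("need at least two words in the list and one draw")
    return n_words * math.log2(wordlist_size)


def random_password_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of `length` characters chosen uniformly at random from a charset.

    This is the number for a machine-generated password; a human-chosen
    'budstat15*' drawn from pet names and street names has far less.
    """
    return length * math.log2(charset_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Fewest words from the list that reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(n_words: int, wordlist=TOY_WORDLIST, sep: str = " ") -> str:
    """Draw words with the OS CSPRNG via `secrets`, never `random.choice`."""
    if n_words < 1:
        raise ValueError("n_words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(generate_passphrase(4))
    print(f"4 words from a 7776-word list: {passphrase_entropy_bits(7776, 4):.1f} bits")
    print(f"10 random printable ASCII chars: {random_password_entropy_bits(95, 10):.1f} bits")
    print(f"words for 80 bits from a 7776-word list: {words_needed(7776, 80)}")
```

Four words from a 7776-word list are about 52 bits, which is less than ten uniformly random printable characters (about 66 bits) but far easier to remember; adding words is the cheap way to close the gap, which is why the maximum-length limits discussed further down this thread matter.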

Bilateralrope • August 30, 2011 3:38 PM

At first, I was too lazy to enter details on Facebook beyond my name. Any messages I post there are things I don't care about others knowing.

The more I've heard about Facebook's security, the more I'm convinced that my laziness is the correct course of action, as they can't share information I'm too lazy to give them.

Jon • August 30, 2011 4:24 PM

More seriously, every previous time Facebook has 'revamped its security' all the 'permit everyone to see this' boxes wind up, by default, checked. Unchecking them has been quite a chore.

Why should we trust them any more this time?

J.


Mike • August 30, 2011 6:36 PM

How would you go about finding this thing on their site, in the interest of not blindly pointing people at PDFs via untrusted URLs?

Thomas • August 30, 2011 6:52 PM

re: XKCD

Couldn't agree more re: pass-phrases vs. p4$$word5

The trouble is that some interfaces (e.g. mobile phones) make typing long pass-phrases too difficult (y do u thnk sms spk evlvd?)

re: facebook
The stuff they really want you can't lie about.
Who cares if your real name isn't John Smith when they have your social graph, browsing habits, comments, likes and dislikes?

godel • August 30, 2011 9:04 PM

On this site there's some conflict between what's adequate for the ordinary slob logging onto Facebook, and what's adequate to protect the latest jet fighter plans or RSA's security token seeds.

For a 15 year-old boy, budstat15* is probably just adequate, although one upper case character and a few extra characters on the end would be a help.

It's all down to the cost and time required to break the password, versus the pay-off. Ten characters is where brute forcing starts to cost an attacker some money and time to decode, and the result has to be worth it.

Never mind XKCD, Gibson Research's page is probably more relevant.

https://www.grc.com/haystack.htm

Although my comments above assume that websites are smart enough to use salted hashes to store passwords, and to our shock and amazement, this has turned out not always to be true.
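godel's "cost and time versus pay-off" framing is easy to make concrete. The following is an added example written for this page, not code from the original post or from Gibson Research: a small cost model for an offline attack on a leaked hash database. The guess rates are assumptions used only to exercise the functions (a fast unsalted hash on commodity GPUs is taken as 10^10 guesses per second); the two structural points it shows are that an iterated hash divides the attacker's rate by the iteration count, and that salting multiplies the attacker's work by the number of accounts because one pass over the keyspace no longer cracks every account at once.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a password of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case (whole keyspace); the expected cost is half of this."""
    return space / guesses_per_second


def attacker_rate(raw_hashes_per_second: float, iterations: int) -> float:
    """An iterated hash (PBKDF2, bcrypt-style) divides throughput by its work factor."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    return raw_hashes_per_second / iterations


def total_work(space: int, n_accounts: int, salted: bool) -> int:
    """Guesses needed to cover `space` for every account in a leaked database.

    Unsalted: one computed hash is compared against every stored hash, so a
    single pass covers all accounts. Salted: every account needs its own pass.
    """
    return space * n_accounts if salted else space


def crack_years(charset_size: int, length: int, raw_rate: float, iterations: int = 1) -> float:
    """Years to exhaust the keyspace at the given raw rate and hash work factor."""
    secs = seconds_to_exhaust(keyspace(charset_size, length), attacker_rate(raw_rate, iterations))
    return secs / SECONDS_PER_YEAR


if __name__ == "__main__":
    ASSUMED_RAW_RATE = 1e10          # assumption: fast unsalted hash on a GPU rig
    PRINTABLE = 95                   # printable ASCII
    for length in range(6, 13):
        fast = crack_years(PRINTABLE, length, ASSUMED_RAW_RATE)
        slow = crack_years(PRINTABLE, length, ASSUMED_RAW_RATE, iterations=100_000)
        print(f"len {length:2d}: unsalted fast hash {fast:12.3e} y, 100k-iteration hash {slow:12.3e} y")
    print("work for 1,000,000 accounts, 8 lowercase chars:")
    print("  unsalted:", total_work(keyspace(26, 8), 1_000_000, salted=False))
    print("  salted:  ", total_work(keyspace(26, 8), 1_000_000, salted=True))
```

With these assumptions, ten printable characters against a fast unsalted hash is on the order of a couple of hundred years to exhaust, which is the threshold godel is describing; an eight-character lowercase password is seconds. The same ten characters behind a 100,000-iteration hash is five orders of magnitude more expensive, which is why the hashing choice on the server matters as much as the length policy.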

Jonathan Wilson • August 30, 2011 10:26 PM

What really annoys me re passwords are those times when a site or something has a maximum password length.
One site I use (for a bank) won't let me use more than 10 characters in a password.

SM • August 31, 2011 1:56 AM

In addition, if your computer has a keylogger or similar, a pass-phrase is more difficult to find than a p4$$word5.

Paeniteo • August 31, 2011 2:52 AM

@Jonathan Wilson: "One site I use (for a bank) wont let me use more than 10 characters in a password."

This does not have to be bad for security, depending on other measures they take:
http://www.schneier.com/blog/archives/2009/07/strong_web_pass.html

OTOH, there's hardly any reason to limit password length. Such a practice always suggests to me that they store the password in plain instead of hashing it.

Phil • August 31, 2011 3:12 AM

@Jonathan Wilson
What is even more annoying is a password system that lets you type a password of any length but just takes part of it and ignores the rest without telling you.

I discovered it a few years ago when I mistyped the end of my password to a CVS repository and was still granted access. Then I looked at the documentation and discovered it just uses the first 8 characters of the password and trashes the rest.

Carlos • August 31, 2011 7:28 AM

@Abby,

Facebook does allow passphrases, or at least really long passwords (with at least 20 chars...) with spaces in them.

As does Google.

AppSec • August 31, 2011 8:23 AM

What I don't understand:

Why is their OTP time expiration set to 20 min??

That makes absolutely no sense. I'm not going to request a password and then not login immediately after that. Even if you factor in a little time delay there's no reason to have it more than 5 minutes.

Has anyone used this system from them?
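The expiry window AppSec is questioning is only one of the properties a one-time login code needs; a code that expires in five minutes but can be replayed or guessed at leisure inside those five minutes is not much better than one that lasts twenty. The following is an added example written for this page, not Facebook's code and not a description of how Facebook's OTP system works: a minimal server-side store that issues an 8-digit code, keeps only its hash, and refuses it once it has been used, once the TTL (assumed 300 seconds here) has passed, or once a small number of wrong guesses (assumed 5) have been made against it. The clock is injectable so the expiry behaviour can be tested without sleeping.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Issued:
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


def _digest(code: str) -> bytes:
    # An 8-digit code has only 10^8 possibilities, so hashing it does not make
    # it uncrackable offline; it keeps the plaintext out of the datastore and
    # logs, and the attempt cap is what stops online guessing.
    return hashlib.sha256(code.encode("ascii")).digest()


class OtpStore:
    """Single-use login codes with a short lifetime and an attempt cap."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 5, clock=time.time):
        self.ttl = ttl_seconds            # assumption: 5 minutes is plenty
        self.max_attempts = max_attempts  # assumption: 5 guesses per code
        self.clock = clock                # injectable for tests
        self._issued = {}                 # user -> _Issued

    def issue(self, user: str) -> str:
        """Mint a code for `user`; any earlier unused code for them is replaced."""
        code = f"{secrets.randbelow(10**8):08d}"  # CSPRNG, zero-padded 8 digits
        self._issued[user] = _Issued(_digest(code), self.clock() + self.ttl)
        return code  # delivered out of band; only the hash stays server-side

    def verify(self, user: str, code: str) -> bool:
        rec = self._issued.get(user)
        if rec is None or rec.used:
            return False
        if self.clock() > rec.expires_at or rec.attempts >= self.max_attempts:
            del self._issued[user]        # expired or exhausted: gone for good
            return False
        rec.attempts += 1
        if not hmac.compare_digest(rec.code_hash, _digest(code)):
            return False
        rec.used = True                    # consume on first success
        return True


if __name__ == "__main__":
    store = OtpStore()
    c = store.issue("alice")
    print("first use:", store.verify("alice", c))    # True
    print("replay:   ", store.verify("alice", c))    # False
```

Whatever TTL you settle on, the single-use flag and the attempt cap are the controls that make the number mostly a usability question rather than a security one.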

Ateles • August 31, 2011 9:35 AM

ITWorld has an interesting article here about how it's possible to tag someone and block them from seeing the tag, amongst other issues with the new system.

Jon • August 31, 2011 6:26 PM

Many of my passwords wind up as acronyms of "pass phrases". They do turn out to be the easiest to remember.

They are, however, much more vulnerable to rainbow table attacks than real pass phrases.

J.
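Jon's rainbow-table worry and godel's earlier remark about sites that turn out not to salt are two sides of the same storage decision, so one example covers both. The following is an added example written for this page, not code from the original post or from Facebook: per-user salted PBKDF2-HMAC-SHA256 storage with a constant-time check, beside the unsalted fast hash that a rainbow table is built against. The "rainbow table" is a constructed dictionary of a handful of precomputed digests, including a couple of phrase acronyms, standing in for a real precomputed table; the 600,000 iteration count is an assumed work factor, not a figure from the page.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor: pick the largest value your login latency budget allows.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt, derived key."""
    salt = os.urandom(16)                       # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def unsalted_sha1(password: str) -> str:
    """The kind of storage a rainbow table is built for: no salt, fast hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a precomputed table: a few likely candidates,
# including acronyms of well-known phrases, keyed by their unsalted digest.
CANDIDATES = ["password", "123456", "tbontbtitq", "cHbs", "Tr0ub4dor&3"]
RAINBOW = {unsalted_sha1(c): c for c in CANDIDATES}


def rainbow_lookup(stored: str) -> Optional[str]:
    """Instant recovery if the site stored an unsalted digest of a listed candidate."""
    return RAINBOW.get(stored)


if __name__ == "__main__":
    pw = "tbontbtitq"                            # acronym of a famous line
    print("unsalted sha1 recovered as:", rainbow_lookup(unsalted_sha1(pw)))
    rec = hash_password(pw)
    print("salted record lookup:", rainbow_lookup(rec))   # None
    print("verify correct:", verify_password(pw, rec))
    print("verify wrong:  ", verify_password("tbontbtitr", rec))
```

Two users with the same acronym get two different records because the salt differs, so a table keyed on the digest of the bare password never matches; the iteration count then makes building a per-salt table as expensive as the brute-force estimate earlier in the thread. None of this makes a short acronym strong, it only removes the precomputation shortcut.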

Ross Quirkz • September 1, 2011 10:41 AM

@Phil "lets you type a password of any length but just takes part of it and ignores the rest without telling you."

I remember using some forums software that didn't like certain characters, such as the @ symbol in passwords. Rather than saying the password was bad, it just dropped those characters from the middle of the word. I can't even remember how I thought to try the password without the @, to finally be able to log in.
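Phil's CVS server that kept only the first 8 characters and Ross's forum that silently dropped '@' are both cases where the password you think you set is not the one being checked, and both can be detected from the outside with the same probe. The following is an added example written for this page, not CVS or forum code: a constructed backend that reproduces those two behaviours, a correct backend for contrast, and a probe that registers throwaway accounts and reports whether extra characters are ignored, how short a prefix still logs in, and which special characters are silently stripped. The probe takes register and login callables, so it can be pointed at a real signup form once wrapped; the 8-character limit and the '@' character in the constructed backend are taken from the two comments above.

```python
import hashlib
from typing import Callable, Dict, List


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


class LegacyBackend:
    """Constructed stand-in for the two bugs above: keeps only the first 8
    characters and drops '@' before hashing, telling the user neither."""
    MAX_LEN = 8
    DROPPED = "@"

    def __init__(self):
        self._users: Dict[str, str] = {}

    def _normalize(self, pw: str) -> str:
        return pw.replace(self.DROPPED, "")[: self.MAX_LEN]

    def register(self, user: str, pw: str) -> None:
        self._users[user] = _sha256(self._normalize(pw))

    def login(self, user: str, pw: str) -> bool:
        return self._users.get(user) == _sha256(self._normalize(pw))


class SaneBackend:
    """Hashes the whole password as typed (unsalted SHA-256 only to keep the
    contrast short; real storage wants a salted slow hash)."""

    def __init__(self):
        self._users: Dict[str, str] = {}

    def register(self, user: str, pw: str) -> None:
        self._users[user] = _sha256(pw)

    def login(self, user: str, pw: str) -> bool:
        return self._users.get(user) == _sha256(pw)


def probe_password_handling(
    register: Callable[[str, str], None],
    login: Callable[[str, str], bool],
    probe_chars: str = "@#$%&-!",
) -> dict:
    """Register throwaway accounts and test how the service mangles passwords."""
    base = "abcdefghijklmnop"                     # 16 plain letters, no specials
    register("probe-length", base)
    accepts_suffix = login("probe-length", base + "XX")
    shortest = next(n for n in range(1, len(base) + 1) if login("probe-length", base[:n]))

    dropped: List[str] = []
    for c in probe_chars:
        # 9 chars with c, 8 without: an 8-char truncation cannot mask the result,
        # because keeping c would leave 'ab{c}cdefg' which differs from 'abcdefgh'.
        pw = f"ab{c}cdefgh"
        register(f"probe-{c}", pw)
        if login(f"probe-{c}", pw.replace(c, "")):
            dropped.append(c)

    return {
        "accepts_extra_suffix": accepts_suffix,
        "shortest_accepted_prefix": shortest,
        "silently_dropped_chars": dropped,
    }


if __name__ == "__main__":
    legacy = LegacyBackend()
    print("legacy:", probe_password_handling(legacy.register, legacy.login))
    sane = SaneBackend()
    print("sane:  ", probe_password_handling(sane.register, sane.login))
```

A service that passes this probe may still cap length at the form, which is visible; the cases worth hunting for are the ones where the cap or the stripping happens after the form accepts the input, because those quietly turn a long passphrase into a short password.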

Dirk Praet • September 1, 2011 6:42 PM

Drawing from my own experience with Facebook users, the entire security guide is pretty much useless in the sense that 99% of them claim they have nothing to hide anyway so really couldn't be bothered less. Mileage of people living in countries with oppressive regimes (Syria, China, Iran, Libya, Bahrain etc.) may vary.

pessimistic • September 6, 2011 7:04 AM

It is great that they improve their game, but I never trust them anymore after my friend's account got hacked (and, she being dumb with passwords, her other accounts as well).

It was totally impossible to get Facebook to take any action, and the hacker was able to troll with the account for a month. Emails were easy to reclaim, as Google, for example, has reasonable IT support. Endofwhinystory();


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.