Ignore Facebook’s security advice

Chris Davies - Mar 21, 2019, 4:17 pm CDT
1
Ignore Facebook’s security advice

It’s time to change your Facebook password. Again. The social network argues today’s revelation that “hundreds of millions” of users’ passwords were saved, in plaintext and unprotected, where thousands of employees could have accessed them, isn’t bad enough that those users affected should be forced to update their security settings. I don’t agree.

Facebook’s goof saw engineers within the company create applications that logged user passwords in plaintext. The company spotted it happening in January of this year, the side-effect of an unrelated security check. However the logging apparently went back, in some cases, to as early as 2012.

Seven years is a long time in tech: long enough, in fact, for millions of users to be impacted. It wasn’t just Facebook, either: Instagram users were also caught in the inadvertent net. Facebook currently says that it expects hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users to be affected in total.

It’ll notify them, but it won’t force them to reset their passwords. Unlike last September, when Facebook opted to log 90 million users out of their accounts and demanded they create a new password before they could log back in, this time around the social network is taking a less demanding approach. You’ll get an alert that your password was one of the affected, but it’s up to you whether you change it or not.

According to Facebook’s Scott Renfro, the company doesn’t think this password screw-up warrants a forced password reset. “We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse,” he argued.

Of course, it’s in Facebook’s best interest to make accessing the site as low-hassle – and avoid as much potential frustration as possible – as it can. Active eyes make for more ad impressions, after all. If you’re faced with a prompt to change your password and a confession that your security was compromised, rather than your newsfeed, you might not be so keen to keep browsing.

Facebook hasn’t said – and likely would never say – how many people, when faced with that message last September, took it as a forced social detox and either scaled back or ceased their use of the site altogether. Perhaps, if the company didn’t have such an established record of cavalier treatment of user privacy, we’d be a little more likely to trust it when it advises us on what situations are worth getting paranoid about password security.

Personally, with claims that thousands of Facebook employees had potential access to the plaintext password logs, and despite Facebook’s insistence that it has found no evidence of misuse, my advice is to take a more proactive approach to your data. Changing your password is simple. If you’re using a desktop browser, click the arrow in the upper right corner of Facebook, choose “Settings” and then “Security and login” from the sidebar. The “Change password” option is in the list on the right.

If you’re using the Facebook app on your phone or tablet, tap the icon in the lower right corner, scroll down to “Settings” and then choose “Security and Login.” The “Change password” is one of the first options on the page.

If you’re not using a password manager – which should be able to create you a strong, unique password (and then help you remember it) – the general guidance is to use a new, unique password that you haven’t used on a different site or service. Use a mixture of uppercase and lowercase letters, numbers, and symbols, and avoid anything obvious like your name, address, date or birth, or something people might be able to guess.

Maybe I’m too paranoid. Perhaps Facebook does deserve the benefit of the doubt, and that its ongoing investigation won’t turn up any misuse of the plaintext password logs that should never have existed in the first place. Or – and perhaps this is the advice we should all be taking – it’s time to hit delete on our Facebook accounts altogether, and avoid any future security lapses in the most obvious way.

Whether or not you opt for that nuclear option, one thing is clear. Your privacy is something you alone can take responsibility for, no matter what Facebook – or others – tell you they’re committed to. And while Facebook’s official message today is that this, the latest in a series of security messes, isn’t a big deal, it’s at the very least another wake-up call that the security of your life online is only as safe as the care you put into protecting it.


Must Read Bits & Bytes