Facebook has just admitted that it has found many places – hundreds of millions of places, maybe – where it saved users’ passwords to disk in raw, unencrypted form.
In jargon terms, they’re known as plaintext passwords, and it means that instead of seeing a password scrambled into a hashed form such as 379f1531753a7c43ab4f4faace212451, anyone looking at the stored data will see the actual password, right there, just like that:
123456789, or that:
mypassword99, or that:
Plaintext passwords used to be the rule, decades ago, but over the years it’s become technically, socially and even morally irresponsible to save raw passwords, a bit like drink-driving has become not only technically illegal but also outright unacceptable on the road.
In other words, it used to be the norm; then it was the thing you only did if you thought you wouldn’t get caught; and today it’s something that gets the book thrown at you, given that it’s so easy to get it right and so risky to get it wrong.
How did Facebook make such a basic mistake?
The good news is that the wrongly stored passwords don’t seem to be part of Facebook’s externally-accessible authentication system.
In other words, the Facebook gateway servers that let outside users log in aren’t festooned with raw copies of everyone’s passwords.
Instead, it looks as though some Facebook programmers have, over the years – back to 2012, according to cybersecurity journalist Brian Krebs – been careless when writing logfile entries.
In other words, instead of securely disposing of password data from memory after it’s been used to verify a login, they’ve allowed that data to stick around for a while, and it’s ended up in one or more logfiles where it simply didn’t need to be recorded, and shouldn’t have been.
It’s OK to keep access data such as username, timestamp, browser type, country and so on…
…but programmers are duty bound to dispose of data carefully and promptly if it isn’t supposed to be stored after it’s served its purpose.
The idea is simple: if you bump password data out of memory the instant that you no longer absolutely require it, then no one else can accidentally leak it later on.
Simply put, you can’t lose data you don’t have.
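To make the logging rule above concrete, here is an added example (not Facebook's code, and not from the original article) of a login handler that logs only an allowlist of access fields and overwrites its password buffer as soon as the check is done. The field names, the PBKDF2 work factor, the logger name and the sample request are assumptions made for illustration.

```python
import hashlib, hmac, json, logging, os

# Access data the article calls OK to keep; anything else is never logged.
LOGGABLE_FIELDS = ("username", "timestamp", "browser", "country")
ROUNDS = 100_000  # assumption: illustrative PBKDF2 work factor

def hash_password(password, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ROUNDS)

def loggable_view(request: dict) -> dict:
    # Allowlist, not denylist: a newly added secret field is dropped by default.
    return {k: request[k] for k in LOGGABLE_FIELDS if k in request}

def handle_login(request: dict, salt: bytes, stored: bytes, log) -> bool:
    password = request.pop("password")  # bytearray, so it can be overwritten
    try:
        ok = hmac.compare_digest(hash_password(password, salt), stored)
    finally:
        # Best-effort wipe of our buffer; copies made elsewhere are out of reach.
        password[:] = bytes(len(password))
    log.info("login %s %s", "ok" if ok else "failed",
             json.dumps(loggable_view(request), sort_keys=True))
    return ok

class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the demo can inspect them."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(record.getMessage())

def demo():
    # Constructed sample data: user, timestamp and password are made up.
    salt = os.urandom(16)
    stored = hash_password(b"mypassword99", salt)
    buf = bytearray(b"mypassword99")
    request = {"username": "alice", "timestamp": "2019-01-01T00:00:00Z",
               "browser": "Firefox", "country": "GB", "password": buf}
    handler, log = ListHandler(), logging.getLogger("login-demo")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    ok = handle_login(request, salt, stored, log)
    log.removeHandler(handler)
    return ok, handler.lines, buf

if __name__ == "__main__":
    print(demo())
```

Zeroing the buffer in Python only clears the copy this handler holds, so the allowlist on the logging side is the control that actually keeps the password out of the logfile.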