How does Facebook keep your password secure?


As much of the digital world deals with leaks and hacks, Facebook knows that keeping user data secure is the most important thing it can do.

The company’s security team explained in a blog post, written by Security Engineer Chris Long, how it keeps passwords safe:

Our team wanted to do something to improve this situation, so we built a system dedicated to further securing people’s Facebook accounts by actively looking for these public postings, analyzing them, and then notifying people when we discover that their credentials have shown up elsewhere on the Internet. To do this, we monitor a selection of different ‘paste’ sites for stolen credentials and watch for reports of large scale data breaches. We collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook. This is a completely automated process that doesn’t require us to know or store your actual Facebook password in an unhashed form. In other words, no one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time. If we find a match, we’ll notify you the next time you log in and guide you through a process to change your password.

Long also explained what Facebook does when a set of stolen credentials is reported. First, Facebook passes the data into a program that parses it into a standardized format.

Then an automated system checks each data point against Facebook’s internal databases to see if any of the email addresses and hashed passwords match valid login information. “Since Facebook stores passwords securely as hashes,” Long wrote, “we can’t simply compare a password directly to the database. We need to hash it first and compare the hashes.”

If the email and hashed password combination doesn’t match, no action is taken. A mismatch indicates that the stolen password is different from the password you use for Facebook, so an attacker wouldn’t be able to use that password to get into your Facebook account. If the email address and hash combination matches, Facebook will notify the user the next time they log in, guiding them through a process to change the password.
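The parse, hash and compare steps described above can be sketched as follows. This is an added example, not Facebook's code: the `email:password` dump layout, the PBKDF2 hashing that stands in for Facebook's unpublished login hashing, and all function names and sample data are assumptions.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # assumed work factor for this sketch
# Assumed dump layout: email, then ':' ';' or TAB, then the password (may contain ':').
LINE = re.compile(r"^([^\s:;]+@[^\s:;]+)[:;\t](.+)$")

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash; stands in for the site's real login hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def verify_login(store: dict, email: str, password: str) -> bool:
    """The check a login form would run: hash the candidate, compare hashes."""
    record = store.get(email.strip().lower())
    if record is None:
        return False  # address has no account here, nothing to compare
    salt, stored_hash = record
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

def parse_dump(text: str):
    """Normalize a paste into (email, password) pairs; skip lines that do not fit."""
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if match:
            yield match.group(1).lower(), match.group(2)

def accounts_to_notify(store: dict, dump_text: str) -> set:
    """Emails whose leaked password still logs in; no plaintext is kept."""
    return {email for email, pw in parse_dump(dump_text) if verify_login(store, email, pw)}

def make_record(password: str):
    """Build one stored credential as (random salt, hash)."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

# Constructed sample data, not real credentials.
STORE = {email: make_record(pw) for email, pw in
         {"alice@example.com": "correct horse", "bob@example.com": "s3cret:pw"}.items()}
DUMP = """# constructed paste
Alice@Example.com:correct horse
bob@example.com:s3cret:pw
carol@example.com:hunter2
alice@example.com;old-password
not a credential line
"""

if __name__ == "__main__":
    print(sorted(accounts_to_notify(STORE, DUMP)))
```

Because the stored hashes are salted per account, each leaked pair has to go through the login check individually; the dump cannot be hashed once and joined against the credential table.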

Readers: How often has your password been compromised?


Publish date: October 17, 2014 © 2020 Adweek, LLC. - All Rights Reserved and NOT FOR REPRINT