Beyond facebook's data breach
Last week’s information about the breach that affected 50 millions of facebook users has been largely discussed in the press (see techcrunch, wired or eff.org).
More details will be provided about this breach in the coming weeks. In the mean time, it is interesting to take a step back and remind oursleves of how passwords should be stored by any online service. The seminal paper on storing passwords securely is Morris and Thompson’s Password Security: A Case History published in 1979. This paper argues that password should never stored in plain text in any file and the only information that should be stored is the result of a non invertible hash function. In this paper and early versions of Unix, the hash function relied on the DES crypto algorithm. This has evolved since DES was not considered to be safe enough. In 1989, Feldmeier and Karn discuss the first decade of this evolution in UNIX Password Security - Ten Years Later. Various web sites provide recommandations on how to store hashed passwords efficiently and securely, see e.g. :
- https://crackstation.net/hashing-security.htm
- https://www.geeksforgeeks.org/store-password-database/https://www.geeksforgeeks.org/store-password-database/
I haven’t seen published technical details on how facebook stores its user’s passwords, but some information about the breach indicates that it also affects the utilisation of facebook credentials to log in other websites and services. During the last years, Facebook, Google, Github and a few other cloud providers have exposed APIs that smaller services can use to authenticate users. This is convenient for the user because they do not need to remember passwords for a large number of services. However, it reminds us that a breach in any of these popular authentication services can have a major impact. The research community has published interesting studies on the security impact of these single-sign on services. Two recent articles include :
- S. Farooqi et al., Measuring and Mitigating OAuth Access Token Abuse by Collusion Networks, IMC’17
- M. Ghasemisharif et al. O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web presented at USENIX ATC’18
If you want to go beyond the generic discussions on facebook’s data breach, these are excellent starting points.