Facebook, Zuckerberg, and Plain Text Passwords
Speaking about the public allegations that Mark Zuckerberg, alleged founder of Facebook, hacked into the Harvard email accounts of rivals and school journalists, Kevin Rose said that the allegations don’t even sound technically possible. The way the allegations are described, Mark Zuckerberg used the Facebook passwords of users he wanted to track to log in to other systems. Since many online users tend to have only one or two different usernames and/or passwords, if you have a user’s password for one online service you can often guess that user’s login password for another service. Clear text passwords are a real security concern.

On This Week in Tech #238, Kevin said, “It doesn’t make sense, I don’t see it happening. … Nobody really stores passwords in plain text anymore, I can’t imagine Facebook would have done that.” I’m a fan of Kevin’s Diggnation podcast, but I have to call him on this social media bullshit on technical grounds. It might be that his social graph is clouding his judgment. The sad truth is that even today, some large companies have been called out for storing passwords in clear text. In fact, a long-time sponsor of Diggnation, Go Daddy, was recently accused of storing passwords in plain, clear, simple-to-read text. Surely he must have known or heard of the Go Daddy privacy mishap. His explanation that no one really uses clear text passwords anymore is very naive; it sounds like the advice given at the many tech conferences Kevin is known to attend. I very much doubt that some “copy and paste” programmer in a college dorm room in 2004 would develop a website with 2010 best practices and user experience.
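To make the technical point concrete, here is an added example (mine, not code from the original post and not anything from Facebook) that puts a plaintext password table next to a salted, slow-hashed one and then replays a database dump of each against a second site where the same users reused their passwords. The user names, passwords and the three “sites” are constructed for the demo; the hashing scheme is PBKDF2-HMAC-SHA256 from Python’s standard library.

```python
import hashlib
import hmac
import os

# Constructed demo users; every site below registers the same credentials,
# modelling the password reuse the post describes.
SAMPLE_USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}


class PlaintextStore:
    """The design the post worries about: the password itself is the record.
    Anyone who can SELECT from this table holds every user's password."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = password

    def verify(self, user, password):
        return self.rows.get(user) == password


class HashedStore:
    """The 'nobody does that anymore' design: a per-user random salt plus a
    slow KDF (PBKDF2-HMAC-SHA256). The record never contains the password,
    so a dump yields nothing that can be typed into another site's login form."""

    # Iteration count kept modest so the demo runs quickly; follow current
    # OWASP/NIST guidance for a production setting.
    ITERATIONS = 200_000
    _DUMMY_SALT = b"\x00" * 16

    def __init__(self):
        self.rows = {}

    @classmethod
    def _derive(cls, password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, cls.ITERATIONS
        )

    def register(self, user, password):
        salt = os.urandom(16)
        self.rows[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        row = self.rows.get(user)
        if row is None:
            # Burn the same work for unknown users so response time does not
            # reveal which usernames exist.
            self._derive(password, self._DUMMY_SALT)
            return False
        salt, digest = row
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._derive(password, salt), digest)


def replay_dump_against(other_service, dump):
    """The attack the allegations describe: take what a database dump exposes
    and try it as a login on a different system. Returns the compromised users.
    Hashed rows are (salt, digest) tuples, so there is nothing to replay."""
    compromised = set()
    for user, value in dump.items():
        if isinstance(value, str) and other_service.verify(user, value):
            compromised.add(user)
    return compromised


def demo():
    """Register the same users on a plaintext site, a hashed site and a third
    site where they reused their passwords; return who a dump of each of the
    first two lets an insider log in as on the third."""
    site_a_plain = PlaintextStore()
    site_a_hashed = HashedStore()
    other_site = HashedStore()  # the 'other system' in the allegations
    for user, password in SAMPLE_USERS.items():
        site_a_plain.register(user, password)
        site_a_hashed.register(user, password)
        other_site.register(user, password)  # same password reused
    return (
        replay_dump_against(other_site, site_a_plain.rows),
        replay_dump_against(other_site, site_a_hashed.rows),
    )


if __name__ == "__main__":
    from_plain, from_hashed = demo()
    print("accounts takeable elsewhere from a plaintext dump:", sorted(from_plain))
    print("accounts takeable elsewhere from a hashed dump:   ", sorted(from_hashed))
```

The plaintext dump hands an insider both users’ logins on the other site; the hashed dump hands over nothing, and even the site that holds the hashes cannot read the passwords back. The dummy derivation for unknown users and the constant-time comparison are the two details that most often get skipped when someone “upgrades” from plaintext.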
I would hope that Facebook does not employ practices such as these now, but I sure don’t trust them with my account, and I do the bare minimum on Facebook that is required to keep up with friends. An anonymous Facebook developer stated in an interview that any Facebook developer can impersonate any user and that all data is unencrypted, so any developer could possibly run SQL queries to look up your data.
You have to think about it: for a social networking site, why can’t you befriend its founder, Mark Zuckerberg, like on other sites? I mean, Tom is in my top eight on MySpace. Don’t trust the 800-pound gorilla as far as you can throw it, especially if it is riding the elephant in the room.