Apparently Facebook has decided to route all your emails through their servers first, replacing your usual contact information with an @facebook email address. My usual gmail address has been replaced with, horror of horrors, this:
The fix? Edit your contact information, and select the “shown on timeline” for your real email address, and hide the Facebook proxy from ever being known.
You may have read about the tens of millions of usernames and passwords that have recently been compromised/hacked/leaked on major websites in the last few weeks. If not, here are a few of the stories:
- 30 million passwords leaked from LinkedIn due to unsalted SHA-1 hashes stored centrally.
- 6 million passwords hacked at Last.FM, the popular music discovery service.
- 1.5 million passwords leaked from eHarmony.
In the last year other services have experienced serious security breaches:
- 100 million accounts compromised on the Sony Playstation Network (PSN). Sony offered free credit monitoring and games to all PSN users to compensate them, a major departure from the typical “change your password” / sweep it under the rug response.
- All RSA SecurID tokens were compromised by the theft of RSA intellectual property and cryptographic keys. RSA tokens are used by most enterprises to log in remotely as part of a multi-factor authentication scheme.
How can you protect yourself?
Sign up for a service like 1Password or LastPass, which offer convenient browser extensions. They generate a unique password for each website you use, so a security breach at Facebook won’t affect your password on Mint.
How can Web Developers protect users?
Move to standardized authentication methods, like OpenID or Facebook/Twitter/Google login integration. If the authentication mechanism is outsourced, your customers and users don’t need to worry about how you store their passwords.
If you absolutely want to store user passwords, please read How to Safely Store a Password and use bcrypt to do the heavy lifting. Then even if your login/password database is compromised, nothing will come of it.
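To make the difference concrete, here is an added example (not code from the original post) contrasting the unsalted SHA-1 scheme described in the LinkedIn story with a salted, deliberately slow password hash. The post recommends bcrypt; this example substitutes PBKDF2-HMAC-SHA256 from the Python standard library so it runs with no third-party packages, and the user table and work factor are constructed for illustration. The point it demonstrates is that with an unsalted fast hash, every user who picked the same password gets the same stored digest, so cracking one hash cracks all of them, while a per-user salt plus a slow function makes each stored value unique and expensive to attack.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample credential table, not from the original post.
# Note that alice and bob chose the same password.
USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
}

# Hypothetical work factor; in a real deployment tune it so one
# verification costs a noticeable fraction of a second on your hardware.
ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme the post attributes to the LinkedIn leak: one fast,
    unsalted digest per password. Identical passwords yield identical
    digests, so a precomputed table or a single cracked hash covers every
    account that shares the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. Stand-in for bcrypt using PBKDF2-HMAC-SHA256.
    Stored format (constructed for this example): iterations$salt_hex$hash_hex,
    so the parameters travel with the hash and can be raised later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many leading bytes matched."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def duplicate_hash_count(table: Dict[str, str]) -> int:
    """Number of users whose stored value is shared with at least one other
    user. Anything above zero means one cracked entry unlocks several accounts."""
    counts = Counter(table.values())
    return sum(c for c in counts.values() if c > 1)


def build_tables() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Hash the sample users both ways so the two schemes can be compared."""
    weak = {user: unsalted_sha1(pw) for user, pw in USERS.items()}
    strong = {user: hash_password(pw) for user, pw in USERS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("users sharing a digest (unsalted SHA-1):", duplicate_hash_count(weak))
    print("users sharing a digest (salted PBKDF2):", duplicate_hash_count(strong))
    print("alice logs in:", verify_password(USERS["alice"], strong["alice"]))
    print("wrong password:", verify_password("not her password", strong["alice"]))
```

Running it shows two users sharing a digest under the unsalted scheme and none under the salted one, while login verification still succeeds only for the correct password. The same shape (random salt, slow function, constant-time compare, parameters stored alongside the hash) is what bcrypt gives you out of the box, which is why the post points you there.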
I think it’s time to stop reading Dealbreaker in my Google Reader feeds:
Let’s see why:
- Two “continue reading” links
- No full text RSS feed
- An ugly and stupid “follow Dealbreaker” banner that I doubt anyone will ever click
- A gigantic google-style text link ad
We wish the web would let information flow openly, but sites continue to push monetization over content. It’s time to switch!