Apparently Facebook has decided to route all your emails through their servers first, replacing your usual contact information with an @facebook email address. My usual gmail address has been replaced with, horror of horrors, this:
The fix? Edit your contact information, select “shown on timeline” for your real email address, and hide the @facebook.com proxy address so it is never shown.
You may have read about the tens of millions of usernames and passwords that have been compromised, cracked or leaked from major websites in the last few weeks. If not, here are a few of the stories:
- 30 million passwords leaked from LinkedIn. The hashes were unsalted SHA-1, so once they were out they could be cracked quickly with precomputed tables.
- 6 million passwords hacked at Last.FM, the popular music discovery service.
- 1.5 million passwords leaked from eHarmony.
In the last year other services have experienced serious security breaches:
- 100 million accounts compromised on the Sony Playstation Network (PSN). Sony offered free credit monitoring and games to all PSN users to compensate them, a major departure from the typical “change your password” / sweep it under the rug response.
- All RSA SecurID tokens were compromised by the theft of RSA intellectual property and cryptographic keys. SecurID tokens are used by most enterprises for remote login as part of a multi-factor authentication scheme.
How can you protect yourself?
Sign up for a service like 1Password or LastPass, which offer convenient browser extensions. They generate a unique password for every website you use, so a breach at Facebook won’t affect your password on Mint.
How can Web Developers protect users?
Move to standardized authentication methods such as OpenID, or Facebook/Twitter/Google login integration. If authentication is outsourced, you never hold your users’ passwords, so there is no password database to leak. You still have to protect session tokens and the login callback handling, but the worst class of breach above simply cannot happen to you.
If you absolutely must store user passwords, please read How to Safely Store a Password and use bcrypt to do the heavy lifting. Then even if your login/password database is compromised, an attacker has to spend real computing time on every password of every user, instead of looking the whole database up in a precomputed table, and strong passwords stay out of reach.
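As an added example (not code from this post, and not bcrypt itself), the block below puts the LinkedIn-style scheme next to a salted, slow one. Python’s standard library has no bcrypt, so the slow hash here is PBKDF2-HMAC-SHA256 from `hashlib`; the structure is the same thing bcrypt gives you (a random per-user salt, a tunable work factor, and a constant-time comparison on login). The usernames, passwords and wordlist are constructed for the demonstration.

```python
# Added example, not code from the original post. The post recommends bcrypt;
# this uses PBKDF2-HMAC-SHA256 from the standard library so it runs without
# third-party packages. Same shape: random salt, work factor, constant-time verify.
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


# --- the LinkedIn-style scheme: one fast, unsalted hash per password ---
def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_hashes, wordlist):
    """One pass over the wordlist cracks every user who picked a listed word:
    identical passwords give identical hashes, so the table is built once
    and reused against the whole database."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked_hashes.items() if h in table}


# --- salted, slow scheme (what bcrypt does for you) ---
def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<hash>' with a fresh random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)  # no early exit on mismatch


def demo():
    """Constructed leak: two users chose the same weak password."""
    wordlist = ["123456", "password", "linkedin", "letmein"]
    users = {"alice": "linkedin", "bob": "linkedin", "carol": "Tr0ub4dor&3"}

    leaked_sha1 = {u: unsalted_sha1(p) for u, p in users.items()}
    cracked = crack_unsalted(leaked_sha1, wordlist)  # alice and bob fall at once

    # With per-user salts the same password hashes differently for each user,
    # so a precomputed table is useless and every account costs a full search.
    leaked_pbkdf2 = {u: hash_password(p) for u, p in users.items()}
    same_password_different_hash = leaked_pbkdf2["alice"] != leaked_pbkdf2["bob"]
    return cracked, same_password_different_hash, leaked_pbkdf2


if __name__ == "__main__":
    cracked, distinct, stored = demo()
    print("cracked from unsalted SHA-1:", cracked)
    print("alice and bob share a password but their stored hashes differ:", distinct)
    print("bob logs in:", verify_password("linkedin", stored["bob"]))
```

Note that the salt is not secret; it is stored next to the hash. Its job is to make every user’s hash unique so that the attacker’s work cannot be shared across accounts, and the iteration count is what makes each guess expensive.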
I was using my GMail today and was surprised to see a little link that read “Last account activity: 1 minute ago at this IP (22.214.171.124). Details.” If you click on Details, it brings up a popup with the latest activity on your account–who accessed your email last, and from where:
Activity on this account: This feature provides information about the last activity on this mail account and any concurrent activity.
GMail now tells you, with timestamps, (a) what kind of client (browser, IMAP client, etc.) accessed your email, (b) when it happened, and (c) from which IP address. The only thing lacking is a log of exactly what content was downloaded. So Google has finally given users a way to answer the “is my significant other spying on me” and “do my parents secretly read my email” questions: a client type or IP address in that list that you don’t recognise is the giveaway.
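As an added example (not code from this post or from Google), here is the kind of check a reader could run over the rows of that popup: flag an access from an IP you don’t recognise, a client type you never use, and “concurrent activity” from a different IP close in time. The record layout and the sample rows are constructed; the real popup is a web page, so you would copy the values out by hand.

```python
# Added example, not code from the original post. The row format is ours,
# not Google's; the sample rows are constructed for illustration.
from datetime import datetime, timedelta

# Constructed sample of what the "Details" popup reports per access:
# client type, source IP and time.
SAMPLE_ACTIVITY = [
    {"type": "Browser", "ip": "203.0.113.10", "time": "2012-06-15 09:00"},
    {"type": "Browser", "ip": "203.0.113.10", "time": "2012-06-15 09:40"},
    {"type": "IMAP",    "ip": "198.51.100.7", "time": "2012-06-15 09:42"},
    {"type": "Mobile",  "ip": "203.0.113.10", "time": "2012-06-15 12:00"},
]


def parse_activity(records):
    """Turn the popup rows into (datetime, type, ip) tuples, oldest first."""
    events = [(datetime.strptime(r["time"], "%Y-%m-%d %H:%M"), r["type"], r["ip"])
              for r in records]
    return sorted(events)


def suspicious_access(records, known_ips, expected_types, window=timedelta(minutes=30)):
    """Flag rows a user should look at twice:
      - an IP you don't recognise,
      - a client type you never use (IMAP when you only use the web UI),
      - concurrent activity: an access from a different IP within `window`
        of the previous access, which is what the popup's note about
        "concurrent activity" is pointing at.
    Returns a list of dicts, each with the row and the reasons it was flagged."""
    events = parse_activity(records)
    flagged = []
    for i, (t, kind, ip) in enumerate(events):
        reasons = []
        if ip not in known_ips:
            reasons.append("unknown ip")
        if kind not in expected_types:
            reasons.append("unexpected client type %s" % kind)
        if i > 0:
            prev_t, _, prev_ip = events[i - 1]
            if prev_ip != ip and t - prev_t <= window:
                reasons.append("concurrent with %s" % prev_ip)
        if reasons:
            flagged.append({"time": t.strftime("%Y-%m-%d %H:%M"), "type": kind,
                            "ip": ip, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    rows = suspicious_access(SAMPLE_ACTIVITY, {"203.0.113.10"}, {"Browser", "Mobile"})
    for row in rows:
        print(row["time"], row["type"], row["ip"], "->", ", ".join(row["reasons"]))
```

On the sample rows only the IMAP access at 09:42 is flagged, for all three reasons: it comes from an address the owner does not use, via a client type the owner never uses, two minutes after a browser session from the usual address. The 12:00 mobile access follows a different IP too, but far outside the window, so it is not reported.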