Facebook Saves passwords. Even old ones.

Have you ever tried to log into Facebook with an old password?

Well, if you haven’t, it’s probably time to change your password!
But more importantly, you will see this graphic:

This means:

1. Facebook matched what you submitted with a stored value on their servers.
2. This stored value means they have recorded your old password.
3. We don’t know how long they have been storing old passwords, or how many.

Why does it matter?

A lot of users use the same password on many sites. That alone makes this a major security issue, because Facebook will CONFIRM an old password that crackers can then check against other sites. It can be common practice to save the last known password, as some sites use it as a security check to compare against when a password is changed. But usually that logic is at least behind a login, on a profile page, not on the homepage!
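How a password-history check can be built without the exposure described above, as an added example that is not from the original post: the history keeps only salted, stretched hashes of retired passwords, reuse is checked only inside the authenticated change-password flow, and login compares against the current credential alone, so an old password fails exactly like any other wrong guess. The PBKDF2 work factor and history depth are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Work factor for PBKDF2-HMAC-SHA256 (assumption: tune to your own hardware).
ITERATIONS = 200_000
# How many retired passwords to keep for the reuse check (assumption).
HISTORY_DEPTH = 5


def stretch(password: str, salt: bytes) -> bytes:
    """Salted, stretched hash; the plaintext is never stored anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    # Retired (salt, digest) pairs, newest first. Each retired password keeps
    # its own salt, so the history cannot be cracked as a single batch.
    history: list = field(default_factory=list)


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, stretch(password, salt))


def login(acct: Account, password: str) -> bool:
    """Login checks the current credential only. A retired password fails
    exactly like any other wrong guess, so the login page confirms nothing."""
    return hmac.compare_digest(stretch(password, acct.salt), acct.digest)


def change_password(acct: Account, old_password: str, new_password: str) -> str:
    """Reuse is checked only here, after the user re-authenticates."""
    if not login(acct, old_password):
        return "reauth-failed"
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if hmac.compare_digest(stretch(new_password, salt), digest):
            return "reused"
    # Retire the current credential, cap the history, install the new one.
    acct.history.insert(0, (acct.salt, acct.digest))
    del acct.history[HISTORY_DEPTH:]
    acct.salt = os.urandom(16)
    acct.digest = stretch(new_password, acct.salt)
    return "ok"
```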

But there is something worse here at play: many users cycle passwords. It is an easy way of remembering them.

What is cycling passwords? Well, you have a certain formula, or ‘bank’ of common passwords you use, and maybe you change them around from site to site once in a while, or you change a value in your formula, say a number here or there. For example, let us say you have a dog named Buddy. And because you won’t forget your dog’s name, you use Buddy8 for your password, then change it to Buddy9 a few months later, or Buddy10 for another site. So now Facebook has a store of not only most (or all) of your major passwords, but a traceable pattern to them.

So theoretically, Facebook can have a database of all (or most of) your common passwords and establish your pattern for logging into sites across the internet.

That you use.

For all sites.

For you data guys:

Take 10 people on Facebook who, for the past 5 years, have changed their password once a year:

Now let us assume there is a security breach – too often a question of ‘when’, not ‘if’. We now have not 10 passwords to crack into the most popular site and possibly others, but 50! Furthermore, all 50 are linked to a time stamp of when they were changed. Even if the other forty don’t currently work anywhere, they supply a possible formula for finding other passwords, and possible FUTURE combinations. Even if the breach is detected quickly and damage control is successful, it doesn’t matter: it only provides a false sense of security, as the most important data, unbeknownst to the end user, has already been leaked.

This is another reason password diversification is imperative. Not only do you want to keep important passwords very diverse, but you also need to rethink your strategy if you cycle passwords. There are many programs out there that will help you generate a random, and thus more secure, password.

So what do you think about Facebook, or any site for that matter, storing your old passwords?