In the course of Facebook review, Facebook has been looking at the ways Facebook store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them. There is nothing more important to Facebook than protecting people’s information, and Facebook will continue making improvements as part of Facebook ongoing security efforts at Facebook.
How Facebook Protect People’s Passwords
In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them. In security terms, Facebook “hash” and “salt” the passwords, including using a function called “scrypt” as well as a cryptographic key that lets Facebook irreversibly replace your actual password with a random set of characters. With this technique, Facebook can validate that a person is logging in with the correct password without actually having to store the password in plain text.
Because Facebook knows that people may share, reuse or have their passwords stolen, we’ve built security measures to help protect people’s accounts:
We use a variety of signals to detect suspicious activity. For example, even if a password is entered correctly, Facebook will treat it differently if Facebook detects that it is being entered from an unrecognized device or from an unusual location. When Facebook see a suspicious login attempt, we’ll ask an additional verification question to prove that the person is the real account owner.
People can also sign up to receive alerts about unrecognized logins.
Knowing some people reuse passwords across different services, Facebook keeps a close eye on data breach announcements from other organizations and publicly posted databases of stolen credentials. Facebook check if stolen email and password combinations match the same credentials being used on Facebook. If Facebook finds a match, we’ll notify you next time you login and guide you through changing your password.
To minimize the reliance on passwords, Facebook introduced the ability to register a physical security key to your account, so the next time you log in you’ll simply tap a small hardware device that goes in the USB drive of your computer. This measure is particularly critical for high-risk users including journalists, activists, political campaigns and public figures.
Securing Your Account
While no passwords were exposed externally and Facebook didn’t find any evidence of abuse to date, here are some steps you can take to keep your account secure:
You can change your password in your settings on Facebook and Instagram. Avoid reusing passwords across different services.
Pick strong and complex passwords for all your accounts. Password manager apps can help.
Consider enabling a security key or two-factor authentication to protect your Facebook account using codes from a third party authentication app. When you log in with your password, Facebook will ask for a security code or to tap your security key to verify that it is you.
For more information on how to keep your Facebook account secure, please visit facebook.com/about/security.