Facebook Strengthens Password Recovery Process

As a regular reader of this blog, you are probably using a long, unique, 20-character password with two-factor authentication, and a password manager to keep it all straight.  But let’s say that you fall for a phishing scam and give away the password to your email account.  The attacker can now use your email account to request password reset emails from your other online accounts, and you have yourself one big breach.

Password reset procedures vary from one website or service to another, but almost without exception the process is weak and easy for an attacker to overcome.  The scenario above is bad enough, with your hijacked inbox awash in emails with password reset links.  But how about password reset systems that require you to provide answers to secret questions?  Unfortunately, many of the provided questions can be answered with a little research on Facebook, LinkedIn, or Ancestry.com (what is your grandmother’s middle name?).

Facebook is offering a password reset service called “delegated recovery.”  Facebook generates and stores an encrypted recovery token for a website that is registered by a Facebook user, and this token is used to reset a lost password.

Let’s say that I have registered my Amazon.com account with Facebook, but now I have forgotten my password and need to reset it.  I log into Facebook and send a token to Amazon that is time-stamped and signed by Amazon’s private key.  And now I am able to access my Amazon account again.
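To make the issue/store/countersign/redeem flow concrete, here is an added Python sketch of the roles described above; it is illustrative code written for this post, not Facebook's or GitHub's implementation. It assumes constructed keys and a 600-second freshness window, and uses HMAC as a stand-in for the asymmetric signatures the real protocol uses, so in this demo the site "verifies" the provider's countersignature with the same shared demo key.

```python
import hashlib
import hmac
import json
import os

# Constructed demo keys. HMAC stands in for the asymmetric signatures the
# real protocol uses; treat each key as known only to the party named.
SITE_KEY = b"site-signing-key-demo"          # the site's (Amazon's, in the post) private key
PROVIDER_KEY = b"provider-signing-key-demo"  # the recovery provider's (Facebook's) key
TOKEN_TTL = 600  # seconds a countersigned token stays redeemable (assumed value)

site_bindings = {}  # token_id -> account, kept only at the site, never sent to the provider


def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def site_issue_token(user, now):
    """Site: mint a random token, remember which account it unlocks, sign it,
    and hand it to the user to deposit with the recovery provider."""
    token_id = os.urandom(16).hex()
    site_bindings[token_id] = user
    payload = json.dumps({"token_id": token_id, "issued": now})
    return {"payload": payload, "site_sig": sign(SITE_KEY, payload.encode())}


def provider_recover(stored_token, now):
    """Provider: after the user logs in, countersign the stored (opaque) token
    with a fresh timestamp so the site can tell a live recovery from a replay."""
    body = json.dumps({**stored_token, "countersigned": now})
    return {"body": body, "provider_sig": sign(PROVIDER_KEY, body.encode())}


def site_redeem(recovery, now):
    """Site: allow the reset only if both signatures verify, the countersignature
    is fresh, and the token has not been used before. Returns the account or None."""
    body = recovery["body"]
    if not hmac.compare_digest(sign(PROVIDER_KEY, body.encode()), recovery["provider_sig"]):
        return None  # not countersigned by the provider
    outer = json.loads(body)
    if not hmac.compare_digest(sign(SITE_KEY, outer["payload"].encode()), outer["site_sig"]):
        return None  # token was not issued by this site, or was altered after issue
    if not 0 <= now - outer["countersigned"] <= TOKEN_TTL:
        return None  # stale or replayed countersignature
    token_id = json.loads(outer["payload"])["token_id"]
    return site_bindings.pop(token_id, None)  # pop makes the token single-use


if __name__ == "__main__":
    token = site_issue_token("alice", now=1000)   # user stores this with the provider
    recovery = provider_recover(token, now=5000)  # user proves identity to the provider
    print(site_redeem(recovery, now=5100))        # alice
    print(site_redeem(recovery, now=5100))        # None: already used
```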

Currently, only GitHub is set up to use Facebook’s Delegated Recovery.  So there is no need to rush out and sign up until more sites are enrolled.  Using Facebook this way means that you will want to make sure your security settings on Facebook are properly configured.  I expect that we will see other avenues for delegated recovery from companies such as LastPass and Yubico.  This is definitely an idea that is long overdue.

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
