Facebook Introduces Disposable Passwords

Accessing Facebook from a public computer or Internet cafe can now be done more securely.

Thomas Claburn, Editor at Large, Enterprise Mobility

October 12, 2010

Dark Reading

Moving to enhance online security, Facebook on Tuesday said that it will soon offer users the ability to receive one-time passwords on their mobile phones and that it has already enabled the ability to sign out of Facebook remotely.

"[W]e're launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports," said Facebook product manager Jake Brill in a blog post. "If you have any concerns about security of the computer you're using while accessing Facebook, we can text you a one-time password to use instead of your regular password."

Passwords have long been considered the weak link in computer security, due to widespread disinterest in trying to remember passwords that are long enough and complicated enough to defy brute force attacks. Passwords that are too short or are based on words in dictionaries can generally be defeated by automated guessing attacks.

A survey released on Tuesday by Internet security company Webroot underscores the problems with passwords.

The company found that 47% of Facebook users, among the over 2,500 people surveyed, use their Facebook password for other online sites and 62% of Facebook users never change their passwords. It also found that only 16% of respondents bother to create passwords longer than 10 characters and that 41% of respondents have shared passwords with at least one person over the past year.

Facebook's decision to offer disposable passwords at least provides stronger security for those who want to make the effort. In a few weeks, as part of a gradual roll-out, Facebook users will be able to text "otp" to 32665 on a mobile phone and immediately receive a password that will work one time and will expire in 20 minutes.

This should help ensure that anyone shoulder-surfing while you log in to your Facebook account from a cafe won't be able to spy your regular password and later hijack your account.

Facebook is also providing users with an overview of recent login activity under the Account Security section of their Account Settings page. This recent login list offers a way to see whether one's account has been accessed from an unexpected location. It also offers the ability to remotely close sessions that one may have forgotten to terminate, such as when one logs into Facebook through a friend's phone.

Facebook is not alone in addressing cloud security concerns. Google provides users with Gmail session activity information and last month added two-step verification for Google Apps Premier, Government, and Education edition users.

About the Author

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
