There’s a reason you’re not supposed to use same password for all of your accounts — large-scale data breachers are all too common. But in case you still refuse to abide by logic and reason (and many of us do), Facebook now uses those stolen-passwords-made-public to tell you what an idiot you’re being. And to keep you safe.
Basically, Facebook is taking advantage of the fact that hackers will often post their stolen cache of data on sites like Pastebin for all the world to see. So whenever a hoard of usernames and passwords leak from other sites, Facebook goes in, swipes the stolen credentials, and checks it against its own user database. Should it find two sets that match, the user will find something like this alarming little notification upon his or her next login:
But don’t worry — this doesn’t necessarily mean that Face knows what your actual password is. As the company explained in today’s blog post:
This is a completely automated process that doesn’t require us to know or store your actual Facebook password in an unhashed form. In other words, no one here has your plain text password. To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time.
Instead of comparing two sets of plain-text passwords and usernames, Facebook is comparing their encrypted counterparts. So while that does let them figure out whether or not user credentials leaked from another site matched your own, they still don’t know what those user credentials actually are.
Of course, you shouldn’t be using the same password across multiple accounts in the first place. And two-factor authentication is almost always the best preemptive defence you can take. Still, if the worst does happen, and your password for every account you’ve had since middle school does end up on the big, wide internet, at least it’s being used for some good.
Picture: Shutterstock/2nix Studio