
Forget your mother’s maiden name, Facebook is fixing password resets

Facebook is looking to end one of the biggest problems in web security: password recovery. To that end, it has announced a new way to recover the password for your GitHub account which, if successful, could spell the end of secret questions and recovery emails and provide much greater security in the future.

Recovering a password when you've forgotten it is often either too easy and not very secure, or a long slog to prove you're you. To get around that, Facebook has announced a new token system in partnership with GitHub. If you forget your password for the latter service, instead of jumping through the usual hoops, you can use a Facebook/GitHub recovery token which you've set up previously.

The system works by you setting up a recovery token before you forget your password, as a preventative measure. If at some point you do forget it, you head to Facebook and have it send your pre-registered recovery token. That token does not transfer any information about you, but allows Facebook to give the digital thumbs up that you are indeed you.


Although this method relies on strong security for your Facebook account, it does eliminate the problems associated with personal email security and secret questions, the latter of which can often be guessed without much difficulty. Because the tokens sent in the Facebook recovery system are encrypted and don't contain personal information either, it's technically safer than an email or SMS recovery, which could be intercepted.

Compromised email accounts can also be used to gain access to a number of different accounts. That won't be possible in the case of GitHub's new system. As Ars explains, the token system can also be rate limited, which means that if someone does compromise your account somewhere, they can't request a tonne of tokens at once, thereby potentially compromising only one or two of your online accounts rather than all of them.
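The flow described above, modelled as an added example rather than Facebook's or GitHub's own code. It assumes two made-up parties, Issuer (the GitHub role) and RecoveryProvider (the Facebook role), uses shared-key HMAC where a real deployment would use public-key signatures, and stands in a random opaque handle for the encrypted payload, so the stored token still reveals nothing about the user and is single-use and rate limited.

```python
import hashlib, hmac, json, secrets, time

def _sign(key: bytes, data: bytes) -> str:
    """Shared-key HMAC stands in for the public-key signatures a real deployment would use."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Issuer:
    """Account provider (GitHub's role). The handle-to-user map stays here, so the token
    itself carries nothing personal that the recovery provider could read or leak."""
    def __init__(self):
        self.key = secrets.token_bytes(32)   # signing key, never shared
        self.handles = {}                    # opaque random handle -> user id

    def issue_token(self, user_id: str) -> str:
        handle = secrets.token_hex(16)
        self.handles[handle] = user_id
        body = json.dumps({"v": 1, "issuer": "issuer.example", "handle": handle})
        return body + "." + _sign(self.key, body.encode())   # payload.signature

    def redeem(self, token: str, countersig: str, provider_key: bytes) -> str:
        """Check both signatures, then consume the handle so a token works exactly once."""
        body, sig = token.rsplit(".", 1)
        if not hmac.compare_digest(sig, _sign(self.key, body.encode())):
            raise ValueError("issuer signature invalid: token forged or tampered with")
        if not hmac.compare_digest(countersig, _sign(provider_key, token.encode())):
            raise ValueError("countersignature invalid: recovery provider did not attest")
        user = self.handles.pop(json.loads(body)["handle"], None)
        if user is None:
            raise ValueError("token already used or revoked")
        return user

class RecoveryProvider:
    """Recovery provider (Facebook's role): stores the opaque token and hands it back
    countersigned on request; per-account rate limiting stops a compromised login
    from draining every saved token at once."""
    def __init__(self, rate_limit: int = 3, window_s: float = 3600.0):
        self.key = secrets.token_bytes(32)
        self.store = {}        # provider account -> saved token (holds only a handle)
        self.requests = {}     # provider account -> timestamps of recent requests
        self.rate_limit, self.window_s = rate_limit, window_s

    def save_token(self, account: str, token: str) -> None:
        self.store[account] = token

    def recover(self, account: str, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.requests.get(account, []) if now - t < self.window_s]
        if len(recent) >= self.rate_limit:
            raise PermissionError("recovery rate limit exceeded for this account")
        self.requests[account] = recent + [now]
        return self.store[account], _sign(self.key, self.store[account].encode())
```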

Google research highlighted the dangers of secret questions back in 2015. Source: Google

By linking services together, too, they can collaborate on security and highlight instances where mass password recoveries are requested, suggesting accounts are in the process of being cracked open.

As it stands, this service only works with GitHub, but Facebook hopes to expand its reach in the future and encourages others to adopt the token system too.


KitGuru Says: What do you guys think of this security measure? It seems like a nice feature, but it won't be much use for those who don't have an account with Facebook. It also suggests Facebook and others could keep track of your logins, which some may not like.


2 comments

  1. Travis (Barrhaven)

    Eh, I don’t see a token system being all that secure. If it’s pre-determined before you lose your password, what’s stopping someone from grabbing the token? Another site’s security (or lack thereof)? As mentioned, it also means you need an account at a partner service such as Facebook, and what happens if you shutter your account at the partner service?

    We have single sign-in options. We have multiple single sign-in options, some of which aren’t secure.

    Security questions are stupid. Most places that institute them do so wrongly; for example, you can use the same answer for each question, and sometimes people encounter a selection of questions which they cannot answer or cannot/will not remember the answer to, and just put in their password.

    Almost every password and recovery system I dream up will either be difficult for the user, or has the potential to be compromised.
