www.facebook.com, twitter.com password storage disclosures

Facebook, Inc.

www.facebook.com

Rating B

scrypt (disclosed March 2019)

Details

Params: N=16384, p=1, r=8

Full algorithm: HMAC-SHA-256(scrypt(HMAC-SHA-256(HMAC-SHA-1(MD5(password)))))

Disclosures:

2014-12-09 talk ^arch (around 2:10)
2019-03-21 blog ^arch

History

Plaintext (disclosed March 2019)

Details

Note: As part of a routine security review in January 2019, Facebook found that some user passwords were being stored in a readable format within their internal data storage systems. The issue has affected hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook has since fixed the issue.

Disclosures:

2019-03-21 blog ^arch
2019-03-21 independent site ^arch

Why "B"?

A slow hashing function is used but such info is "invisible", hidden in a blog post or a talk, or on social media.

Recommended change: Publish storage and hashing info details visibly (e.g. in the docs or FAQ), then let me know.

Twitter, Inc.

twitter.com

Rating A

bcrypt (disclosed May 2018)

Details

Disclosures:

2009-06-28 docs ^arch
2016-06-09 Twitter (private account) ^arch
2016-06-10 blog ^arch
2018-05-03 blog ^arch

History

Plaintext (disclosed May 2018)

Details

Note: Due to a bug, passwords were written to an internal log before completing the bcrypt hashing, resulting in passwords being stored in plaintext in the log. The bug was fixed in May 2018.

Disclosures:

2018-05-03 blog ^arch

Why "A"?

Site uses a slow hashing function, this is disclosed "on-site", in the docs, FAQ, etc.