The idea that a DDOS attack, FB requiring you to log in, and password theft are linked goes around periodically. It's time to lay it to rest. There are a number of misconceptions here, and misunderstanding how passwords can be stolen leaves you more vulnerable, not less.
A typical warning (relayed by people who care!) looks like this:
So let's work through this. First:
What is a DDOS attack, anyway?
A DDOS attack (Distributed Denial of Service attack) is simply an attack on a system (usually a network server) that prevents it from operating correctly, and thus denies the user the intended service.
The "Distributed" part means it's a beefed-up version of a vanilla DOS attack, where the target is attacked over the network from multiple systems at once. The attackers can range from 2 systems to over a half million! The approach is to take some action simultaneously that forces the target to do some work, and thus overload it.
So what does this have to do with my password?
Nothing at all. In the usual case, neither you, your account, your computer, nor your network connection is involved at all—other than not being able to communicate with the server, that is.
In the less common case, where your system is the target, the only difference is you won't be able to talk to anyone. If your system is directly connected to the internet (for all that is good and sane in the world, do not do that!), you might not be able to use your system until you disconnect it from the network. But if you are properly connected behind a router, whether at home, or via a cell network, or even (generally) a public WiFi, it will be the router that takes the hit.
So an attack looks like this. Or, at worst, they are attacking your router.
The thing to remember here is—they cannot see you. That blue line, going through your router to the servers? That's encrypted. Even if they have a way to spy on your traffic, they cannot see what that traffic is.
But the claim is, Facebook logs you off in this case!
That's the claim. But it has no connection to reality. What does it mean to be "logged in" to Facebook?
First, let's look at how the web works. The browser makes a series of requests to a server. The server answers them. In the old days, each request was a separate network connection. That was inefficient, and now network connections are managed differently. But unlike, say, Zoom or Skype or a telephone call, a connection is not how you stay logged in.
A DDOS attack may cause you to lose your connection—but that happens anyway, whenever you sit idle.
What does being logged in mean?
Simply put, being logged in is an arrangement between your browser and Facebook, so that Facebook knows the requests are coming from the same session as when you authenticated. Authentication is the process of "logging in", that is, proving to Facebook that you are who you say you are. You provide your name and password. Facebook combines that password with a number specific to you, and performs a very large number of cryptographic hashes on the combination. It then compares the result with a stored result. (This means—Facebook does not store your password!)
The purpose of the "large number of hashes" part is to make it very slow and expensive to try to guess passwords. The "number specific to you" part (usually called a salt) is so that if someone stole Facebook's password database, they could not compare your hashed password with anyone else's, even if you happened to use the same password.
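The salted, iterated hashing just described, as an added example that is not Facebook's code: a record is stored at enrollment (salt, iteration count, hash), and a login attempt is verified by re-running the same hash. The algorithm (PBKDF2-HMAC-SHA256), the iteration count and the salt size are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for illustration; a real service chooses its own
# algorithm and iteration count (this is not Facebook's actual scheme).
ITERATIONS = 600_000   # the "large number of hashes": makes each guess slow
SALT_BYTES = 16        # the "number specific to you"


def enroll(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the stored record for a new password: salt + hash, never the password."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Re-run the same salted, iterated hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def same_password_hashes_differ(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users with the same password get different stored hashes (different salts)."""
    return enroll(password, iterations)["hash"] != enroll(password, iterations)["hash"]


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")
    print(verify(rec, "correct horse battery staple"))   # True
    print(verify(rec, "Correct horse battery staple"))   # False
    print(same_password_hashes_differ("correct horse battery staple"))  # True
    # The record holds a salt and a hash; the password itself appears nowhere.
    print(b"correct horse" in rec["hash"])               # False
```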
Once your password has been authenticated, Facebook may then require you to enter a second factor, perhaps from a text message.
Once Facebook is satisfied that you are, indeed, you, Facebook gives you a special token: a string of letters and digits long enough not to be guessable, which represents your logged-in status.
As long as your browser has this token, and includes it in every request, and Facebook does not decide to invalidate it, you are logged in.
Facebook probably replaces these tokens frequently, so a token stolen from your hard drive cannot be used indefinitely. But we're getting ahead of ourselves.
These tokens are cookies. Cookies are just small pieces of information that a website has asked to be sent back along with requests. They're the glue that allows the web to be more than a collection of linked pages.
But it says Facebook logs me out after a DDOS!
Yes, it says that. It's one of many things wrong with that claim. Why would Facebook log you out after a DDOS? It has nothing at all to do with you! It has nothing to do with your password!
Facebook may log you out if they think that login cookie has been compromised, or is too old, or if you've changed your password on another device. Yes, this logs you out, but a DDOS attack is not one of the reasons.
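A toy session store, added here as an illustration and not Facebook's real implementation, showing the token mechanics from the paragraphs above: an unguessable token is issued only after authentication, it is rotated, and it is invalidated for exactly the reasons listed (believed compromised, too old, password changed on another device). Nothing in it reacts to a network outage, which is the point. The class, its method names and the 30-day maximum age are assumptions.

```python
import secrets

# Constructed toy session store (an assumption for this example).
TOKEN_BYTES = 32                   # 256 bits of randomness: not guessable
MAX_AGE_SECONDS = 30 * 24 * 3600   # "too old" threshold, chosen arbitrarily here


class SessionStore:
    def __init__(self):
        self._sessions = {}    # token -> {"user", "issued", "pw_version"}
        self._pw_version = {}  # user -> counter bumped on every password change

    def login(self, user: str, now: float) -> str:
        """Called only after the password (and any second factor) checked out."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = {"user": user, "issued": now,
                                 "pw_version": self._pw_version.get(user, 0)}
        return token

    def whoami(self, token: str, now: float):
        """Return the user for a valid token, or None (meaning: log in again)."""
        s = self._sessions.get(token)
        if s is None:
            return None                         # unknown or revoked cookie
        if now - s["issued"] > MAX_AGE_SECONDS:
            del self._sessions[token]           # too old
            return None
        if s["pw_version"] != self._pw_version.get(s["user"], 0):
            del self._sessions[token]           # password changed on another device
            return None
        return s["user"]

    def rotate(self, token: str, now: float):
        """Swap a valid token for a fresh one, so an old stolen cookie stops working."""
        user = self.whoami(token, now)
        if user is None:
            return None
        del self._sessions[token]
        return self.login(user, now)

    def change_password(self, user: str) -> None:
        """Bumping the version invalidates every session issued before the change."""
        self._pw_version[user] = self._pw_version.get(user, 0) + 1

    def revoke(self, token: str) -> None:
        """Explicit invalidation, e.g. when the cookie is believed compromised."""
        self._sessions.pop(token, None)
```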
But how are people stealing accounts?
I don't know, not really. I can only tell you where it's possible and where it's not.
Once your traffic goes out over that blue line, your password is safe. So let's look at the other options.
Maybe Facebook let them!
Wait, what? Well, a couple of things.
- Somebody on the inside changed it for someone.
- Someone went through the "forgot my password" path.
We can ignore the first one. Facebook is very, very careful about this. More careful than you could ever be about your own computer.
But the password reset path—that could be your fault. Is your email compromised? Could someone have intercepted a password reset email, changed your password, and deleted the email? How would you even know?
If you suspect your account has been stolen (not just that you're logged out, but that your old password no longer works), you should probably change your email password before changing your Facebook password.
Maybe you told someone your password!
Don't ever do that. Not for anyone. I make it a point to not know my wife's passwords, nor my kids'. If nobody but you knows the password, it makes figuring out what happened a lot easier, because it eliminates that entire set of possibilities.
This includes, by the way, writing down your password somewhere that someone might someday discover it. All my thousands of passwords are stored encrypted, not all in one place, not all protected by the same password. They do not appear in plaintext anywhere, especially not on scraps of paper!
Maybe your password was too easy!
Yeah, about that. The rules usually given about "uppercase, lowercase, digit, special character" are bogus—historical baggage that unfortunately lives on, despite updated NIST standards.
There are two things behind a secure password:
- It is long. The narrower the set of symbols involved, the longer it needs to be, but the key must be long. A long passphrase with some misspelling or unlikely word combinations is good.
- You can remember it—or how to get it.
The first prevents guessing.
The second removes the temptation for you to write it down somewhere it can be discovered.
No, my password is secure! It has to be something else!
Well...
You didn't reuse your password somewhere else, did you?
Not every site is careful with your password. Some don't do the full hashing I described above. Some do not do it at all and store it as plaintext.
I know this, because sometimes a site will send me an email with my plaintext password! That is beyond irresponsible—it is a danger to the community. A memorable case was the local high school's parent site a few years back.
No, I wouldn't do that!
OK, great. Let's look at what remains!
You—typing your password.
Remember, the original claim was that the DDOS attack was logging you out, to get you to do just that!
Well—now we're coming to a nugget of truth. Let's meet three villains.
Villain #1: Keyloggers
Let's say someone has the ability to watch your every keystroke. Stealing your password just means finding it in your typing stream while you are being monitored. Hold that thought a moment: we're going to look at how that can happen.
- You type on a keyboard. Your keyboard could be compromised.
- You type over USB. Your USB cable could be compromised. Yes, you can buy USB cables that allow just that!
- Your computer has a keylogger installed. Maybe a trojan program you downloaded. Perhaps a browser bug allowed a drive-by installation. Maybe your USB cable installed software when it connected!
- Maybe your browser has a keylogger installed, perhaps by a trojan, or maybe a rogue browser extension...
By far, the most likely case is a trojan.
Villain #2: Cross-site scripting (XSS)
Cross-site scripting refers to various ways scripts on one site can illegitimately cause actions on, or spy on activity at, unrelated sites.
Browsers are supposed to block them. Bugs are possible.
If you open a new tab and start up Facebook, no other site has a chance to be involved. But if you find a link that behaves strangely, taking you back to Facebook, beware. I can't suggest what to look for exactly—usually, it happens behind the scenes, and is exploiting a bug. Just remember, if you're suspicious, you can always start fresh.
Villain #3: Fake Facebook
An attacker may show you a page that looks like Facebook—but isn't. The strategy here is to look like Facebook—except you aren't logged in. Your first login attempt will likely fail—and then they'll send you to the real Facebook. But now they have your password.
Watch your browser bar. Make sure it really says it's Facebook, with the proper lock icon.
If you click a link and it asks you to log in, don't.
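The "watch your browser bar" rule, written out as an added check that is not part of the original post: a URL passes only if it is https and its parsed hostname is exactly one of the genuine hosts. The allow-list and the function name are assumptions; the sample URLs are constructed (the .test domain is reserved for examples and belongs to no one).

```python
from urllib.parse import urlsplit

# Hypothetical allow-list of genuine hosts (an assumption for this example);
# a real check would use the service's own published domains.
REAL_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}


def looks_like_real_facebook(url: str) -> tuple:
    """Return (ok, reason): ok only for https and a hostname that really is Facebook.

    Only the scheme and the parsed hostname count, so the words 'facebook.com'
    appearing in the path, before an '@', or inside a longer lookalike hostname
    do not help a page pass."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "not https, so no lock icon"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in REAL_HOSTS:
        return False, "hostname is %r, which is not Facebook" % host
    return True, "https and a genuine Facebook hostname"


# Constructed sample URLs; the only ones that pass are the first two.
SAMPLES = [
    "https://www.facebook.com/login",
    "https://www.facebook.com:443/login/",
    "http://www.facebook.com/login",
    "https://www.facebook.com.account-check.test/login",
    "https://www.facebook.com@account-check.test/login",
    "https://account-check.test/www.facebook.com/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        ok, why = looks_like_real_facebook(u)
        print("OK " if ok else "NO ", u, "-", why)
```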
So what ties these villains together?
They all are ways to get you to type your password in an environment they control.
The solution is: If Facebook asks you to log in, make sure it is really Facebook, and that nobody, human or otherwise, is watching over your shoulder.
So that's the nugget of truth here—ploys to get you to reveal your password by typing it are real.
So what about the "change your password" advice?
Well...if they're watching you type your password, they now have your old and new passwords. Maybe the old password is good somewhere else, too?
If you think you need to change your password, you should understand why first, and be sure you're not walking into a trap!
Then, when you've done your malware scan, opened a fresh tab, etc., go ahead and change your password. Definitely change it if you think it has been stolen. Just be careful it's not stolen again.
But what do I do if I get a warning like this?
Is it a link to the support site for the service in question?
If not, delete it. Check the official site for any warnings, and warn others not to forward rumors.
Some, like this one I think, are well-intentioned confusion. Others are deliberate disinformation.
Either way, you don't want to be part of the chain!
Thank you!