
Where are passwords stored in Facebook?

Facebook is one of the most popular social media platforms in the world, with over 2.9 billion monthly active users as of the third quarter of 2022. With so many users logging in every day, security and privacy are major concerns, especially when it comes to passwords.

How Does Facebook Store Passwords?

When you create a Facebook account and set a password, that password is not stored as you typed it. Instead, it is run through a password hashing algorithm, bcrypt, and only the resulting hash is kept in Facebook’s databases.

Bcrypt is an adaptive password hashing function that incorporates a salt to protect against rainbow table attacks. A salt is a random string of characters that is generated for each password and is combined with the password before it is hashed. This makes each password hash unique, even if two users have the same password.

The bcrypt hash, which carries its own salt and cost factor, is then stored in Facebook’s databases. When you enter your password to log in, Facebook combines it with the salt stored for your account, runs it through the same bcrypt algorithm, and compares the resulting hash to the stored one. If they match, you’re granted access. The plaintext password itself is never stored.

Why Password Hashing is More Secure

The main reason password hashing is more secure than storing passwords in plaintext is that the hash is one-way. If attackers gained access to the password database, they would see only these hashes and could not reverse them back into the original passwords; the most they could do is guess candidate passwords and hash each one to check for a match.

There are a few other advantages to password hashing algorithms like bcrypt:

  • Salting protects against rainbow table attacks. Rainbow tables are precomputed tables of password hashes that attackers use in place of brute forcing; a random per-password salt makes such tables useless.
  • Bcrypt is intentionally slow by design, making password cracking attempts slower.
  • The cost factor in bcrypt allows increasing computational complexity over time as computing power increases.

By using password hashing with salting, Facebook makes password cracking extremely difficult and expensive for potential attackers. Users’ actual plaintext passwords are never stored anywhere in Facebook’s systems.
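How a salted, adaptive password hash is stored, verified and later upgraded, covering both the bcrypt flow described above and the salting and cost-factor points in the list: this is an added example, not Facebook’s code. Because bcrypt is not in the Python standard library, `hashlib.pbkdf2_hmac` stands in as the slow salted hash; the record layout (cost, salt and digest together in one string) and the function names `hash_password`, `verify_password` and `needs_rehash` are this example’s own.

```python
import base64
import hashlib
import hmac
import os

# Stand-in for bcrypt (constructed example): PBKDF2-HMAC-SHA256 plays the slow,
# salted hash. As with bcrypt, cost is a log2 work factor: iterations = 2 ** cost,
# and the record is self-describing, so no separate salt table is needed.
ALGO = "pbkdf2-sha256"


def hash_password(password, cost=14, salt=None):
    """Return a record 'algo$cost$salt$digest' for storage in the user database.

    A fresh 16-byte random salt is drawn per call, so two users with the same
    password end up with different records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return "$".join([ALGO, str(cost),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_password(password, record):
    """Re-derive the hash with the salt and cost stored in the record and
    compare in constant time. The plaintext is never stored; only the hash is."""
    algo, cost, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** int(cost))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, target_cost):
    """True when a stored record's cost is below current policy: the cost factor
    can be raised over time, and the record is re-hashed on the next login."""
    return int(record.split("$")[1]) < target_cost


if __name__ == "__main__":
    alice = hash_password("correct horse", cost=12)
    bob = hash_password("correct horse", cost=12)
    print(alice != bob)                              # same password, different salts
    print(verify_password("correct horse", alice))   # True
    print(verify_password("wrong horse", alice))     # False
    print(needs_rehash(alice, 14))                   # True: policy raised from 12 to 14
```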

Where Else Might Passwords Be Stored?

While the hashed passwords exist only in Facebook’s databases, users’ passwords may be stored in other locations outside of Facebook’s control:

  • On the user’s device – Password manager apps and browser password storage will keep passwords on a user’s device.
  • In transmission – The password itself, not a hash, is sent to Facebook’s servers at login so it can be checked, and it can be intercepted if the connection is not protected by TLS.
  • With third-party apps – Any app that interfaces with Facebook could potentially store passwords.
  • In backups – Backups of a device may contain stored passwords.
  • In emails – Users sometimes email passwords to themselves.
  • Physically written down – Passwords users have written on paper for record keeping.

Facebook does not control or manage passwords outside of its own databases. Users are responsible for securing their passwords on their devices, in third-party apps, and on paper.

How Passwords Are Handled on Facebook’s Servers

Facebook utilizes a variety of security measures to protect password databases and servers:

  • Passwords are encrypted at rest – Hashes are protected when sitting in databases
  • Passwords are encrypted in transit – Connections use TLS for security
  • Access is restricted under the principle of least privilege – Only essential personnel can access the password hashes
  • Key management secures cryptographic keys – Keys use HSMs for protection
  • Auditing tracks all access – Unauthorized access raises alerts
  • Encryption protects backups – Backups are encrypted as well

By leveraging these controls, Facebook aims to minimize risks associated with password storage. The hashed passwords themselves have multiple layers of security wrapped around them.

How to Choose a Strong Facebook Password

While Facebook’s password infrastructure is robust against cracking attempts, a weak password can still potentially be guessed or brute forced. Here are some tips for choosing a strong Facebook password:

  • Use a minimum of 8 characters – Longer is better
  • Include uppercase and lowercase letters
  • Add numbers and symbols
  • Avoid personal info or common words and phrases
  • Consider using a passphrase for greater security
  • Use a unique password for every account
  • Use a password manager to generate and store passwords
  • Turn on 2FA for an extra layer of security

A strong, unique password along with two-factor authentication will keep your Facebook account secure. Periodic password changes are also a good practice. With billions of passwords to manage, Facebook takes password security very seriously.

Conclusion

Facebook stores salted bcrypt password hashes rather than the passwords themselves. This protects passwords in its databases by making them unreadable even if the database is accessed. Other security controls restrict access and provide encryption both at rest and in transit. While Facebook’s security measures are robust, users still need to practice good password hygiene by using strong, unique passwords for all accounts.