Facebook Master Password Was "Chuck Norris" 319

I Don't Believe in Imaginary Property writes "A Facebook employee has given a tell-all interview with some very interesting things about Facebook's internals. Especially interesting are all the things relating to Facebook privacy. Basically, you don't have any. Nearly everything you've ever done on the site is recorded into a database. While they fire employees for snooping, more than a few have done it. There's an internal system to let them log into anyone's profile, though they have to be able to defend their reason for doing so. And they used to have a master password that could log into any Facebook profile: 'Chuck Norris.' Bruce Schneier might be jealous of that one."


This discussion has been archived. No new comments can be posted.

  • Re:TFA accuracy? (Score:3, Interesting)

    by kevinNCSU ( 1531307 ) on Thursday January 21, 2010 @04:17PM (#30850416)
    Go to the live news feed, scroll to the bottom, and click "edit options". There you will see a "view recommended friends" button in the bottom left. This shows the list of your friends with "best friends" highlighted for you. I assume this list is built off how often you interact with these people, including how often you view their profiles.
  • Re:There's funny... (Score:4, Interesting)

    by kevinNCSU ( 1531307 ) on Thursday January 21, 2010 @04:19PM (#30850452)
    It's probably worth noting that it could only be used from Facebook's internal network. Not that it wasn't still a risk to privacy, but not quite as bad as it sounds at first pass.
  • Re:There's funny... (Score:3, Interesting)

    by mea37 ( 1201159 ) on Thursday January 21, 2010 @04:23PM (#30850500)

    Yeah, that's why you should probably not rely on the summary to be accurate.

    1. The password was not 'Chuck Norris'. It was a combination of letters, numbers, and symbols that, were you to see them typed out, would "look like" it said Chuck Norris. Like maybe they replaced the o with a zero, or a *, or something else. Maybe the N was an N, an n, a series of symbols like /\/... no idea.

      In other words, they used a lengthy password (presumably at least 11 characters) with a mix of alphanumerics and symbols and a simple mnemonic that would allow anyone who had seen the password to remember it. That sounds pretty damned good to me.

    2. This is a deprecated access mechanism. As the service grew up to be a "site with hundreds of millions of users", they got rid of it. I don't mean they changed the password; they threw out the ability to use such a password entirely, having replaced it with an audited feature of the app when viewed on their internal network.
    3. Even when this password worked, you had to be on their network to use it. It filled an administrative and technical need. The only problem I see with this approach, especially when the site was small and didn't know how big it would be, was that they apparently didn't have much control to prevent an employee from stumbling on the password.

    I have a dim view of the "privacy" of information on FaceBook, but this story isn't even a blip on that radar. If you don't already know that information you post to a social networking site is available to the company that runs that site, you need to wake up.

  • Re:There's funny... (Score:3, Interesting)

    by ThinkingInBinary ( 899485 ) <thinkinginbinary ... AGOom minus city> on Thursday January 21, 2010 @04:24PM (#30850522) Homepage

    It's pretty normal for support personnel to have access to production systems in order to provide support.

    Yes, but this is a childishly simple and unaccountable way to provide said access. Their current system (described in the article) where you hit "Switch login", you have to justify your action, and it is logged, is much better, although I hope it is restricted only to employees who have an active need to switch to other users' profiles, and approved beforehand for anyone else who needs to use it.
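
The contrast drawn in the comments above, between a shared master password and a "Switch login" that demands a justification and is logged, sketched as an added example (not code from the article, Facebook, or any commenter). The network range, staff list, password value, minimum reason length and the hash-chained log are all assumptions made for illustration; the thread only says the newer mechanism is audited and limited to the internal network.

```python
import hashlib, hmac, ipaddress, json

# Constructed values for illustration only (assumptions, not from the article).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SUPPORT_STAFF = {"alice"}                  # employees approved to switch logins
MASTER_PASSWORD = "example-shared-secret"  # placeholder, not the real password

def legacy_login(target_user, password, source_ip):
    """Shared master password: works for any account, records nothing about who used it."""
    if ipaddress.ip_address(source_ip) not in INTERNAL_NET:
        return False
    return hmac.compare_digest(password.encode(), MASTER_PASSWORD.encode())

class AuditLog:
    """Append-only log; each entry stores the hash of the previous entry."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, record):
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "record": record,
                             "hash": self._digest(prev, record)})

    def verify(self):
        """Return False if any entry was altered or removed after being written."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def switch_login(log, employee, target_user, reason, source_ip):
    """Per-employee impersonation: every attempt, allowed or denied, is logged."""
    if ipaddress.ip_address(source_ip) not in INTERNAL_NET:
        decision = "deny:external-network"
    elif employee not in SUPPORT_STAFF:
        decision = "deny:not-authorized"
    elif len(reason.strip()) < 10:
        decision = "deny:no-justification"
    else:
        decision = "allow"
    log.append({"employee": employee, "target": target_user, "reason": reason,
                "ip": source_ip, "decision": decision})
    return decision == "allow"
```

The legacy path cannot say which employee opened which profile, while the second path ties each access to a named employee and a stated reason that a reviewer can later question.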

  • by gad_zuki! ( 70830 ) on Thursday January 21, 2010 @06:04PM (#30852480)

    >Wow, I just figured out a new feature on Slashdot! You can type in, "U:username and P:password," and it will replace your password with stars.

    They must have implemented a time machine because that joke is older than I am.

  • Re:Chuck Norris... (Score:3, Interesting)

    by Dahamma ( 304068 ) on Thursday January 21, 2010 @07:11PM (#30853608)

    Chuck Norris doesn't need a password, because when it's the real Chuck Norris - you just know.
