Facebook Master Password Was "Chuck Norris" 319

Posted by samzenpus
from the ad-nauseum-roundhouse dept.
I Don't Believe in Imaginary Property writes "A Facebook employee has given a tell-all interview with some very interesting things about Facebook's internals. Especially interesting are all the things relating to Facebook privacy. Basically, you don't have any. Nearly everything you've ever done on the site is recorded into a database. While they fire employees for snooping, more than a few have done it. There's an internal system to let them log into anyone's profile, though they have to be able to defend their reason for doing so. And they used to have a master password that could log into any Facebook profile: 'Chuck Norris.' Bruce Schneier might be jealous of that one."

  • Chuck Norris... (Score:4, Insightful)

    by thewils (463314) on Thursday January 21, 2010 @03:57PM (#30850096) Journal

    doesn't need a password.

  • by DoofusOfDeath (636671) on Thursday January 21, 2010 @04:00PM (#30850132)

    It's not Facebook's fault: it's not like they actually set the master password to "Chuck Norris".

    The real WTF is that "Chuck Norris" works as a password into anything: Facebook, your online bank account, your sister's pants...

  • by Anonymous Coward on Thursday January 21, 2010 @04:01PM (#30850138)

    Like you need another reason?

    • by crazybit (918023)
      why does everything has to be black or white? Just be careful of what you write in profile (I only post when I want to drive traffic to some link), and don't friend people you don't/barely know. It is much safe to have a controlled profile than risking yourself to be subject of a fake profile.

      The problem are not the tools, but how people use/misuse them. If you are smart enough you can make this service (or any other service) work fine without exposing yourself. It's not like they are watching you from a s
  • SHOCKER (Score:5, Insightful)

    by Monkeedude1212 (1560403) on Thursday January 21, 2010 @04:01PM (#30850152) Journal

    Nearly everything you've ever done on the site is recorded into a database

    Considering nearly everything you ever do on Facebook is made public to either your friends or everybody - that's not shocking at all. The entire system is basically built around informing everybody of everything you do. You can't even perform an action without some app or another prompting you "Do you want to post this on your profile? YES/NO".

    And for those of you wondering, it's obvious what the new password is;

    The only man to have ever beaten Chuck Norris? Bruce Lee.

  • There's funny... (Score:3, Insightful)

    by DeadPixels (1391907) on Thursday January 21, 2010 @04:03PM (#30850176)
    There's funny, and then there's irresponsible. Having "Chuck Norris" as a master password that grants access to any account is most definitely the latter. I would expect that from a couple of teenagers running their first web server, not one of the most popular websites on the Internet.

    There is a time and a place for silly HTML comments or in-joke variable names, but a master password for a site with hundreds of millions of users is not one of them.
    • by coastal984 (847795) on Thursday January 21, 2010 @04:12PM (#30850330) Journal
      There's funny, and then there's irresponsible. Having "Chuck Norris" as a master password that grants access to any account is most definitely the latter. I would expect that from a couple of teenagers running their first web server, not one of the most popular websites on the Internet.

      But Facebook WAS a couple of teenagers running a web server (He was 19 when FB launched)... and it grew. Not that I don't disagree with it being irresponsible, I'm just saying...
    • Re:There's funny... (Score:5, Informative)

      by carvell (764574) on Thursday January 21, 2010 @04:16PM (#30850400) Homepage
      The default password only worked from the Facebook office on the Facebook ISP.
      • by Gordo_1 (256312)

        And as we know, no hacker has ever owned a system inside a company before.

        • Facebook is not NASA, a bank, or NSA. Security requirements for a database of profiles are not as stringent.
    • Re:There's funny... (Score:5, Informative)

      by Rary (566291) on Thursday January 21, 2010 @04:17PM (#30850402)

      There's funny, and then there's irresponsible. Having "Chuck Norris" as a master password that grants access to any account is most definitely the latter. I would expect that from a couple of teenagers running their first web server, not one of the most popular websites on the Internet.

      Despite what the summary and title say, the password was not "Chuck Norris". The password was a combination of uppercase letters, lowercase letters, numbers, and symbols that essentially spelled "Chuck Norris". In other words, probably something like "(hu(|<N0rr15". Also, it only worked from within the Facebook office, and was only known to certain individuals. It's not like you or I could have used the password from home to enter anyone's account.

      There is a time and a place for silly HTML comments or in-joke variable names, but a master password for a site with hundreds of millions of users is not one of them.

      It's pretty normal for support personnel to have access to production systems in order to provide support.

      • Re: (Score:3, Interesting)

        It's pretty normal for support personnel to have access to production systems in order to provide support.

        Yes, but this is a childishly simple and unaccountable way to provide said access. Their current system (described in the article) where you hit "Switch login", you have to justify your action, and it is logged, is much better, although I hope it is restricted only to employees who have an active need to switch to other users' profiles, and approved beforehand for anyone else who needs to use it.

        • Re: (Score:3, Insightful)

          by Rary (566291)

          Yes, but this is a childishly simple and unaccountable way to provide said access.

          Considering Facebook logs everything, I wouldn't describe this as "unaccountable". I'm sure it's not that difficult to track who did what and when. In fact, the interview discusses cases where people who abused it were tracked down and fired.

          It's not the best system, but that's exactly why they replaced it. It did the job for a while, then they introduced a better system. That's how things usually work.
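The "Switch login" tool described two comments up (justify the action, have it logged, restrict it to people who need it) and Rary's point that logging is what makes it accountable can be sketched in code. This is an added illustration, not Facebook's implementation: the role names, the minimum justification length and the sample employees are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import secrets

# Roles permitted to use the switch-login tool (assumed policy, not Facebook's).
IMPERSONATION_ROLES = {"support_tier2", "trust_and_safety"}


@dataclass
class AuditEvent:
    ts: str            # UTC timestamp of the switch
    actor: str         # employee who switched in
    target: str        # account that was entered
    justification: str # reason the employee had to give
    session_id: str    # ties later actions back to this event


@dataclass
class ImpersonationService:
    roles: dict                                 # employee -> set of roles
    log: list = field(default_factory=list)     # append-only audit trail

    def switch_login(self, actor, target, justification):
        """Issue an impersonation session id, or refuse without creating one."""
        if not IMPERSONATION_ROLES & self.roles.get(actor, set()):
            raise PermissionError(f"{actor} is not authorised to impersonate")
        if len(justification.strip()) < 10:
            raise ValueError("a meaningful justification is required")
        session_id = secrets.token_hex(8)       # unguessable per-use handle
        self.log.append(AuditEvent(
            ts=datetime.now(timezone.utc).isoformat(),
            actor=actor, target=target,
            justification=justification, session_id=session_id))
        return session_id

    def who_accessed(self, target):
        """Attribution query: which employees switched into `target`, and why."""
        return [(e.actor, e.justification) for e in self.log if e.target == target]


def demo():
    """Constructed scenario: one authorised support agent, one curious engineer."""
    svc = ImpersonationService(roles={"alice": {"support_tier2"},
                                      "bob": {"engineer"}})
    svc.switch_login("alice", "user123", "ticket 42: user reports missing photos")
    try:
        svc.switch_login("bob", "user123", "just curious about a celebrity")
        bob_denied = False
    except PermissionError:
        bob_denied = True
    return svc.who_accessed("user123"), bob_denied
```

Unlike a shared master password, every successful switch leaves a record naming the employee, so the "tracked down and fired" outcome in the interview becomes a log query rather than guesswork.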

      • by MarkRose (820682)

        (hu(|<N0rr15

        Wait a minute... that's the combination on my luggage!

      • by nilbog (732352)

        It's also worth noting that Facebook didn't have hundreds of millions of users when this was going down. They had MAYBE thousands.

      • It's pretty normal for support personnel to have access to production systems in order to provide support.

        Right. Every IT support job I've had, I've made it widely known within the company, "I can read your email." It's not "I want to read your email," or "I will read your email," but "I am able to read your email and I may have to under some weird circumstances. If there's any personal information that you're too embarrassed for me to know, don't put it in your work email."

        Ultimately we should all understand that email isn't completely secure unless you encrypt it. Your search habits aren't secure, and ne

    • Re:There's funny... (Score:5, Informative)

      by Ma8thew (861741) on Thursday January 21, 2010 @04:17PM (#30850412)
      RTFA. Firstly, it wasn't just "Chuck Norris", the interviewee didn't reveal the actual password, but suggested it included numbers and symbols. And secondly, it only worked within Facebook's internal network.
    • Re:There's funny... (Score:4, Interesting)

      by kevinNCSU (1531307) on Thursday January 21, 2010 @04:19PM (#30850452)
      It's probably worth noting that it could only be used from Facebook's internal network. Not that it wasn't still a risk to privacy, but not quite as bad as it sounds at first pass.
    • Re: (Score:3, Insightful)

      by Gudeldar (705128)
      That is a false dichotomy. It is both very irresponsible and funny.
    • Re: (Score:3, Interesting)

      by mea37 (1201159)

      Yeah, that's why you should probably not rely on the summary to be accurate.

      1. The password was not 'Chuck Norris'. It was a combination of letters, numbers, and symbols that, were you to see them typed out, would "look like" it said Chuck Norris. Like maybe they replaced the o with a zero, or a *, or something else. Maybe the N was an N, an n, a series of symbols like /\/... no idea.

        In other words, they used a lengthy password (presumably at least 11 characters) with a mix of alphanumerics and symbols and

    • RTFM...it's a good bit more complicated. Along with being deprecated sometime before now, the password was not just "Chuck Norris" but bore some resemblance to Chuck Norris including non-alphanumeric, numbers, different cases, etc. Maybe Chuck Norris wasn't a great source word, but I highly doubt from the description in the article there was any danger.

      I feel that overall, it's a pretty good way to come up with passwords. For instance, take your pets name and childhood phone number, replace some letters wit

      • by praxis (19962)

        and can easily be extended in length.

        Are there passwords that are difficult to extend in length?

        • by Zarf (5735)

          and can easily be extended in length.

          Are there passwords that are difficult to extend in length?

          Yes. "Chuck Norris" cannot be extended. It is long enough already.

        • Are there passwords that are difficult to extend in length?

          And continue being easy to memorize (which is what I meant)? Absolutely. Obviously one can literally make any style password longer...

          Memorize 10 characters of mixed case non-alphanumeric, numbers, etc. Completely random. Then extend to 20 completely random characters. 30. 40. It gets hard to remember!! Especially if you regularly deal with different passwords. I still remember a 14-character random password from a decade ago that I had to type most every day for months. On the other hand I've already forgot

  • TFA accuracy? (Score:4, Insightful)

    by carvell (764574) on Thursday January 21, 2010 @04:11PM (#30850308) Homepage
    Rumpus: When you say “click on somebody’s profile,” you mean you save our viewing history?

    Employee: That’s right. How do you think we know who your best friends are? But that’s public knowledge; we’ve explicitly stated that we record that. If you look in your type-ahead search, and you press “A,” or just one letter, a list of your best friends shows up. It’s no longer organized alphabetically, but by the person you interact with most, your “best friends,” or at least those whom we have concluded you are best friends with.


    This is rubbish, isn't it?

    I've just typed "a" into the search box and it comes up with an alphabetical list of contacts. The first one happens to be someone whose profile I don't think I've ever clicked on.
    • Re: (Score:3, Interesting)

      by kevinNCSU (1531307)
      Go to the live news feed, scroll to the bottom, and click "edit options" There you will see a "view recommended friends" button in the bottom left. This shows the list of your friends with "best friends" highlighted for you. I assume this list is built off how often you interact with these people, including how often you view their profiles.
      • by crossmr (957846)

        er no..
        I just tried that and it's highlighting almost everyone. Including people whose profiles I may have viewed once or twice as far back as 6 months ago, and maybe exchanged a wall post back a few months ago too. While a person whose profile I go to weekly isn't highlighted and another person I visit daily is.

    • by Anonymous Coward on Thursday January 21, 2010 @04:18PM (#30850428)
      You don't have any friends.
    • Think of someone in your friends list and search for them, and click through to their profile. Do it a few times, and at some point today or tomorrow you'll see them come up as the first result in a search.
  • by SoundGuyNoise (864550) on Thursday January 21, 2010 @04:14PM (#30850364) Homepage
    ...can actually type ******** into any system and login successfully.
  • by mi (197448) on Thursday January 21, 2010 @04:15PM (#30850380) Homepage

    I wonder, what it is now... "Angelina Jolie"? "Bruce Willis"?

    • by mea37 (1201159)

      It's a shame the summary doesn't somehow provide you with access to more detailed information on the topic, like an article or something. If it did, you could read that and find out that there is no longer a master password (or at least, so they claim), as they've replaced that concept with a newer admin tool.

      However, I disagree; in the context of FB, the idea of a master password is not scary.

    • something lame like "root".

    • by krou (1027572)
      They tried to change it, but once a password's been set to Chuck Norris, password changes just get fucked up.
    • J03 pisC0p0

      Like anyone's ever going to admit to using *that* as a password.

  • by nilbog (732352) on Thursday January 21, 2010 @04:15PM (#30850382) Homepage Journal

    At least the master password wasn't something weak like "Rick Moranis." By using Chuck Norris, you can tell Facebook was taking security seriously.

  • in fact, a little known subplot in the whole drama last week over china hacking into google email servers is that chinese intel knew the master password for gmail was "chuck norris"

    problem was, when the chinese spies typed chuck norris into the human rights activists' email logins, the password itself would jump off the computer screen, hit the spy with five roundhouse kicks to the face, then smash their keyboard into dust just by giving it a hard stare

    so the chinese government had no other choice but to hire hackers to break into the accounts. because even when they hired seven of the greatest kung fu masters and the most proficient in the eighteen arms of wushu in all of china to stand by while the spy logged in, plus jet li, plus jackie chan, and plus the reanimated cyborg admantium zombie of bruce lee, the chuck norris password still roundhouse kicked all of them into submission

    • by godrik (1287354)

      "problem was, when the chinese spies typed chuck norris into the human rights activists' email logins, the password itself would jump off the computer screen, hit the spy with five roundhouse kicks to the face, then smash their keyboard into dust just by giving it a hard stare"

        That's why we need hackers to be skilled in martial arts as in The Matrix!

  • by TheNinjaroach (878876) on Thursday January 21, 2010 @04:35PM (#30850674)
    We have a "magic" password for our internal website as well as our customer website. It's highly obscure and serves as a great tool for walking our customers through issues they have with the website, since it changes quite a bit depending on who they are. So I'm not really surprised Facebook has (had) a "magic" password, but I was pretty disappointed to read in the summary it was something as simple as "Chuck Norris." Then I read this:

    I’m not going to give you the exact password, but with upper and lower case, symbols, numbers, all of the above, it spelled out ‘Chuck Norris,’ more or less.

    Sounds like it was obscure enough to me. If a user just happened to be using that password they would have never known it was magic unless they thought to try it on another user id.

  • by palmerj3 (900866)
    doesn't sleep.... he stalks your facebook photos
  • Now its ... (Score:5, Funny)

    by PPH (736903) on Thursday January 21, 2010 @05:01PM (#30851220)
    ... Paris Hilton. So anyone can get in.
  • by ucblockhead (63650) on Thursday January 21, 2010 @05:21PM (#30851622) Homepage Journal

    Nearly everything you've ever done on the site is recorded into a database.

    Unlike slashdot, which writes everything in code on paper and has mute gnomes who it in a locked vault.

    Seriously, I expect this kind of idiocy from the AP, but I thought slashdot editors were supposed to be technical. Nearly every goddamn site stores user data in a database, and in nearly all these cases there are employees with the master passwords that allow them to see every damn thing. (Except, if you're lucky, the password.)

  • FTFA:

    I don't think there's any question that Stanford is the number one CS department in the world.

    Wow, there's so much question, it's ridiculous. According to US News and World Reports 2008 (the most recent I could find), it was tied with Berkeley and MIT for #1, and even that is being generous. For a while, it was Carnegie and MIT alternating between 1 and 2 every year. Perhaps she meant "the best entrepreneurial CS program".

  • by Explodicle (818405) on Friday January 22, 2010 @11:33AM (#30859842) Homepage
    will cause nearby monsters to flee.
