Facebook is actually quite security conscious, despite the naysayers. So much so that it is willing to buy stolen password dumps to help with password hygiene: it cross-references these hash lists against its own to see who is reusing what, and alerts users to potential security issues.
Facebook’ll check your password strength for you
Passwords should be treated like your underwear: changed often and kept (mostly) private. If one is no longer private because the hash values stored in a website's database have been stolen, you need to change it. Sometimes, out of laziness or plain forgetfulness, you may reuse the same password. After all, it's much easier to remember the same password for everything, right?
Facebook is buying up those black-market stolen hash databases and cross-referencing the hashes against the ones in its own database. If there's a match, Facebook can let you know that your password is not so secure. Apparently it even made accounts invisible until their owners fixed their passwords in 2013, following the Adobe password breach: some of its researchers mined the data for matches and then took matters into their own hands.
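To make the cross-referencing concrete, here is an added example (not Facebook's code, and not from the original post) of the two checks a site can run over a breach dump. The first is the direct case the post describes: both sides use the same unsalted hash, so leaked hashes can be intersected with the site's own. The second is the realistic case: the site stores salted PBKDF2 hashes, which cannot be compared hash-to-hash, so the leaked entries have to be available as plaintext (already cracked) and re-hashed under each matching user's own salt. All names, the hashing parameters and the sample dumps are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample breach data (not real credentials). In practice a dump
# may be unsalted hashes, cracked plaintexts, or a mix.
LEAKED_CREDENTIALS = [          # (email, plaintext) entries already cracked by others
    ("alice@example.com", "Summer2013!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
]

PBKDF2_ITERATIONS = 100_000     # assumed parameter for the site's own scheme


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, standing in for a legacy scheme shared by both sides."""
    return hashlib.sha1(password.encode()).hexdigest()


def match_unsalted(local_hashes: dict, leaked_hashes: set) -> set:
    """Case 1: same unsalted algorithm on both sides, so hashes match directly.

    local_hashes maps email -> unsalted hex digest; leaked_hashes is the set of
    hex digests from the dump. Returns the emails whose stored hash is in the dump.
    """
    return {email for email, digest in local_hashes.items() if digest in leaked_hashes}


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 as a stand-in for a modern password store."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_user_store(users) -> dict:
    """Constructed local account store: email -> (salt, digest)."""
    return {email: hash_password(pw) for email, pw in users}


def find_reused_passwords(user_store: dict, leaked) -> set:
    """Case 2: salted store, so each leaked plaintext is re-hashed under the
    salt of the matching account. Matching is keyed on email to keep the work
    proportional to the number of accounts that appear in the dump.
    """
    by_email = {}
    for email, pw in leaked:
        by_email.setdefault(email.lower(), set()).add(pw)

    flagged = set()
    for email, (salt, digest) in user_store.items():
        for pw in by_email.get(email.lower(), ()):
            if verify(pw, salt, digest):
                flagged.add(email)   # candidate for a forced reset / notification
                break
    return flagged


if __name__ == "__main__":
    store = build_user_store([
        ("alice@example.com", "Summer2013!"),      # reused the leaked password
        ("bob@example.com", "different-pass-42"),  # in the dump, but not reused
        ("dave@example.com", "hunter2"),           # not in the dump under his email
    ])
    print("salted store, reused:", find_reused_passwords(store, LEAKED_CREDENTIALS))
```

The email-keyed join in `find_reused_passwords` is a deliberate trade-off: re-hashing every leaked plaintext against every account would cost accounts x leaked entries PBKDF2 runs, which is exactly the cost the slow hash is designed to impose. It therefore misses dave, who uses a leaked password under a different email; catching that case needs either an unsalted comparison like `match_unsalted` or a check at login time, when the user's plaintext is briefly available to compare against a set of known-leaked hashes.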
It’s nice to see a company take its users’ security so seriously; this is a step above the usual treatment. Password hash databases do get stolen, unfortunately. The unfortunate side-effect of buying them is that it supports criminal enterprises. Is that even ethical? Do the ends truly justify the means in this case? It’s a contentious issue, but pre-emptive password security could prove quite helpful. It’s a circular issue, perhaps.