Facebook’s Password Reset Feature is Broken

Earlier today, a friend contacted me through Twitter because her Facebook account had been hacked and was spamming some of her friends. Apparently, the Two Free Southwest Airline Tickets scam is still making the rounds, and her account was among the casualties.

I’ve been through this process once before with a former coworker, so I was ready to go with the Facebook Help Center write-up on resetting your password, as well as the Identify Your Account link that lets you reset your password with either your email account on file or with the help of a friend.


For anyone who hasn’t been through the process, it’s pretty straightforward:

  1. Enter your identifying information
  2. Enter the confirmation code they send to your email
  3. Enter a new password

Normally, this would do the trick, but Facebook also wants you to identify the people you tagged in recent photos as an extra security measure. Here’s where it gets ugly…

The Southwest scam posts images to your profile page and tags your friends without your knowledge. When the account recovery feature presents you with these images, it asks you to confirm who you tagged in these images. The only problem is, you have no idea since you didn’t tag anyone!

You can’t view your profile at this point, since Facebook hides your compromised profile from everyone until you’ve successfully recovered your account. That means there’s no way to see the images that the spam tagged on your behalf. If you don’t answer the tagging questions correctly, not only does Facebook prohibit you from logging into your account, but it prohibits you from even trying to recover your password for the next 24 hours.


Let’s put this in perspective here. According to the Unified Compliance Framework:

  • Healthcare and Life Science Guidance recommends a 15 minute lockout
  • Payment Card Guidance recommends a 30 minute lockout
  • DISA (Defense Information Systems Agency) recommends a 60 minute lockout

So healthcare data, credit card data, and national defense data are protected if an account is locked out for 1 hour, but Facebook thinks that pictures of what you had for breakfast and comments about your new year’s resolutions need to be protected by a 24 hour lockout? Seriously, Facebook? SERIOUSLY?

The kicker of all this is that Facebook’s password reset function expects users to view recently posted photos to determine who the user tagged. If Facebook’s logic were to look as far back as, say, three days… just THREE DAYS… wouldn’t that be a more reasonable control than to rely on information that was just posted to a recently compromised account?
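To make the two suggestions above concrete (the lookback window here, and the shorter lockouts in the list above), here is an added example of my own, not Facebook's code: a tag challenge that ignores any tag made inside a three-day lookback, and a bounded lockout instead of a 24-hour one. The TagEvent model, the sample tags and the time windows are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class TagEvent:
    """One 'this account tagged a friend in a photo' record (assumed data model)."""
    photo_id: str
    tagged_friend: str
    tagged_at: datetime

def select_challenge_photos(tags, now, lookback=timedelta(days=3), min_photos=3):
    """Pick photos for a 'who did you tag?' challenge, skipping every tag made
    inside the lookback window: on a freshly compromised account those tags
    were probably created by the spam, not by the owner.  Returns a mapping of
    photo_id -> set of tagged friends, or None when too few older photos exist,
    so the caller can fall back to another factor instead of asking questions
    the real owner cannot answer."""
    cutoff = now - lookback
    eligible = {}
    for tag in tags:
        if tag.tagged_at < cutoff:
            eligible.setdefault(tag.photo_id, set()).add(tag.tagged_friend)
    return eligible if len(eligible) >= min_photos else None

def recovery_allowed(failed_attempts, last_failure, now,
                     max_failures=3, lockout=timedelta(minutes=60)):
    """Bounded lockout: after max_failures wrong answers, wait `lockout`
    (60 minutes here, the upper end of the guidance quoted above) rather
    than 24 hours.  Guessing the challenge answers is still throttled."""
    if failed_attempts < max_failures:
        return True
    return now - last_failure >= lockout

# Constructed sample: three old tags made by the owner, plus a burst of spam
# tags made the day before the recovery attempt.
NOW = datetime(2012, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_TAGS = [
    TagEvent("p1", "alice", datetime(2011, 12, 1, tzinfo=timezone.utc)),
    TagEvent("p2", "bob", datetime(2011, 11, 15, tzinfo=timezone.utc)),
    TagEvent("p3", "carol", datetime(2011, 12, 20, tzinfo=timezone.utc)),
    TagEvent("p9", "dave", NOW - timedelta(days=1)),   # spam tag
    TagEvent("p9", "erin", NOW - timedelta(days=1)),   # spam tag
]

if __name__ == "__main__":
    print(select_challenge_photos(SAMPLE_TAGS, NOW))   # p1, p2, p3 only; p9 excluded
    print(recovery_allowed(3, NOW - timedelta(minutes=30), NOW))  # False
```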

I hate security controls that are so oppressive that they do more harm than good, and it looks like Facebook may be my new front-runner for the Unnecessarily Oppressive Security Controls award. If I were a Facebook shareholder, I’d be even more upset that Facebook’s security controls are keeping legitimate users locked out of their own accounts. No users = no ad revenue.

