Bryan : Every Facebook employee had this password, and you just don’t know what they could/would do with it.

But the article clearly layout this.

Rumpus: This was accessible by any Facebook employee?

Employee: Technically, yes. But it was pretty much limited to the original engineers, who were basically the only people who knew about it. It wasn’t as if random people in Human Resources were using this password to log into profiles.

As well it is discussed how people were fired because of this. And later on they discuss how they reworked the system to add more tracking to it.

Employee: Right. But it’s no longer in use. Like I alluded to, we’ve cracked down on this lately, but it has been replaced by a pretty cool tool. If I visited your profile, for example, on our closed network, there’s a ‘switch login’ button. I literally just click it, explain why I’m logging in as you, click ‘OK,’ and I’m you. You can do it as long as you have an explanation, because you’d better be able to back it up. For example, if you’re investigating a compromised account, you have to actually be able to log into that account.

Rumpus: Are your managers really on your ass about it every time you log in as someone else?

Employee: No, but if it comes up, you’d better be able to justify it. Or you will be fired.

This stuff was discussed and addresses the privacy concerns you sited.

There is a whole other privacy portion to this that I’ve tried to start writing about here but this is already pretty long. May become a post another day – though not here as it’s not really creativity related

Plus as objective as people try to be, there are some that just can’t be that way. And if they have a password that can be used for vengeance or otherwise, they will.

It’s not the system, it’s the people. The faceless Facebook people.

http://therumpus.net/2010/01/conversations-about-the-internet-5-anonymous-facebook-employee/2/

The password wasn’t what you just wrote but actually a written with a form like 1337. This wouldn’t have been a simple brute force attack away from being broken. The real thing you have to realize, this was an internal only password. You had to be on Facebooks network to use it.

This is a pretty common occurrence and needs to be there when you are working with tons of accounts, especially of people that you can’t just go look off the screen of to see what’s wrong. You need to see what they are looking at exactly. By having this locked down to internal use only (by network not personnel) there was extremely minimal chance that this would have been found out or somehow compromised.

I swear, developers these days….

Humor aside, really? Twitter’s admin password was “password?” That just blows my mind.

Non-hacking related, I recently helped someone move their domain from one registrar to another and that was a giant nightmare. Whenever I put in a ticket about the issue I would get the auto response that they would get back to me in 24 hours. 2 support tickets and 32 hours later they resolved the issue on their end (with the second ticket as well saying 24 hours when really they didn’t fix it the first time instead of giving me direct access to someone to get it resolved with the first.) Luckily I had my own DNS server to move them to but they were still without email for 12 hours because of the issue. Namesecure is who the issue was with for those wondering.

I bring this up only that for most of us if something similar to Twitter happened to us there is a chance our site could be down for days while it gets addressed which sucks because it is 100% out of our control.

AG