• United States



Facebook stashing plain text passwords is a wake-up call to improve GRC

Mar 22, 20196 mins
Application SecurityData and Information SecurityIdentity and Access Management

Facebook storing hundreds of millions of user passwords in plain text demonstrates the urgent need for more effective governance, risk management and compliance at public companies.

As details emerged of how Facebook captured hundreds of millions of plain text passwords and stored them on internal company servers, my entire IT career flashed before my eyes. While it is criminal that there is apparently no adult supervision or oversight on what developers at Facebook can do with a user’s credentials when logging into their apps, they are certainly not alone in their handling of plain text passwords.

During my time as CEO at VeriClouds (a provider of identity threat intelligence that uses analytics on top a data lake of more than 10 billion compromised credentials) I was in a meeting with an executive of Twitter when he admitted to using a competitor’s service whereby his team received “dumps” of compromised credentials – yes ladies and gentlemen, in plain text. I can understand that being a normal and accepted practice a decade ago before the President of the United States started using his service. I am bewildered as to why any security officer worth his title would allow a practice to occur, let alone continue at a massive social media site such as Twitter.

While an identity and access management (IAM) architect at a previous employer in Silicon Valley, an incident was discovered where a developer had written a line of code that emailed himself any new passwords during the password reset for a specific named or shared account. This clever trick solved the problem often encountered by developers using shared accounts for testing and QA purposes where one developer would change a password and lock others out from using that account. Left to their own devices, developers care about convenience and low friction throughout the lifecycle of a software project.

Can developers be trusted with security?

In recent years, Agile development practices prevailed over traditional structured “waterfall” approaches that enabled software development organizations to deliver software features and updates incrementally faster than previously possible. Business application owners love Agile because they get new capabilities delivered faster which delights customers and wins the day.

Agile teams describe their operating style as “self-organized” and “self-managed” which explains how – with low friction and lack of planning – new capabilities can be quickly delivered. With few external inputs needed, a self-managed team will figure things out as they forge quality into software development through rapid iteration and continuous delivery. Requirements? Architecture? Design? Security by design? The Agile team can “fix that in the next iteration,” rather than planning for them up front.

Another popular approach in recent years is DevSecOps, a philosophy of integrating security practices into the development process. Realizing that leaving security as an afterthought was not a smart move, software engineering leaders calculated that automating security and IAM configurations programmatically into software deployments would address many of the security vulnerabilities found throughout infrastructure and code.

While collaborative approaches between application developers, security and operations is paramount to success as I wrote about in “3 ways to improve the security of identity and access management,” DevSecOps tends to be departmental in nature. It hasn’t yet demonstrated an ability to handle the complexities and interoperability challenges of different operating models, technology standards, reference architectures or cloud scale IAM and security platforms.

During a recent interview with Eve Maler, VP of Innovation and Emerging Technology at ForgeRock, Maler suggest that “What companies should be thinking about given the new rules [for data sharing and privacy standards] is robust consent and unifying privacy and consent architectures with authorization architectures to properly externalize authorization logic and really try and keep them clean.”

It is apparent, considering Facebook’s brazen attitudes and lack of concern around the leak of 87 million users data being improperly shared in the Cambridge Analytica scandal, or the 90 million Facebook users who were impacted by a breach of security tokens, that Zuck’s mantra of “move fast and break things” is valued above user privacy and security by design thinking. This incident of mishandling plain text passwords of hundreds of millions of users is no exception.

The non-compliant enterprise

Although Pedro Canahuati, Facebook VP Engineering, Security and Privacy downplayed the significance of this event, arguing that the issue was fixed and that passwords were never visible to anyone outside of Facebook, he appears to be tone deaf to the broader issue of missing oversight or that insiders can be a significant risk to the enterprise.

Canahuati continues that Facebook monitors users’ credentials and checks for cases of reuse or compromise against publicly posted databases of stolen credentials. Is it possible that the lack of competence, while doing something seemingly beneficial to the end user, could do more harm than good to users and the business?

In addition to not following best practices such as privacy by design, Facebook or any other organization with similar practices fail to comply with regulatory frameworks (E.g. SOX) by not enforcing separation of duties, a common practice that should have prevented developers and engineers from accessing production systems and data. As the cost and frequency of data breaches continues to skyrocket, boards and executives will demand better solutions and new regulations such as GDPR and the California Consumer Privacy Act of 2018 will require it.

A wake-up call for GRC driven business transformation

Analyzing risks and monitoring controls across the enterprise is a challenge for most organizations. Governance, risk management and compliance (GRC) is a critical management layer that can help make IAM more effective, enable compliance proof and the business to scale safely. According to think tank OCEG, GRC is “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.” Agile and DevSecOps are clearly not the solution that will help an organization mature an ‘integrated collection of capabilities’ or that will ensure compliance and reward ethical behaviors among the rank and file.

Organizations that invest in and make GRC a top priority can be sure that line of sight is maintained on the effectiveness of detective and preventative controls. Organizations that take privacy by design seriously will be proactive instead of reactive and choose privacy as the default setting.

For those reasons, cybersecurity continues to be a massive opportunity for management, not a technical problem. Indeed, most data breaches today are preventable, and they highlight the need for bold leadership, improved mindsets and increased risk awareness; no organization will go unscathed without having a risk-informed, security first mindset.


Steve is obsessed with helping transform business by building trust, reducing operational risk and improving user experiences with modern identity & access management. Founder & President of Forte Advisory, he has been a member of the IAM community for 18+ years with a focus on program management, enterprise architecture, and operational excellence for the world’s largest companies in telecommunications, financial services, high tech and Big 4 consulting.

Steve was formerly CEO of VeriClouds and a Director of Cybersecurity & Privacy at PwC. Prior to PwC, he was the head of IAM at VMware (one of the four largest enterprise software companies) where he designed and managed customer and partner facing systems. Prior to joining VMware, Steve was a consultant at Oracle where he led deployments for strategic accounts in the manufacturing and high tech sectors.

As an advisory board member, Steve has helped founders with the development of strategic relationships, business development, market and capital strategy, product design channel and sales strategies. Startups he has helped include Seattle based VeriClouds, and Palerra, the leading cloud access security broker and pioneer of the API-based CASB solution. (Palerra was acquired by Oracle in October, 2016.)

Steve is available for strategic consulting and private workshops at his clients offices throughout the US and Canada. You can reach Steve by clicking the envelope icon above.

The opinions expressed in this blog are those of Steve Tout and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.