Social Experiment - How to Get Facebook Passwords

28 Feb 2016 | ~3 minute read

So, around a week ago I wrote a rare Facebook post and decided to share it with my friends on Facebook. I deliberately posted this in such a way to see if I can find out how to get Facebook passwords from my friends. Honestly, I wasn’t expecting a great deal of success from the post, but boy was I wrong!

The Post

The post itself was an old but gold post that basically fools user into thinking that if they type their password into the comments section, then it will appear as a collection of stars, rather than the password in plain text. It goes something like this:

Did you know that Facebook has this cool security feature that protects your password? Well it does!

If you type your password into a post, Facebook will show you your password, but everyone else will just see asterisks. Look, here’s my password:

****************

Try it yourself in the comments!

Obviously, Facebook can’t do this. If they did do this, it would mean that user passwords are not hashed when they’re stored, and it could also be easy to guess if a user’s password was an alphanumeric term. For example, if my password was “I love security” and I wrote a sentence that contained the phrase “I love security” in a post, Facebook would obfuscate that, and it would be relatively easy for others to guess my password from the context of the rest of my post.

So yeah, this doesn’t happen; and I honestly thought that in this day and age, people would be wise to this kind of scam and not fall for it. Let’s see then; I typed out the post, and threw it up on Facebook. I was monitoring closely, so if anyone did comment with their password, I could delete it straight away (so no one else saw it).

Fast forward 30 minutes, and I had 2 passwords. After an hour, I had 6! Yes, I got 6 legitimate passwords from my Facebook friends! I was astonished.

Stupidity Rules The Internet

Now, I think it’s important to say that I was responsible when doing this experiment. I contacted all 6 of these people straight away, and I told them I had their password and they should change it, which all of them did.

After that, I left a comment on the post, explaining what I had done, and told people not to post their passwords any more. It’s been a week now, and no one else has been stupid enough to post their password since.

Learning A Lesson

Lucky for me, everyone who posted their password saw the funny side of it, and I hope they learnt something from the experience (better me than some random page on Facebook). People are too quick to trust on the Internet, even after all the stuff we read about scams, virus’, malware, and a whole host of nasty’s – people still fall for this crap.

The point of the post was to show people how easy this stuff is. I know the 6 people who gave me their passwords learnt a lesson, and I hope others did as well. It does make me wonder though, if I had left the post up without an explanation, how many password I would have managed to capture?

All in all, if you want to know how to get Facebook passwords, the answers is – it’s easier than you think. Unfortunately. Please be more vigilant, people!

• Security