How We Protect Pinners’ Passwords
Yuru Shao | Software Engineer
Aalaa Satti | Software Engineer
Amine Kamel | Head of Production Security
At Pinterest, one method by which we ensure account security is through protecting Pinners’ passwords. Passwords can be problematic for a variety of reasons, including the fact that people tend to reuse their passwords, choose ones that are easy to remember, and share either the details that make up their passwords or their actual passwords with others. It is therefore no small feat to work against these issues to provide a secure, enjoyable Pinterest experience. In this post, we will dive into a few of the techniques we employ in order to accomplish this.
Active Detection of Compromised Credentials
Over the years, many websites have leaked user credentials, and those leaked credentials fuel credential stuffing attacks. Protecting Pinner accounts therefore starts with identifying the most vulnerable users: those whose credentials are already known to be compromised. We do this with a combination of offline leaked-credential datasets and real-time checks. Figure 1 illustrates our overall approach.
Pinripper is our internally developed tool for detecting Pinterest users with compromised credentials. It ingests records of Pinterest user credentials alongside records of known compromised credentials and looks for matches between the two. A match is established in two steps: first the email addresses must match, and then the leaked password must match the account's stored bcrypt hash. Because bcrypt hashes are salted, that second step is a verification of the leaked password under the account's own salt and cost factor rather than a comparison of two hash strings (matching on email first also keeps the expensive bcrypt computation to the candidate rows that could actually match). Pinripper then uploads the IDs of the identified Pinners to an S3 bucket, where Pinlater, our asynchronous job scheduling service, picks them up and flags them for a risk assessment.
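The following is an added example of the email-first, verify-second matching just described; it is not Pinterest's Pinripper code. To stay runnable with only the Python standard library it stands in salted PBKDF2-HMAC-SHA256 for bcrypt (the matching logic is identical, only the verifier differs), and the user table and leak rows are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# Stand-in cost parameter. A real bcrypt hash carries its cost and salt inline.
ITERATIONS = 100_000


@dataclass(frozen=True)
class UserRecord:
    user_id: int
    email: str
    salt: bytes
    pw_hash: bytes


@dataclass(frozen=True)
class LeakRecord:
    email: str
    password: Optional[str]  # None when the dump only carried a hash we cannot verify


def normalize_email(email: str) -> str:
    # Leak dumps are messy: trailing whitespace and mixed case are common.
    return email.strip().lower()


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for bcrypt here; both are salted, so both need
    # the account's own salt to recompute the hash of a candidate password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(user_id: int, email: str, password: str) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(user_id, normalize_email(email), salt, hash_password(password, salt))


def verify(password: str, user: UserRecord) -> bool:
    # Constant-time comparison, as any password verifier should use.
    return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)


def find_compromised(users: Iterable[UserRecord], leaks: Iterable[LeakRecord]) -> Iterator[int]:
    """Yield the user_id of every account whose current password is in the leak set.

    Email match first: the expensive hash computation runs only for leak rows
    whose email maps to an account, never over the whole dump.
    """
    by_email = {u.email: u for u in users}
    seen = set()
    for leak in leaks:
        user = by_email.get(normalize_email(leak.email))
        if user is None or leak.password is None or user.user_id in seen:
            continue
        if verify(leak.password, user):
            seen.add(user.user_id)
            yield user.user_id


def demo() -> List[int]:
    """Constructed sample data: three accounts and five leak rows."""
    users = [
        make_user(1, "alice@example.com", "correct horse battery staple"),
        make_user(2, "bob@example.com", "hunter2"),
        make_user(3, "carol@example.com", "s3cret!"),
    ]
    leaks = [
        LeakRecord("Alice@Example.com ", "correct horse battery staple"),  # matches despite case/space
        LeakRecord("bob@example.com", "password123"),                      # same email, different password
        LeakRecord("carol@example.com", None),                             # dump only had a hash
        LeakRecord("dave@example.com", "s3cret!"),                         # no such account
        LeakRecord("alice@example.com", "correct horse battery staple"),   # duplicate row, reported once
    ]
    return list(find_compromised(users, leaks))


if __name__ == "__main__":
    print(demo())  # only user 1 is compromised
```

Only the row whose email and password both verify produces a hit; a leaked password for a different account, a dump entry that holds a hash rather than a plaintext, and an email with no account are all skipped without any hashing, and a duplicate row does not report the same user twice.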
reCAPTCHA Password Check
The integration of the offline datasets greatly helps us detect high-risk users. Its major limitation is timing: a dump is only useful once we have ingested it, so it cannot catch, at the moment it happens, a Pinner who logs in, signs up, or sets a password that is already known to be breached. To address this, we integrated Google’s reCAPTCHA Enterprise Password Check API to identify Pinners with compromised credentials on the fly. The integration covers the login, signup, password change, and password reset flows. For example, we block password reset and password change when the new password is a known compromised credential. As with the offline approach, we record these results in the user database to flag the affected accounts as high-risk.
Protection of High-Risk Accounts
In addition to detecting high-risk Pinner accounts, we provide specific protections for them.
With our Trust & Safety team, we have implemented rules that automatically protect high-risk users when suspicious activity is identified, in order to limit account takeovers (ATOs). For example, if a high-risk account logs in from a device we have not seen before, we immediately put the account in protected mode, invalidate all of its sessions, and send an email notification. As shown in Figure 2, we programmatically protected over 12,000 users every day in February 2021, and the number keeps decreasing as more users adopt Engagement Protections.
We also provide engagement protections for Pinners with known high-risk accounts, designed to minimize friction and preserve the user experience. Instead of forcing every high-risk Pinner to update their password, we route only those Pinners into a dedicated “experience” upon login. Depending on the platform they are logging in from, and as long as we are confident they are the true owner of the account, high-risk users see a banner over their home feed prompting them to protect their account.
Figure 3 shows how user engagement works. When a Pinner visits their home feed, we check whether they are flagged as a high-risk user. If so, either a security modal (Figure 4a) or a security prompt (Figure 4b) is displayed. The Pinner can choose to change their password or to connect a social media account. If they protect their account by signing in through a single sign-on (SSO) provider, we disable their Pinterest password, and from then on they log in with their Google or Facebook session.
We saw a large increase in the number of Pinners taking action after we shipped the security modal on the web, as shown in Figure 5. This is clear evidence that Pinners are willing to engage with protections when they are offered.
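The following is an added example, not Pinterest's code, that puts the three real-time rules above into one small policy engine: the real-time compromised-credential check on login, signup and password change, the new-device rule for high-risk accounts (protected mode, sessions invalidated, notification), and the engagement flow (home-feed prompt, password change, or SSO link that disables the password). The leak oracle is a hypothetical `is_compromised(email, password)` callback standing in for the reCAPTCHA Enterprise Password Check API; the account store, session store and email queue are in-memory stand-ins; and two behaviours are assumptions rather than statements from the post: a login that trips the new-device rule is refused, and a successful password change clears both the high-risk flag and protected mode (the reset that follows the notification email lands in the same function).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# (email, password) -> True when the pair is known to be compromised.
# Hypothetical stand-in for a real-time leak check such as the reCAPTCHA Password Check API.
LeakCheck = Callable[[str, str], bool]


@dataclass
class Account:
    email: str
    password: str                    # plaintext only to keep the example short
    high_risk: bool = False
    protected: bool = False          # "protected mode" after suspicious activity
    password_disabled: bool = False  # set once the Pinner switches to SSO
    known_devices: Set[str] = field(default_factory=set)


@dataclass
class RiskEngine:
    is_compromised: LeakCheck
    accounts: Dict[str, Account] = field(default_factory=dict)
    sessions: Dict[str, Set[str]] = field(default_factory=dict)  # email -> live session ids
    emails_sent: List[str] = field(default_factory=list)          # stand-in notification queue
    _next_session: int = 0

    def _start_session(self, email: str) -> str:
        self._next_session += 1
        sid = f"sess-{self._next_session}"
        self.sessions.setdefault(email, set()).add(sid)
        return sid

    def _protect(self, acct: Account, reason: str) -> None:
        # The ATO rule from the post: protected mode, invalidate every session, notify.
        acct.protected = True
        self.sessions.pop(acct.email, None)
        self.emails_sent.append(f"{acct.email}: account protected ({reason})")

    def signup(self, email: str, password: str, device_id: str) -> Account:
        # Signup is one of the flows covered by the real-time check.
        acct = Account(email, password, high_risk=self.is_compromised(email, password))
        acct.known_devices.add(device_id)
        self.accounts[email] = acct
        return acct

    def login(self, email: str, password: str, device_id: str) -> Optional[str]:
        """Return a session id, or None when the login is refused."""
        acct = self.accounts.get(email)
        if acct is None or acct.password_disabled or acct.protected or password != acct.password:
            return None
        if self.is_compromised(email, password):
            acct.high_risk = True  # real-time flag, same outcome as the offline path
        if acct.high_risk and device_id not in acct.known_devices:
            self._protect(acct, f"login from unknown device {device_id}")
            return None            # assumption: refuse until the owner recovers the account
        acct.known_devices.add(device_id)
        return self._start_session(email)

    def home_feed_prompt(self, email: str) -> Optional[str]:
        # Engagement flow: only flagged accounts see the modal/prompt.
        return "protect-your-account" if self.accounts[email].high_risk else None

    def change_password(self, email: str, new_password: str) -> bool:
        acct = self.accounts[email]
        if self.is_compromised(email, new_password):
            return False           # block: the new password is a known compromised credential
        acct.password = new_password
        acct.high_risk = acct.protected = False  # assumption: a clean new password restores the account
        return True

    def link_sso(self, email: str) -> None:
        # SSO protection from the post: the Pinterest password is disabled afterwards.
        acct = self.accounts[email]
        acct.password_disabled, acct.high_risk = True, False


def demo() -> dict:
    """Drive the engine with constructed accounts and a constructed leak set."""
    leaked = {("bob@example.com", "hunter2"), ("alice@example.com", "qwerty")}
    eng = RiskEngine(is_compromised=lambda e, p: (e, p) in leaked)
    eng.signup("alice@example.com", "good pass phrase", "phone")
    bob = eng.signup("bob@example.com", "hunter2", "laptop")  # leaked pair: flagged at signup
    out = {"bob_flagged_at_signup": bob.high_risk}
    out["bob_known_device"] = eng.login("bob@example.com", "hunter2", "laptop")  # allowed, then prompted
    out["bob_prompt"] = eng.home_feed_prompt("bob@example.com")
    out["bob_new_device"] = eng.login("bob@example.com", "hunter2", "tablet")    # ATO rule fires
    out["bob_protected"] = bob.protected
    out["bob_sessions_left"] = len(eng.sessions.get("bob@example.com", set()))
    out["emails_sent"] = len(eng.emails_sent)
    out["alice_prompt"] = eng.home_feed_prompt("alice@example.com")
    out["alice_change_to_leaked"] = eng.change_password("alice@example.com", "qwerty")
    out["bob_reset"] = eng.change_password("bob@example.com", "another strong phrase")
    out["bob_login_after_reset"] = eng.login("bob@example.com", "another strong phrase", "tablet")
    eng.link_sso("bob@example.com")
    out["bob_pw_login_after_sso"] = eng.login("bob@example.com", "another strong phrase", "tablet")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The run shows the ordering that matters in practice: a flagged account keeps working from a device we already know (and gets the prompt), the first login from an unknown device is what trips protection and wipes the existing session, a change to another leaked password is refused outright, and once the Pinner links SSO the password path stops working entirely.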
Chrome Password Protection
Chrome released new password protection features in January 2021, and we immediately made sure our product was compatible. Chrome flags stored passwords that are compromised or weak and sends the user to the site’s password change page (it locates that page through the site’s well-known change-password URL, /.well-known/change-password). In our case, a Pinner is redirected to either the change password page or the reset password page, depending on whether they are logged in.
With the rising prevalence of data breaches and the sophistication of password cracking tools, protecting your passwords is vital to your account security.
Our recommendations for users are:
- Don’t reuse passwords across different sites
- Use a password manager (also effective against phishing!)
- Enable two-factor authentication (2FA), preferably Fast IDentity Online (FIDO), for your sensitive accounts
If you are a security practitioner, it’s highly recommended to:
- Perform active detection of compromised credentials for your users
- Motivate your users to improve their account security (encourage them to choose a stronger password, suggest they turn on 2FA, etc.)
- Take actions on suspicious account activities and proactively protect users