How We Protect Pinners’ Passwords

Yuru Shao | Software Engineer

Aalaa Satti | Software Engineer

Amine Kamel | Head of Production Security

At Pinterest, one method by which we ensure account security is through protecting Pinners’ passwords. Passwords can be problematic for a variety of reasons, including the fact that people tend to reuse their passwords, choose ones that are easy to remember, and share either the details that make up their passwords or their actual passwords with others. It is therefore no small feat to work against these issues to provide a secure, enjoyable Pinterest experience. In this post, we will dive into a few of the techniques we employ in order to accomplish this.

Active Detection of Compromised Credentials

Over the years, a number of websites have leaked user credentials, which enables credential stuffing attacks. Protecting Pinner accounts through passwords involves identifying the most vulnerable users — those with compromised credentials. This is achieved by incorporating offline datasets and real-time checks to detect Pinner accounts with compromised credentials. Figure 1 illustrates our overall approach.

We have an offline pipeline that detects users with compromised credentials on a daily basis. We also use Google’s reCAPTCHA Enterprise Password Check to flag compromised credentials on the fly.
Figure 1. Detecting compromised credentials and flagging high-risk users

Offline Datasets

Pinripper is our internally developed tool that aids in detecting Pinterest users who have compromised credentials. It works by ingesting records of both Pinterest user credentials as well as known compromised credentials and then attempts to find a user match between the two. A properly identified match is first based on an email match and then a match between the bcrypt hashes for the passwords of those email matches. Pinripper then uploads the IDs of those identified Pinners to an S3 bucket where Pinlater — our asynchronous job scheduling service at Pinterest — flags them for a risk assessment.

reCAPTCHA Password Check

The integration of the offline datasets greatly helps us detect high-risk users. However, the major limitation is that we cannot leverage user actions in real time for those using a leaked/breached password in the first place. To address this, we have integrated Google’s reCAPTCHA Enterprise Password Check API to determine on the fly Pinners with compromised credentials. The integration covers user flows including login, signup, password change, and password reset. An example of how we leverage user engagement using this feature is through blocking password reset and password change with known compromised credentials. Similar to the offline approach, we take these results into account and update the user database to flag these so-called high-risk users.

Protection of High-Risk Accounts

In addition to detecting high-risk Pinner accounts, we also provide specific protections to those Pinners with known high-risk accounts.

Programmatic Protections

With our Trust & Safety team, we have implemented rules that automatically protect high-risk users when suspicious activities are identified in order to limit account takeovers (ATOs). For example, if a high-risk user account logs in from a new device unknown to us, we immediately put the account in protected mode, invalidate all user sessions, and send out an email notification. As shown in Figure 2, we programmatically protected over 12,000 users every day in February 2021. The number keeps decreasing as more users have adopted Engagement Protections.

As the number of high-risk users keeps decreasing due to our user engagements and protections, the number of programmatically protected accounts is also going down. Spikes were caused by the integration of new signals.
Figure 2. Number of accounts protected programmatically

Engagement Protections

We also provide specific engagement protections to those Pinners with known high-risk accounts. This is done while minimizing friction and optimizing user experience. Instead of forcing all Pinners with high-risk accounts to update their passwords, we trigger only these specific Pinners into a particular “experience” upon login. Depending on the platform they’re logging in from and as long as we’re confident they are the true owner of their account, high-risk users will experience a type of banner over their home feed prompting them to protect their account.

Figure 3 shows how user engagement works. When a Pinner visits their home feed, we check if they are flagged as a high-risk user. If so, either a security modal (as depicted in Figure 4a) or a security prompt (as depicted in Figure 4b) is displayed. A Pinner can choose to change their password or connect to their social media account. If they choose to protect their account through signing in via single sign-on (SSO) providers, we disable their Pinterest password and in the future they can use their Google/Facebook session to log in.

When users visit the homefeed we trigger the flow of high-risk user protection modal. High-risk users can choose to change their password, or connect to Google/Facebook as the SSO provider.
Figure 3. Leveraging user engagement to protect account
Our security modal on web provides high-risk users the options for changing password immediately or configuring Google/Facebook as the SSO provider.
Figure 4a. Security modal on web
Our security nag on mobile reminds high-risk users to update their password with one tap.
Figure 4b. Security prompt on mobile

We saw a huge increase in the number of Pinners taking actions after we shipped the security modal on the web, as shown in Figure 5. This is clear evidence that Pinners are willing to engage in protections.

We shipped an updated version of security modal/nag to our client platforms and saw a huge increase in the number of users engaging in protections.
Figure 5. Number of users engaged in protections

Chrome Password Protection

Chrome released new password protection features in January 2021. We immediately took action to make sure our product was compatible. Specifically, Chrome flags compromised passwords, as well as weak passwords users have stored, and redirects users to that site’s password change pages. In our case, depending on whether a Pinner has been logged in or not, they will be redirected to either the change or reset password page.

Lessons Learned

With the rising prevalence of data breaches and the sophistication of password cracking tools, protecting your passwords is vital to your account security.

Our recommendations for users are:

  1. Don’t reuse passwords across different sites
  2. Use a password manager (also effective against phishing!)
  3. Enable two-factor authentication (2FA), preferably Fast IDentity Online (FIDO), for your sensitive accounts

If you are a security practitioner, it’s highly recommended to:

  1. Perform active detection of compromised credentials for your users
  2. Motivate your users (encourage them to use a stronger password, suggest them to turn on 2FA, etc.) to improve their account security
  3. Take actions on suspicious account activities and proactively protect users

To learn more about engineering at Pinterest, check out the rest of our Engineering Blog, and visit our Pinterest Labs site. To view and apply to open opportunities, visit our Careers page.

--

--

--

Inventive engineers building the first visual discovery engine, 300 billion ideas and counting.

Recommended from Medium

Introducing the HRC20 Supported Harmony ONE Wallet

How To Secure Your Work like a Pro.

Payment Gateway for Gambling operators (pre-conclusions)

{UPDATE} Царство Слов Hack Free Resources Generator

Community Update — November/December

SPEX Forensics Algorithms Used to Solve Cold Cases

Sentinel: Protect yourself now!

Verida Q1 2022 Review

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Pinterest Engineering

Pinterest Engineering

https://medium.com/pinterest-engineering | Inventive engineers building the first visual discovery engine https://careers.pinterest.com/

More from Medium

3 Innovations While Unifying Pinterest’s Key-Value Storage

A diagram showing one set of users calling a single KVStore API, which interfaces with a single underlying Key Value storage engine architecture. This illustrates the relative simplicity compared to the previous image which showed multiple systems to choose from.

Becoming a GDE: a 360 ° Personal Growth Path

Event Processing Pipelines: Observing and Optimising (Part 2)

Data Feast — A Highly Scalable Feature Store at Dream11