Cómo protegemos las contraseñas de los usuarios

Pinterest Engineering
6 min readbeginner
--
View Original

Overview

The article discusses how Pinterest protects user passwords through various techniques, including the detection of compromised credentials and the implementation of security measures for high-risk accounts. It highlights the importance of user education and proactive security measures to enhance account safety.

What You'll Learn

1

How to detect compromised user credentials using internal tools

2

Why integrating real-time password verification improves account security

3

How to implement user engagement strategies for high-risk accounts

Prerequisites & Requirements

  • Understanding of password security concepts
  • Familiarity with reCAPTCHA Enterprise API(optional)

Key Questions Answered

How does Pinterest detect compromised user credentials?
Pinterest uses a tool called Pinripper that ingests both user credentials and known compromised credentials to identify matches. This process involves checking email matches first, followed by bcrypt hash comparisons for passwords, ensuring that users with compromised credentials are flagged for risk assessment.
What measures does Pinterest take for high-risk accounts?
Pinterest implements programmatic protections for high-risk accounts, such as placing accounts in protected mode when suspicious activity is detected. This includes invalidating sessions and notifying users via email, which helps prevent unauthorized access.
How does the reCAPTCHA password verifier enhance security?
The integration of the reCAPTCHA password verifier allows Pinterest to check for compromised credentials in real-time during user interactions like login and password changes. This proactive approach helps to block the use of known compromised passwords immediately, enhancing overall account security.
What are the recommendations for users to improve password security?
Users are advised not to reuse passwords across different sites, utilize password managers, and enable two-factor authentication (2FA). These practices significantly enhance account security and protect against unauthorized access.

Key Statistics & Figures

Number of users protected programmatically daily
12,000
This number reflects the proactive measures taken by Pinterest to secure high-risk accounts daily.

Technologies & Tools

Security Tool
Recaptcha Enterprise
Used for real-time verification of compromised passwords during user interactions.
Storage
S3
Used to store identified user IDs with compromised credentials for further risk assessment.

Key Actionable Insights

1
Implement a system for detecting compromised credentials using tools like Pinripper.
This approach allows for proactive identification of users at risk, enabling timely interventions to secure accounts before any damage occurs.
2
Integrate real-time password verification APIs like reCAPTCHA to enhance user security.
By checking passwords against known compromised lists during user actions, you can prevent account breaches and improve user trust in your platform.
3
Educate users on the importance of unique passwords and the use of password managers.
User education is crucial in reducing the risk of account compromise, as many breaches occur due to weak password practices.

Common Pitfalls

1
Failing to educate users about the risks of password reuse can lead to increased account compromises.
Many users do not realize that using the same password across multiple sites makes them vulnerable to breaches. Providing guidance on password management can significantly reduce this risk.

Related Concepts

Password Security Best Practices
User Engagement Strategies
Credential Compromise Detection