Why is Facebook Asking Me to Reset My Password?
From time to time – and for some people, more often – you may log into Facebook and find a message preventing you from doing so. The message takes many forms, but the end result is the same: Facebook wants you to change your password.
This isn’t some misguided attempt at computer security. Facebook doesn’t want to deal with the overhead of forcing everyone to change their passwords on a regular basis, let alone the issues they’d have processing password resets over and over for people who forget. There’s even a growing wealth of research indicating that mandatory password resets are bad. They lead people to create lazy or simple passwords so they’re easy to remember, rather than creating strong passwords.
No, the problem is one with many causes. Facebook has detected some reason for them to be concerned about the security of your account. While they try to figure out what’s going on, they ask you to verify a login and reset your password, just in case.
For most users, this never happens. For some, it only happens in instances where your information has been compromised. For many, it happens due to apps, which I’ll discuss in a bit. Occasionally, it happens because of geographic quirks or software. More on those as well.
Regardless of why it happens, there’s nothing you can do to stop it, not really. Once Facebook asks you to change your password, you have to change it. It’s only when they’re forcing this change on you day after day after day that you have an issue you need to take care of first. I’ll bring up a few of those as we go as well.
Here are the most common reasons why you’re being asked to change your password, and what you can do about it.
You’re Accessing Facebook from Disparate Geographic Locations
Probably the number one cause of password reset requests is a change in geographic location. It’s usually a large jump, and usually one that doesn’t fit your normal movement pattern. Making a business trip across the country or to another country can cause it, though if you use Facebook on the plane or along the way, they’ll be able to track your movement and recognize that it’s actually you.
Generally, the actual problem is when you’re accessing your account from multiple geographic locations in too short an amount of time to have made the trip. If you’re using a tunnel to browse via your desktop at home and your phone abroad at the same time, it can cause issues. More likely, it’s someone compromising your account and accessing it from an unusual location. Banks have the same sort of protection, monitoring your travel habits and flagging anything out of the ordinary, which is why a sudden trip overseas might warrant talking to your bank ahead of time.
There’s no way to tell Facebook you’re on the move, so if you trip this flag while traveling, you’ll have to reset your password. Otherwise, consider either using Facebook along the way while you travel, so the movement is tracked, or leaving it alone entirely until you’re back. Either way can work.
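The velocity check described above, as an added illustration that is not Facebook’s code: consecutive logins are compared by great-circle distance and elapsed time, and any pair that would need faster-than-airliner travel is flagged. The sample log, coordinates and the 900 km/h ceiling are assumptions chosen for the demo.

```python
"""Impossible-travel check over a constructed login log.

Added illustration of the velocity check the article describes (two logins
too far apart for the time between them); it is not Facebook's code.
The sample events, coordinates and the 900 km/h ceiling are assumptions.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # about airliner cruising speed; faster is suspicious

# Constructed sample log: (user, UTC timestamp, latitude, longitude).
LOGINS = [
    ("alice", "2024-03-01T08:00:00", 40.71, -74.01),   # New York
    ("alice", "2024-03-01T18:30:00", 51.51, -0.13),    # London, 10.5 h later: a real flight
    ("bob", "2024-03-01T09:00:00", 47.61, -122.33),    # Seattle
    ("bob", "2024-03-01T09:20:00", 52.52, 13.40),      # Berlin, 20 min later: proxy or intruder
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def flag_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return {user: [(prev_ts, ts, implied_kmh), ...]} for consecutive logins
    that would require moving faster than max_kmh."""
    last, flags = {}, {}
    for user, ts, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        if user in last:
            pt, plat, plon = last[user]
            hours = (t - pt).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            if hours <= 0:
                # Same instant from two places (the double-sent click case) is infinite speed.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                shown = speed if speed == float("inf") else round(speed)
                flags.setdefault(user, []).append((pt.isoformat(), t.isoformat(), shown))
        last[user] = (t, lat, lon)
    return flags
```

The London login passes because 5,570 km in 10.5 hours is an ordinary flight; the Berlin login is flagged because nothing covers 8,100 km in 20 minutes.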
You’re Using Proxies or VPNs
This is the same issue as the above, but triggered by software. VPNs make your web traffic seem to originate from a VPN endpoint, rather than your own connection. Proxies route your traffic through numerous computers and make it look like it’s coming from its endpoint as well, with that endpoint often originating in another country entirely. If you’ve ever wondered why “U.S. Proxies” are more valuable than general proxy lists, that’s why.
Other software can cause this issue as well. Tor is a big one, since it’s essentially a chain of anonymizing proxies. Anything that makes it look as though you’re browsing from a location that isn’t your own, or isn’t within a reasonable distance of your own, can cause this kind of problem.
The solution here is basically just to stop using that routing or proxy for Facebook. Honestly, if you’re concerned enough about privacy to want to use Tor or a proxy list or a VPN, you probably shouldn’t be using Facebook at all. Facebook is tracking way more information about you than the average ISP, and is being more aggressive with using it to boot.
There Was a Technical Problem
In rare cases, a technical issue can cause a disparate geographic login and trigger the same flag. I’ve only seen this a couple of times. This is one example. In it, a misconfiguration on Microsoft’s side was double-sending the user’s clicks to reset his password, making it look like he was simultaneously trying to log in from his home location and from the location of a Microsoft server farm. The geographic check then caused Facebook to trip the flag immediately, forcing another reset.
This is pretty rare, though. I wouldn’t point to it as the cause of a password reset unless it’s something happening to you every time you log in, over and over. Even then, it’s more likely to be a shady app.
Someone is Attempting to Access Your Account (Or Already Has)
Now let’s move on to a cause that might be slightly more worth worrying about. It’s one thing to trigger a password reset by accessing your own account in a way you don’t normally access it, getting flagged for abnormal behavior in the process. It’s quite another thing when someone else is the one tripping that flag.
Now, someone else trying to access your account might not mean your account is compromised. Someone simply attempting to crack your password can make too many attempts in too short a span of time and get your account locked. Usually this just means you have to wait before you can log in, but now and then you may have to reset your password to get in.
The real risk here comes from someone accessing something like your email account. Imagine if someone hacks their way into your email. They then go to Facebook and hit the reset password button, which sends you an email, which they intercept and use to reset your password. Now you are effectively locked out of Facebook, and the usual recovery route is gone because they already control your email.
This kind of hacking-based identity theft is not uncommon, though it’s also more frequently going to target things like your bank account rather than your Facebook page. After all, these hackers are probably going to want money rather than a glimpse at your friends list or your private photos.
Usually, the password reset prompt comes when someone is trying to access your account and fails. If they succeed, it means they have your password or were able to reset it themselves. Sometimes, though, Facebook will detect signs of a compromised account and will lock it even some time after it was compromised. If the hacker was subtle about it, you might never know you’ve been hacked if you don’t check your access log.
I highly recommend checking Have I Been Pwned every few months. You can plug in an email address or a specific password to see if your password has been compromised. This will only cover wide-scale data breaches, not individual, targeted hacking, but it’s still worth checking. If one of your passwords has been compromised, change it anywhere you use it.
It’s worth noting that just because a password appears in a breach does not mean your account was breached, if it’s a common password. Something like “password123” shows up in those records over 100,000 times. It might not be attached to your accounts in any of those cases. Even so, it means it’s in a list of passwords someone can use to brute force an account, and you should change it regardless.
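An added, offline illustration of how the password check works without sending your password anywhere (this is not the article’s or Have I Been Pwned’s own code): the password is hashed with SHA-1, only the first five hex characters of the hash are sent, and the returned list of hash suffixes and counts is matched locally. The range response and its counts below are constructed for the demo; a real check would fetch https://api.pwnedpasswords.com/range/<prefix> instead of calling offline_fetch.

```python
"""Offline demonstration of the k-anonymity lookup used for password checks.

Added example, not the article's or Have I Been Pwned's code. Only the 5-char
hash prefix would leave the machine; matching happens locally on the suffixes.
"""
import hashlib


def sha1_prefix_suffix(password):
    """Uppercase hex SHA-1, split into the 5-char prefix sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines, the format the range endpoint returns."""
    seen = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        seen[suffix.upper()] = int(count)
    return seen


def breach_count(password, fetch_range):
    """Return how many times the password appears in the corpus (0 if absent).
    fetch_range(prefix) must return the response body for that 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample: a fake range response holding the suffix for "password123"
# with a made-up count, plus two unrelated, made-up suffixes.
_WEAK_PREFIX, _WEAK_SUFFIX = sha1_prefix_suffix("password123")
SAMPLE_RESPONSE = "\n".join([
    "0123456789ABCDEF0123456789ABCDEF012:1",
    f"{_WEAK_SUFFIX}:126927",
    "FEDCBA9876543210FEDCBA9876543210FED:3",
])


def offline_fetch(prefix):
    """Stand-in for the HTTP call: serves the constructed body for the demo prefix only."""
    return SAMPLE_RESPONSE if prefix == _WEAK_PREFIX else ""
```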
You’ve Been Using Insecure Apps
Facebook has had a lot of privacy and security issues over the last few years. One of the biggest, the Cambridge Analytica scandal, came about because it was discovered that certain otherwise-benign apps were harvesting large amounts of personal data from users who used the apps, and the firm behind it was selling and using that personal information.
Now, there’s nothing new about this. Harvesting and selling information is what many of these app companies do, especially free apps. Facebook does it themselves! The thing is, you’re technically giving all of these companies permission to use your information, by accepting a EULA or terms of use. Cambridge Analytica is in trouble because they didn’t receive permission, not because what they’re doing is wrong.
The fact is, many apps that used to meet proper security guidelines no longer meet those guidelines. Anyone who installed and used those apps is going to be asked to change their password when the app is detected. I recommend you audit your apps, too, but I’ll discuss that more at the end of this post.
You’ve Been Using Apps that Violate the ToS
Some apps perform functions that violate the Facebook terms of use, community guidelines, or API restrictions. Some of them don’t even use the API or the Facebook app platform, which makes them third-party apps and not Facebook apps.
This is common amongst apps that are aimed at growing a Facebook page for you. They perform actions the API doesn’t allow, so they drive your account directly rather than going through the API. They couldn’t get approved as Facebook apps, so they make you log in through them so they can take over.
These apps have unlimited access to your account, because you simply give them your password. Many do what they claim to do, even if that is against the terms of use. Facebook detects malicious activity – even when “malicious” just means rapidly following new accounts – and will lock a profile and request a password change. This is to prevent botnets from taking over accounts, but it also serves to prevent people from artificially growing their Facebook pages using one of these growth apps.
This most often happens with mobile phone apps, so make sure you remove any such Facebook-adjacent app from your phone before resetting your password. Otherwise, as soon as you run it again, you’ll trip the same flag and you’ll have to reset your password yet again.
Audit Your Apps
I highly recommend auditing your Facebook apps. Mobile phone apps too, but that’s easier. If an app is asking you to log in to your Facebook account, and it’s not using the OAuth authentication system Facebook uses, it’s probably stealing your information. Even if it does what it says it will do, and even if it’s not doing anything against the terms of use – two long shots in sequence – it’s still a compromise of your information.
At best, someone you don’t know has your password. At worst, they’ve made you part of a botnet and will mobilize your profile to promote fake news or spread viruses at the drop of a hat, as soon as they’re paid enough to do so.
I almost guarantee every one of you has encountered a friend or a friend of a friend sharing one of those fake Ray-Ban posts with some dumb URL, offering name-brand apparel at 10% of the usual cost. Those people are usually compromised by clicking and authorizing an app they shouldn’t have.
While clearing your mobile phone can take a hot minute, clearing your Facebook apps is a little harder. At least with your phone, you can just browse a list of all of the software on it. Facebook makes you dig into settings.
First, log into your Facebook account, changing your password if necessary to do so. Unfortunately, you can’t change your password to the old one when you’re done, so pick something you’ll remember. Use a password manager if you can, so you can use a secure password without needing to remember it.
Next, go to your settings menu. In the left sidebar you will see Apps and Websites. Click it and you will be presented with a list of apps and websites that are authorized to use your information. They fit into three categories: Active, Expired, and Removed.
Active apps are apps that can currently access your account, and are the ones most likely causing problems. Expired apps are apps that can no longer access your account, but could in the past. I recommend removing all of them. Removed is a historical list of apps you’ve removed, kept so you know if you’ve used an app that was compromised at some point.
I recommend removing any active apps that you don’t currently use. You can always authenticate again if you want to use them again. Expired apps aren’t a problem, but you can remove them all anyway.
Once you’re done there, click on the Instant Games and Business Integrations sections and do the same audit. These are other types of apps you may have used in the past, but have the same categories and the same concerns. Once done, be careful with any apps you choose to authenticate in the future.