User privacy and fake account detection

Nat

I've been thinking about bots and automation recently. People who automate and manage huge groups of social accounts normally buy their accounts from account creators. Most of these creators use randomly generated email addresses, usernames, and passwords. Seems like some usernames/emails are gibberish and some are more realistic (like CommonFirstCommonLast447474@). But, the passwords are almost always completely random like 4nfEI8&h6ynef. Passwords like this are something that 99.999% of real people would never use.

I'm not sure, but it seems like it would be very easy for social networks to notice this (without infringing on a user's privacy). Couldn't a network like FB or Insta notice a gibberish password connected with a (most likely) somewhat random looking brand new account? And then notice that the next activity on the account will often be a log-in from a new IP and a username change?

The probability of a random password + inactivity for x timespan + new IP + new username / lots of generic follows + a link added within a week of fresh activity seems like enough to insta-ban an account.
 
But, the passwords are almost always completely random like 4nfEI8&h6ynef.
Man I always use these types of passwords, and I'm sure many more people do too. A lot of password managers will have an inbuilt option to generate a password like that because it's incredibly hard to crack (both manually and by a computer).

I don't think they really have the resources to be analyzing passwords either. I mean if they were stored in plaintext they could, but let's be honest any serious social networking site isn't storing plaintext passwords. Couldn't imagine the resources required to decrypt 10,0000,000 passwords, analyse, repeat.

I agree with the email part though. When I have bought Facebook accounts, I've always gotten something like [abcdefghi123456@unknownemail.com]. The green and blue will always be randomly generated. Surely this sort of shit rings alarm bells with these big SN platforms?
 
@Michael we use these kinds of passwords, but I'd need someone to post a link to some big data analysis to convince me that even .1% of 'normal' social media users do this as well. And then couple that with a few other factors..

Social networks check passwords on registration because they reject weak passwords. Couldn't they add a tag to accounts with incredibly secure passwords without running the password through massive analysis? It doesn't take much computation power to note how many upper case, lower case, numbers, and special characters are in a password + look into the character ordering. This tag wouldn't need to hold a huge weight, but coupled with some other behavior sequences that are easy to tag, it seems like they could wipe out a huge % of spam accounts.
 
@Michael we use these kinds of passwords, but I'd need someone to post a link to some big data analysis to convince me that even .1% of 'normal' social media users do this as well. And then couple that with a few other factors..
That's true. Whenever a hacker dumps a database of passwords, the top ten are usually words like 'god123', 'iloveyou' and other easy shit.

Social networks check passwords on registration because they reject weak passwords. Couldn't they add a tag to accounts with incredibly secure passwords without running the password through massive analysis? It doesn't take much computation power to note how many upper case, lower case, numbers, and special characters are in a password + look into the character ordering. This tag wouldn't need to hold a huge weight, but coupled with some other behavior sequences that are easy to tag, it seems like they could wipe out a huge % of spam accounts.
Ah I thought you meant conduct mass analysis on all accounts that looked "really secure". That being said, aren't things like:
  • Checking user agents
  • Checking IP against known spamming IPs? Facebook have gotten good at this, they just autoban certain C-class IPs (personally tested with private proxies)
  • Browser fingerprints
  • Where the email was registered from (i.e. temporary emails)
More of a fair approach? I mean I don't think it's fair to tag me as a spammer if I use a strong password.

But to tag someone who posts a link within 30 minutes of creating their account as a spammer seems more fair.
 
Ah I thought you meant conduct mass analysis on all accounts that looked "really secure". That being said, aren't things like:
  • Checking user agents
  • Checking IP against known spamming IPs? Facebook have gotten good at this, they just autoban certain C-class IPs (personally tested with private proxies)
  • Browser fingerprints
  • Where the email was registered from (i.e. temporary emails)

I guess the main reason I started this thread is because it seems to me that social networks don't check for the conditions I posted in the OP, and they do check for most of the conditions that you posted as examples. I think a lot of sites already do check user-agents, IPs, and most sites won't even let you reg with a temp email.

I wouldn't be surprised in the least if big sites do check for all of these things -- which is why I'm surprised so many spammers are still getting away with it at such crazy rates.

More of a fair approach? I mean I don't think it's fair to tag me as a spammer if I use a strong password.

But to tag someone who posts a link within 30 minutes of creating their account as a spammer seems more fair.

In my imaginary system, I specified that
This tag wouldn't need to hold a huge weight, but coupled with some other behavior sequences
What I meant was, something like this... a tag would hold a weight between .99~ and {threshold}. When an account's weight is below a threshold, the account is banned.

For instance some tags:
incredibly secure password --> .8
(second || third) log-in is new IP --> .95
new IP log-in changes username && second log-in --> .78
new IP log-in changes username && 5th log-in > log-in--> .96
adds link before posting --> .97
follows > 800 && 7 days > account age --> .40
follows > 1,500 && 7 days > account age --> .15
log-in IP associated bans > 20 --> .2
Some kind of weight decay ~ Account age or + tags would increase an account's life.

So, in this system that I threw together in ~5 minutes, an account with generated pass + a second log-in with new IP that changes username + follows 801 people in 7 days would have a tag sum of .78 * .8 * .4 = 0.2496. If the {threshold} was .25 it would be banned.
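The weighted-tag scheme sketched above, worked through as an added example (this is not code from the thread or from any social network). The tag weights are the post's own numbers. The "incredibly secure password" check follows the earlier suggestion of counting character classes and looking at character ordering on the plaintext at registration, before hashing; the exact rule (length, number of classes, how often the class changes between neighbouring characters), the event layout and the age-decay helper are assumptions made for the example.

```python
"""Weighted-tag risk scoring for fresh accounts, after the thread's sketch.

Added example, not code from the forum or any platform. Weights are the
thread's illustrative numbers; rule layout and the password heuristic are
assumptions for demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Login:
    ip: str
    username_changed: bool = False


@dataclass
class Account:
    password: str            # only seen in plaintext at registration, before hashing
    age_days: int
    logins: list = field(default_factory=list)
    follows: int = 0
    link_added: bool = False
    posted_before_link: bool = False
    ip_ban_history: int = 0  # prior bans tied to the login IP (assumed feed)


def char_classes(pw):
    """Map each character to a class letter: l(ower), u(pper), d(igit), s(ymbol)."""
    out = []
    for c in pw:
        if c.islower():
            out.append("l")
        elif c.isupper():
            out.append("u")
        elif c.isdigit():
            out.append("d")
        else:
            out.append("s")
    return "".join(out)


def looks_generated(pw, min_len=12, min_switch_ratio=0.5):
    """Cheap composition check (assumed heuristic): generator output switches
    character class almost every character, while human passwords cluster
    (a word, then digits, then one symbol). Passphrases have too few classes
    to trip it at all."""
    cls = char_classes(pw)
    if len(cls) < min_len or len(set(cls)) < 3:
        return False
    switches = sum(1 for a, b in zip(cls, cls[1:]) if a != b)
    return switches / (len(cls) - 1) >= min_switch_ratio


def tags(acct):
    """Yield (name, weight) for every rule from the post that the account trips."""
    if looks_generated(acct.password):
        yield ("generated_password", 0.80)
    # Second or third login from an IP not seen before. The username-change
    # variant is more specific, so it replaces the generic .95 rather than
    # stacking with it (matches the post's worked example).
    for n in (1, 2):
        if len(acct.logins) > n:
            seen = {l.ip for l in acct.logins[:n]}
            login = acct.logins[n]
            if login.ip not in seen:
                if n == 1 and login.username_changed:
                    yield ("second_login_new_ip_renamed", 0.78)
                else:
                    yield ("early_login_new_ip", 0.95)
                break
    if acct.link_added and not acct.posted_before_link:
        yield ("link_before_posting", 0.97)
    if acct.age_days < 7:
        if acct.follows > 1500:
            yield ("mass_follow_1500", 0.15)
        elif acct.follows > 800:
            yield ("mass_follow_800", 0.40)
    if acct.ip_ban_history > 20:
        yield ("ip_ban_history", 0.20)


def score(acct):
    """Product of all tripped weights; 1.0 means nothing suspicious."""
    s = 1.0
    for _, w in tags(acct):
        s *= w
    return s


def aged_score(acct, half_life_days=30):
    """Assumed decay: the penalty (1 - score) halves every half_life_days,
    so an account that survives gets more slack over time."""
    penalty = 1.0 - score(acct)
    return 1.0 - penalty * 0.5 ** (acct.age_days / half_life_days)


def should_ban(acct, threshold=0.25):
    return score(acct) < threshold


if __name__ == "__main__":
    # Constructed sample: the post's own scenario, six days old.
    a = Account(password="4nfEI8&h6ynef", age_days=6,
                logins=[Login("203.0.113.5"), Login("198.51.100.7", username_changed=True)],
                follows=801)
    print(list(tags(a)), round(score(a), 4), should_ban(a))
```

Running the sample reproduces the post's arithmetic: the three tags multiply to 0.2496, which is under a .25 threshold. The passphrase case from later in the thread ("correct horse battery staple") is not flagged by the composition check because it only uses two character classes, which is the kind of false-positive control a weight of .8 needs if it is ever going to be combined with other signals.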
 
ALL my passwords are ridiculously long 60+ characters. Most smarter people tend to generate a password and just let the browser save the password. If you are locked out, reset the password, shouldn't be that difficult.

Secure passwords would never be used to detect fake accounts. Literally every system administrator and network admin WANTS users to use more secure passwords which they do not use on any other platforms. Everything else, sure, but passwords no. Also you have to realize when it comes to storing passwords you can analyze the password right before you encrypt it into the database since the data is sent in plaintext to the server (hopefully behind SSL) and save it into the system. So if you detect traditionally bad passwords like '123456', 'password' or others it wouldn't be that hard to reject it.

So, in this system that I threw together in ~5 minutes, an account with generated pass + a second log-in with new IP that changes username + follows 801 people in 7 days would have a tag sum of .78 * .8 * .4 = 0.2496. If the {threshold} was .25 it would be banned.
You are thinking way too in-depth on this. You just need an IP you've never used on that system and a new browser-agent and simply make sure to only use that IP with that browser agent and you can get past 99% of systems. Make sure you clear cookies obviously, I've caught tons of people cause they never bothered to clear cookies - shit is amazing.
 
ALL my passwords are ridiculously long 60+ characters. Most smarter people tend to generate a password and just let the browser save the password.
Don't you ever run into character limitations? I have mine at 20 characters since that is the most allowed from my experience.
 
Don't you ever run into character limitations?
Rarely. I would say 1 in 30 may not take the limit, but I dunno I am not generally creating accounts on social media and where the masses create accounts. I guess if I were it would be 1 in 10 ratio? I've got a script that allows me to select the character amount, I always default to 100 TBH. I said 60 so I don't look insane. :D
 
I'm a fan of random phrases as passwords. They're long and I can remember them.
[attached image: password_strength.png]
 
I'm a fan of random phrases as passwords. They're long and I can remember them.
But hopefully you aren't using them on more than one place at a time.

If let's say Yahoo got breached (like in 2012 or 2014 or 2015) and you used that same password on let's say Skype, then hackers would be able to login to your Skype and start sending baidu links to all your contacts (hence the reason for an uptick in compromised Skype accounts).

People using the same passwords on breached platforms are the #1 reason they get compromised on other platforms. Hackers buy the breached data then try the password for accounts at other places. Using a random password on each platform stops that problem in case the platform gets breached - they don't get access to lots more stuff.
 
But hopefully you aren't using them on more than one place at a time.

I had been guilty of doing this with older accounts. I forget when Yahoo acquired Flickr so I had to go back and double check if I had repeated that password when I found out about the last breach.

Do you use a password manager? I've been using KeePass on my desktop; while phrases are easier to remember, I still don't want to have to do it.
 
Do you use a password manager? I've been using keepass on my desktop, wh
No, I just use the built in browser one. I wouldn't use anything cloud based or 3rd party - they add a new potential threat. Only way to gain access should be physical, and if you have physical access to my devices, I am already dead and give zero fucks.
 