Help! My Facebook account has been hacked!

Well…maybe not. Let’s look a little closer.

First things first, CHANGE YOUR PASSWORD!!! A good password is at least 8 characters long (longer is better) and has at least one uppercase letter, one lowercase letter, one number, and one symbol. Why am I such a stickler for secure passwords? Let’s do the math. There are 26 letters in the alphabet…that is 26 uppercase letters and 26 lowercase letters. There are 10 numbers. There are at least 18 symbols that are easy to create with a 104-key keyboard.

So that means:

  • An 8 character password that uses lowercase letters only has 26^8 possible password combinations. 26 to the 8th power = 208,827,064,576.
  • An 8 character password that uses uppercase AND lowercase letters only has 52^8 possible password combinations. 52 to the 8th power = 53,459,728,531,456.
  • An 8 character password that uses uppercase letters, lowercase letters, and numbers has 62^8 possible password combinations. 62 to the 8th power = 218,340,105,584,896.
  • An 8 character password that uses uppercase letters, lowercase letters, numbers, and up to 18 symbols has 80^8 possible password combinations. 80 to the 8th power = 1,677,721,600,000,000.

Which level of protection would you rather have protecting your Facebook account (not to mention your email, other social media, medical, and banking accounts)?

On a modern computer, it takes about 0.0017 milliseconds to compute a hash. This translates to about 1.7*10^-6 seconds per password or 588,235 passwords per second. There are options that could make the operation faster.

Let’s do some more math:

  • 8 character, lowercase letters only would take approximately 2 days to run through all the combinations.
  • 8 character, upper and lowercase letters would take approximately 1.44 years to run through all the combinations.
  • 8 character, upper and lowercase letters and numbers would take approximately 5.88 years to run through all the combinations.
  • 8 character, upper and lowercase letters, numbers and symbols would take approximately 45.2 years to run through all the combinations.

Of course, there are always exceptions to the rule. With newer technology, botnets, and GPUs, among others, these times can be shortened quite a bit. Why not add a few more characters to your password? Each additional character means an order of magnitude more possible combinations.
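The arithmetic above as a small calculator, added here as an example and not part of the original post. It uses the post's rate of 0.0017 ms per hash and its character-set sizes, and goes beyond the post by also covering 10 and 12 character passwords; the average-case column (half the combinations tried) lands on the figures in the list above. Function names are illustrative, and a 365-day year and a fixed guessing rate are assumptions.

```python
# Added example: brute-force search time at the post's guessing rate.
SECONDS_PER_GUESS = 1.7e-6          # the post's figure: 0.0017 ms per hash
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY  # assumption: 365-day year

# Character-set sizes from the post (18 symbols is the post's count).
CHARSETS = {
    "lowercase": 26,
    "upper+lower": 52,
    "upper+lower+digits": 62,
    "upper+lower+digits+symbols": 80,
}

def keyspace(charset_size, length):
    """Number of passwords of exactly `length` characters."""
    return charset_size ** length

def search_seconds(charset_size, length, fraction=1.0):
    """Seconds to try `fraction` of the keyspace (0.5 = average case)."""
    return keyspace(charset_size, length) * fraction * SECONDS_PER_GUESS

def humanize(seconds):
    """Render a duration in days below one year, otherwise in years."""
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:,.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.1f} years"

def report(lengths=(8, 10, 12)):
    """One row per (character set, length): full and average search time."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            full = humanize(search_seconds(size, n))
            avg = humanize(search_seconds(size, n, fraction=0.5))
            rows.append((name, n, keyspace(size, n), full, avg))
    return rows

if __name__ == "__main__":
    for name, n, space, full, avg in report():
        print(f"{name:27} len={n:<2} {space:.2e} combos  "
              f"full={full:>24}  avg={avg:>24}")
```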

If your friends have reported to you that they received a second, third, or fourth (or more) friend request from you, then you probably haven’t been hacked. More than likely, your Facebook account name has been spoofed. This means that someone has used your name to create another Facebook account and is looking for people to friend them. The spoofer can then take the data they gather from your friends and either sell it or use it themselves.

There isn’t much you can do about spoofing. You can block the offending account on Facebook. You can (and should) read what Facebook has to say on the topic by visiting

Remind your friends that you are already friends with them on Facebook. By all means, teach them about security.

If you think your computer has been compromised, please do not hesitate to contact us for a security scan. In most cases we can do it remotely. Our number is 936.559.7797.
