The location is an option, so not every status has one, and even if it does, it always says "near Zagreb, Croatia", which is 120km from the town I live in...
I think you can set a security option called "approval of the login" or something, where it sends a security code to your mobile phone whenever you log in from an unknown device (another computer). It should be in options - security: https://www.facebook.com/settings?tab=security
First of all, get a life...
Second of all, my password didn't contain any "basic" info (names, addresses, phone numbers, or anything similar), but it was a word which had sense followed by 3 numbers...
There you go, it's actually very possible to guess these; a password like "moonpie774" is pretty vulnerable against a dictionary attack. Even "zzzz" is safer in this respect, as trying all combinations from "aaaa" to "zzzz" requires 456 976 attempts, whereas "moonpie0" to "moonpie9999" needs only 11110 attempts.
See MadCatX's post. The very fact you say "oh, it's a word which makes sense followed by 3 numbers" shows poor security and means that it's probably quite easy to actually get your password... friend watching over your shoulder. I am into IT Security (I'm not a master but have a good understanding of these kinds of "hacks") and a dictionary word followed by 3 numbers is very easy to crack, a matter of hours for a good home PC with cracking software.
Are you out of your mind? Words not safe enough? The Oxford dictionary contains over 200,000 words. Add some digits behind that and the chances (if the password is known to be a word) are one in 999 x 200,000 if you have 3 digits behind and the guesser goes through them randomly knowing there are at most 3 digits. The number of possibilities is near 200,000,000. Maybe you have some capital letters too. A few in a seemingly random order. That will make it impossible to guess your password even with a few million tries (Facebook has a protection so you can't even try those few million times).
In real life that ''hacker'' won't even know your way of creating the password (whether you have words, in which language, digits in front of the word, after the word or in the middle, etc.), so if you are on a site that has ''human identification'' it's impossible for anyone to guess your password unless you reveal parts of it somewhere or to someone, or are using some stupid password like ''password'' or ''lol''.
And Drift: Let's assume the server replies to your ''software'' once a second. With only 200,000,000 possibilities it would still take 200,000,000/3600 hours to go through them all, which is 55,555.555 hours. That is approximately 2315 days. Even if the software could get answers 100 times a second it would still take 23 days. Of course he won't need to go through all those, but without getting lucky, sacrificing a computer to hack someone's account 24/7 for even a week is something no one would do. Hackers usually just go through the most used passwords with everyone and, to be honest, they have much better chances at that than going at random at your account and wasting weeks, months, possibly years (if you have a good password) figuring out your password.
Actually, I don't think I am. 200 000 * 11110 + some randomization like first letter in caps gives about 4.4 E9 combinations. Even if you could try only 1000 passwords per second, it'd take just 51 days to crack it. A 9-char-long password containing randomly ordered letters, numbers and special chars leads to about 5.2 E16 combinations. At 1000 p/s it would take over 1.6 million years to get this one.
Also it's not like a hacker would try to type passwords into FB login page. He'd rather sniff the communication to get the hashed password and try to get to the password by calculating an appropriate hash for all possible passwords and comparing it to the sniffed hash.
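The keyspace arithmetic argued over in the posts above (the 456 976 four-letter combinations, the 11110 word-plus-digits variants, the 4.4 E9 and 5.2 E16 totals, and the 55,555 hours at one guess per second) is easy to check with a small calculator. The following script is an added example written for this thread, not code posted by MadCatX or anyone else here; the word count (200,000), the 72-symbol alphabet assumed for "letters, numbers and special chars", and the guess rates are taken from the posts or stated as assumptions in the comments.

```python
import math

# Figures taken from the thread; they are assumptions for the calculation, not measurements.
DICTIONARY_WORDS = 200_000      # "Oxford dictionary contains over 200,000 words"
RANDOM_ALPHABET = 26 + 26 + 10 + 10   # assumption: a-z, A-Z, 0-9 and ten special chars = 72
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def digit_suffix_variants(max_digits: int) -> int:
    """Count suffixes of 1..max_digits decimal digits.

    "moonpie0" .. "moonpie9999" is 10 + 100 + 1000 + 10000 = 11110 candidates,
    which is the figure MadCatX quotes (the bare word without digits is not counted).
    """
    return sum(10 ** n for n in range(1, max_digits + 1))


def keyspace_alphabet(alphabet_size: int, length: int) -> int:
    """Fully random password: every position drawn from the same alphabet."""
    return alphabet_size ** length


def keyspace_word_digits(words: int, max_digits: int, case_variants: int = 1) -> int:
    """Dictionary word + digit suffix, optionally multiplied by capitalisation variants
    (e.g. 2 for 'first letter in caps or not')."""
    return words * digit_suffix_variants(max_digits) * case_variants


def entropy_bits(keyspace: int) -> float:
    """Guessing entropy of a uniformly chosen password from this keyspace."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried. Expected time is half of this."""
    return keyspace / guesses_per_second


def human_duration(seconds: float) -> str:
    """Pick the largest unit that keeps the number readable."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare_schemes(rate: float) -> dict:
    """Keyspace and worst-case exhaustion time for the password styles discussed above."""
    schemes = {
        "4 lowercase letters (aaaa..zzzz)": keyspace_alphabet(26, 4),
        "one fixed word + 1-4 digits": digit_suffix_variants(4),
        "200k words + 1-4 digits, optional capital": keyspace_word_digits(
            DICTIONARY_WORDS, 4, case_variants=2),
        "9 random chars from 72-symbol alphabet": keyspace_alphabet(RANDOM_ALPHABET, 9),
    }
    return {name: (size, entropy_bits(size), seconds_to_exhaust(size, rate))
            for name, size in schemes.items()}


if __name__ == "__main__":
    rate = 1_000  # guesses per second, the figure MadCatX assumed
    print(f"At {rate:,} guesses/second (worst case, full keyspace):")
    for name, (size, bits, secs) in compare_schemes(rate).items():
        print(f"  {name:45s} {size:>22,d}  {bits:5.1f} bits  {human_duration(secs)}")
    # The online-guessing figure from the thread: 200 million candidates at 1 per second.
    print("200,000,000 guesses at 1/s:",
          human_duration(seconds_to_exhaust(200_000_000, 1)))
```

The point the numbers make is the one MadCatX draws: a word with a digit suffix has roughly the entropy of a five-character random password, and a meaningful 9-character random password is about 10^7 times harder to exhaust, so the difference between "days" and "longer than the age of the universe" at the same guess rate comes from the structure of the password, not from the guess rate. The 1000 guesses/second figure is only realistic for offline attacks against a leaked hash; an online login form with rate limiting is far slower, which is why both sides of the thread arrive at different conclusions.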
I'm not arguing that words with some mixed digits and capital letters are better. They are however sufficient for most internet accounts like Facebook. Even if you look at the hash you have so many different options that you'd have Facebook send you ''have you forgotten your password'' mails for a few weeks. Maybe then you'd change your password.
Words and combinations of words are fine as long as you don't have any government secrets someone would want to snatch. The odds of someone seriously trying to hack your account, and succeeding before you notice, are extremely small. Besides, using random letters etc. has the problem that if you have several you can't possibly remember them, which causes you to write them down somewhere, which makes your friends or family finding out your password and using it much more likely.
I agree smaller words etc are fine for non-important sites but don't use a crappy password then complain when someone "hacks" you.
PS: he probably wasn't hacked, his friend either saw him type in the password/guessed it, or he logged in with the "oh please remember me" (if Facebook has that, I don't use it so hey).
Is it checked by default? Could have logged in at a friend's house or at school/work or something.
If someone I know has left facebook logged in I will post a message saying how they are gay or how they have a crush on "first girl i see in their contact list".
Who said I remember them? I keep notes of them (all passwords actually) and if I don't know it / lost it, I've memorized the password reset routine. :3
I use a safe password for my bank accounts and e-mails, and just an easy-to-remember word for Facebook, forums, etc. Even if someone was sad enough to "hack" (btw it's way more likely that you left FB logged in on some computer) my FB, then who cares tbh. I could always get a new password sent to my e-mail and laugh off whatever "damage" the "hacker" did.
Your guessing powers seem to be very weak and incorrect... I have my pass remembered on my phone, so I wasn't typing it, and no one had a hold of my phone, so I'd exclude this possibility. Also, I never used anyone's PC or phone to sign in to FB, except the school one, but I didn't check the "remember login" thing, and I deleted the complete history (including saved password, cookies and all) after the login... E: I mean, when I logged out...