Facebook will never request your password over email

On Friday, I wrote a story about how Facebook was prompting users for their password when they navigate to Facebook's Update Your Security Information webpage. Users said they were confused why it was happening, and frankly so was I. The prompt was ironic to me because most users get to the webpage from a Facebook ad (Sponsored Story) called "Account Protection" pushed out by Facebook itself to help them improve their account security.

This was very frustrating to me since security experts have been warning users for years not to hand over their password willy-nilly. In my article, I pointed to a Facebook Help Center entry (emphasis mine):

I got an email asking for my Facebook password. Do not respond to the email. Facebook will never request your password, and we advise against providing your login information to anyone under any circumstances.

On Saturday, Facebook got back to me and clarified what was happening. "Our policy here is to ask a user to re-enter their password after 20 minutes has elapsed any time you attempt to modify sensitive account information – e.g. Email, phone #, security question, Page admins etc," a Facebook spokesperson said in a statement. "This check is to make sure the user is still accessing their account, and not another person who has gained access to the device."

I understood, but I wasn't satisfied. I was more annoyed with Facebook's confusing stance. I told them their documentation needed an update. Here's what I wrote:

I have tested this and it appears that the prompt indeed does not occur in the 20-minute timeframe after you login to Facebook. That being said, I have told Facebook I think their documentation needs to be updated to reflect this policy.

On Monday (today), that's what happened. While it looks like a small difference, I think it's an important one. The Facebook Help Center entry (emphasis mine) now says:

I got an email asking for my Facebook password. Do not respond to this email. Facebook will never request your password over email, and we advise against providing your login information to anyone under any circumstances.

I would have preferred for Facebook to disclose the 20-minute time limit, because that's really what was missing from the documentation. I guess Facebook users will simply have to refer to articles like this one for such specific information.

See also:

• Facebook virus or account hacked? Here's how to fix it.
• How Facebook protects users from malicious URLs
• Facebook releases official Guide to Facebook Security
• Sex sells: Men fall for Facebook scams more than women
• Facebook admits it needs to fight scams more efficiently
• Facebook Immune System checks 25 billion actions every day