A closer look at what happened with the Twitter password bug

As you've probably noticed, this morning we've awakened to a major security incident, with Twitter advising all its users to change their passwords after a bug in the company's systems led to those passwords being temporarily stored in plain text (instead of being hashed, that is, transformed by an algorithm into what looks like a random string of letters and numbers).

Off the bat, it's important to keep in mind that this is not a security breach as such, that is, a real leak of user data to outsiders, because Twitter says the unmasked passwords were stored in an internal log, and only there, and its investigation found "no indication of breach or misuse" of those passwords.

As David Emm, Kaspersky Lab's principal security researcher, explains: "The Twitter notification indicates that they hash passwords using bcrypt. They say that due to a bug, the unhashed passwords were stored in an internal log. They believe that the passwords have been exposed, but they are alerting people to be on the safe side."
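The bug described above is a logging mistake, not a hashing one: the plaintext is written to a log before it ever reaches bcrypt. The following is an added example, not Twitter's code, showing the buggy login path beside a fixed one plus a defender-side check that a captured log never contains the plaintext; it assumes PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt, and the usernames, passwords and work factor are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for the example; bcrypt uses a cost parameter instead


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing salted hash: algo$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_buggy(username: str, password: str, log: list) -> str:
    """The class of bug in the article: the raw request is logged before hashing,
    so the plaintext password lands in an internal log."""
    log.append(f"login user={username} password={password}")
    return hash_password(password)


def login_fixed(username: str, password: str, log: list) -> str:
    """Hash first, and log only fields that are not secrets."""
    stored = hash_password(password)
    log.append(f"login user={username} password=[REDACTED]")
    return stored


def log_leaks_secret(log: list, secret: str) -> bool:
    """Defender-side check: does any captured log line contain the plaintext?"""
    return any(secret in line for line in log)


if __name__ == "__main__":
    # constructed sample credential; never use a real one in a test like this
    bad_log, good_log = [], []
    login_buggy("alice", "correct-horse-constructed", bad_log)
    login_fixed("alice", "correct-horse-constructed", good_log)
    print("buggy path leaks plaintext:", log_leaks_secret(bad_log, "correct-horse-constructed"))
    print("fixed path leaks plaintext:", log_leaks_secret(good_log, "correct-horse-constructed"))
```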

So, the advice to change your Twitter password is a precautionary measure taken, in the words of the company, out of an "abundance of caution".

In summary, Twitter believes that nothing is wrong and that no password data has been leaked externally in any way, but obviously it cannot declare this with absolute certainty. Hence the need for the aforementioned caution, which Twitter has been careful to frame in the mildest possible light with the use of a term like 'abundance'.

Of course, Twitter also advised people to change their password in "all services where you have used this password", in other words, in any online account where you have reused your Twitter password.

And many people could be in that boat, as Steve Schult, senior director of product management at LastPass, told us: "Many people are going to want to change their Twitter password today, because we know that people continue to engage in quite risky password behaviors.

"In fact, in our recent password psychology survey we found that 91% knew that using the same password for multiple accounts is a security risk, but 59% admitted that they continued to do so."

Raj Samani, chief scientist and fellow at McAfee, added: "McAfee's recent research revealed a third of people rely on the same three passwords for every account they sign up for.

"If you use the same password for Twitter and several other applications and accounts, a cybercriminal only needs to access this once to potentially gain access to private and even financial information. Hopefully the Twitter news motivates people to wake up and really think about the passwords they're using."

Protect yourself

So, let's talk about the steps you can take to keep your online accounts secure when problems like this Twitter bug, or even full-blown data breaches where user data is definitely spilled or stolen, come along.

Probably the most important step is to enable two-factor authentication on your accounts, at least where the sites or services in question support it (and most of the big players do now).

Two-factor authentication simply means that you need a second item to access your account: not only your password, but also, for example, a code sent by text message to your smartphone. This means that even if a malicious party manages to obtain your password, when they try to log in to your account they will not have that code (because it was sent to your mobile device), so their attempt to gain access will fail.

For tips on how to set this up with Twitter, see our guide here.

David Emm of Kaspersky Lab gave the following tips for making your passwords as strong as possible, and for using passwords in general:

  • Make each password at least 15 characters long, but the longer, the better.
  • Do not make it easy to guess. There is a good chance that personal details such as your date of birth, place of birth, your partner's name, etc., are online, maybe even on your Facebook wall.
  • Do not use real words. They are open to 'dictionary attacks', where someone uses a program to quickly test a large list of possible words until they find one that matches your password.
  • Combine letters (including capital letters), numbers and symbols.
  • Do not 'recycle', e.g. 'david1', 'david2', 'david3', etc.
  • Use a different password for each account to prevent all your accounts from becoming vulnerable at once.

That last point goes back to the point made by Steve Schult above about the prevalence of this bad security practice, and he added: "When users change their Twitter password, it is important that they select a unique and strong password that they have not used for other online accounts.

"Memorizing complex and unique passwords for every online account is almost impossible and can result in users cutting corners at the expense of their own security. Fortunately, there is technology available that can make managing your passwords easier and safer.

"When using password managers, remembering more than one password should be a thing of the past, all the work is done for you, and it's the easiest way to ensure that your accounts are secure and protected."

It is worth remembering that you do not need to spend any money on a good password manager either. We have gathered the best free password managers and generators here.
