A closer look at what happened with the Twitter password bug


As you’ve most likely noticed, this morning we’ve woken up to a major security incident, with Twitter advising all its users to change their passwords following a bug in the company’s systems which led to those passwords temporarily being stored in plain text (rather than being hashed, ie disguised as a string of meaningless random letters and numbers via an algorithm).

Off the bat, it’s important to note that this is not a security breach – an actual known leak of user data – as such, because Twitter asserts that the unmasked passwords were stored in an internal log, and only there, with an investigation finding “no indication of breach or misuse” of those passwords.

As David Emm, principal security researcher at Kaspersky Lab, explains: “Twitter’s notification indicates that they hash passwords using bcrypt. They say that, because of a bug, unhashed passwords were stored in an internal log. They don’t believe that the passwords have been exposed, but are alerting people just to be on the safe side.”

So the advice to change your Twitter password is a precautionary measure taken, in the firm’s words, out of an “abundance of caution”.

In short, Twitter believes that nothing is awry and that no password data has leaked externally in any form, but evidently can’t declare this with watertight certainty. Hence the need for the aforementioned caution, which Twitter has been careful to frame in the least worrisome light possible by using a term like ‘abundance’.
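To make the failure mode concrete, here is an added illustration that is not Twitter’s code: a password-change handler that writes the whole request to a log before hashing (the bug the article describes), beside a version that redacts secret fields first, plus a small audit check a defender could run over existing log lines. The field names, the sample password, and the use of the standard library’s scrypt in place of the bcrypt Twitter says it uses are assumptions made for this example.

```python
import hashlib
import hmac
import json
import os
import re

# Field names whose values must never reach a log (assumed set for this example).
SECRET_FIELDS = {"password", "new_password", "current_password"}

# Detection pattern: a JSON password-style field whose value is not the redaction marker.
UNREDACTED_RE = re.compile(r'"(?:new_|current_)?password"\s*:\s*"(?!\[REDACTED\]")[^"]+"')


def redact(form):
    """Return a copy of the form with secret fields masked, safe to write to a log."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v) for k, v in form.items()}


def hash_password(password, salt=None):
    """Salted scrypt hash; a stdlib stand-in for bcrypt, which the article says Twitter uses."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)
    return "scrypt$" + salt.hex() + "$" + dk.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex), n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(dk.hex(), dk_hex)


def set_password_buggy(form, log):
    """The failure mode: the whole request is logged before the password is hashed."""
    log.append(json.dumps(form))  # the plaintext password now sits in the log
    return hash_password(form["password"])


def set_password_fixed(form, log):
    """Same flow, but the log line is built from the redacted copy of the form."""
    log.append(json.dumps(redact(form)))
    return hash_password(form["password"])


def audit_log(log):
    """Defender check: indices of log lines that still carry an unredacted password value."""
    return [i for i, line in enumerate(log) if UNREDACTED_RE.search(line)]
```

Only the stored hash is ever needed to verify a later login, so nothing in the log should be able to reproduce the password.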

Of course, Twitter also advised folks to change their password on “all services where you’ve used this password” – in other words, on any online accounts where you’ve reused your Twitter password.

And a lot of folks could be in that boat, as Steve Schult, senior director of product management at LastPass, told us: “Many people are going to want to change their Twitter password today, because we know people are continuing to use some pretty risky password behaviors.

“In fact, in our recent Psychology of Passwords survey we found that 91% knew that using the same password for multiple accounts is a security risk, but 59% admitted that they continued to do so.”

Raj Samani, chief scientist and fellow at McAfee, added: “McAfee’s recent research revealed a third of people rely on the same three passwords for every account they’re signed up to.

“If you use the same password for Twitter and a number of other apps and accounts, a cybercriminal only needs to get their hands on this once to potentially gain access to private and even financial information. Hopefully Twitter’s news will prompt people to wake up and really think about the passwords they’re using.”

Protect yourself

So, let’s talk about the steps you can take to best maintain the security of your online accounts when issues like this Twitter bugbear – or indeed full-on data breaches where user data is definitely spilled or stolen – crop up.

Probably the most important move to make is to enable two-factor authentication on your accounts, at least where the sites or services in question support it (and most big players do these days).

Two-factor authentication simply means you need a second element to access your account: not just your password, but also, for example, a code texted to your smartphone. This means that even if a malicious party does manage to obtain your password, when they go to log in to your account, they won’t be able to get that code (because it’s sent to your mobile), and so they’ll fail in their attempt to gain access.

For advice on how to set this up with Twitter, check out our guide here.

David Emm from Kaspersky Lab imparted the following tips on making your password as strong as possible, and on password usage in general:

  • Make every password at least 15 characters long – but the longer the better.
  • Don’t make them easily guessable. There’s a good chance that personal details such as your date of birth, place of birth, partner’s name etc, can be found online – maybe even on your Facebook wall.
  • Don’t use real words. They are open to ‘dictionary attacks’, where someone uses a program to quickly try a huge list of possible words until they find one that matches your password.
  • Combine letters (including uppercase letters), numbers and symbols.
  • Don’t ‘recycle’ them, e.g. ‘david1’, ‘david2’, ‘david3’, etc.
  • Use a different password for each account to prevent all of your accounts becoming vulnerable.

That last tip echoes Steve Schult’s earlier observation about how widespread this bad security practice is, and he added: “When users change their Twitter password it’s important they select a unique, strong password that hasn’t been used on other online accounts.

“Memorizing complex, unique passwords for every online account is nearly impossible and can result in users cutting corners at the expense of their own security. Thankfully there’s technology available that can make managing your passwords easier and more secure.

“By using password managers, remembering more than one password should be a thing of the past. All the work is done for you, and it’s the easiest way to ensure your accounts are secure and protected.”

It’s worth remembering that you don’t need to fork out cash for a good password manager app either – we’ve rounded up the best password managers here.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).