Twitter has warned its 336 million users to change their passwords after the company discovered a bug that stored passwords in plain text in an internal system. IT security experts commented below.
Jesper Frederiksen, Head of EMEA at Identity Management Specialists Okta:
“With just three weeks until the GDPR deadline, organisations are still not taking data ownership seriously enough. Although Twitter should be commended for acting fast and urging its customers to change their passwords after a bug exposed them, it should have done more to protect its customers’ data before the issue arose.
Every company must understand the importance of robust and fair data ownership. In the era of GDPR, breaches will cause major financial and reputational damage, and with daily reports of data breaches, businesses need to look at alternative ways to protect important information. Distilled down, the management of identity will help define and evolve data access. Passwords are no longer strong enough as a standalone form of protection.
Multi-factor authentication, combining passwords with other factors such as physical tokens or biometrics, should be part of your security strategy. Introducing a discrete identity system that removes any reliance on personal information will also ensure safety, because stolen personal information would become worthless on the black market, acting as a deterrent to hackers.”
Pravin Kothari, CEO at CipherCloud:
“Best practices in password management suggest that online services such as Twitter will benefit from a Zero Trust assumption. Zero Trust tells us that all networks are to be considered unsafe and that at some point they will be successfully compromised. With this in mind, 2-factor authentication has emerged as the best practice for accessing systems of any type and will protect users even when their password is compromised.
Most online services are rapidly moving in that direction. Every online service and their users, including Twitter, will benefit substantially from the additional protection of 2-factor authentication.”
Lee Munson, Security Researcher at Comparitech.com:
“Twitter passwords being stored in plain text does not sound great but, according to the social media giant itself, there appears to be little to no risk that user credentials have made it out into the wild. That said, it is curious as to why Twitter would have any passwords stored in plaintext at any given moment in time when it otherwise claims all login credentials are encrypted. For that reason alone, all users of the social network should follow the company’s advice and change their passwords immediately, paying careful attention to ensure the replacement is long, complex and not used anywhere else online – a password manager would certainly be a useful tool for achieving this.”
Paul Walker, Technical Director at One Identity:
“Here we go again, another ‘please change your password urgently, we screwed up’. At least this time we’ve been notified; this is a huge step in the right direction. User notification is a key facet of the upcoming EU GDPR directive and it’s great to see Twitter taking this action. So I’ve changed my personal Twitter password, what next? This recent notification from Twitter reinforces the fear that info-sec professionals have over the use of SaaS for corporate social media. These days most organizations have a social media footprint of some kind, and that of course includes Twitter. Given the potential for corporate reputational damage from the misuse or breach of corporate social media accounts, these accounts should be treated in the same way as any privileged account.
So ask yourself: who within your organization is responsible for the organization’s Twitter account, what governance processes are in place around the regular change of this password, and what password policy is in place? The likelihood is that this is a manual process today, even more so because Twitter offers no API to programmatically change account passwords. All is not lost: recent innovation in the form of Privileged Passwords provides the governance and security framework to enforce regular password changes on social media accounts, including Twitter.”
“Even though Twitter users’ details were not exposed to malicious actors in this instance, it just goes to show that relying solely on usernames and passwords is irresponsible. With the majority of data breaches occurring due to lost and stolen credentials, businesses need to look seriously at how they provide identity security. Ultimately, we need to ditch the password completely.
“Twitter’s recommendation of activating two-factor authentication just isn’t enough. To provide robust identity security, organisations need to go further than just two-factor authentication. Implementing adaptive authentication that combines techniques such as geographic location analysis, device recognition, IP address based threat services, and phone fraud prevention will help address the threats at the identity level efficiently.”
Raj Samani, Chief Scientist and Fellow at McAfee:
“While the irony of Twitter disclosing its password bug on World Password Day can be considered poor timing, it highlights the issue with relying on single-factor authentication to protect our digital lives. Twitter has urged millions of users to update their passwords and now’s the time to think about how, as individuals, we can increase the security measures we’re putting in place.
“McAfee’s recent research revealed a third of people rely on the same three passwords for every account they’re signed up to. If you use the same password for Twitter and a number of other apps and accounts, a cybercriminal only needs to get their hands on this once to potentially gain access to private and even financial information. Hopefully Twitter’s news will prompt people to wake up and really think about the passwords they’re using.”
- Create Strong Passwords. Never use family names, pets, birthdays, “12345” or “password”. Many websites and apps will prompt you to include a combination of numbers, lowercase and uppercase letters, and symbols and this is for good reason. The harder your password is to guess, the harder it is to crack.
- Use unique passwords for each of your accounts. Today’s hackers are smart, if one of your passwords is hacked, there is a high chance the hacker will try and hack all of your accounts. Use different passwords to ensure your critical information across email, social media and banking apps is protected.
- ‘Forgot password’ problems. Relying on ‘forgot your password’ link as a fallback option within a webmail service or other site isn’t a wise move. The answers to the questions asked to unlock your account are often easily found on social media profiles of yourself or your friends/family, making the code easy to crack for hackers.
- Use a password manager. All of the above is great, but how are you supposed to remember 20 or more unique passwords? The answer is simple: a password manager. McAfee True Key App, for example, will help you to create complex and strong passwords and auto saves them so you don’t have to remember each and every one.
- Double up on protection. Advances in biometric technology such as fingerprint scanning and face and voice recognition are helping to improve security. Using a password in conjunction with at least one other authentication technique will help to protect your devices and data.
Dr. Richard Ford, Chief Scientist at Forcepoint:
“I think Twitter very much did the right thing here: they had no hard evidence that these passwords had been spilled outside their walls, but decided to go public to be sure. That’s a good step, and for that, they get a gold star, so well done Twitter! Second, Twitter has provided support for two-factor authentication for quite some time, so if you have an account you really care about, using some form of 2FA would mean that even if your password was leaked, no real harm was done. So again, I’d consider all of that positive. There’s a lot of good to celebrate here, as odd as that sounds.
Broadening the aperture a bit, let’s talk about this in the sense of the overall ecosystem. As a security practitioner with over a quarter of a century (gosh, when I write it like that it sounds like forever!) experience, I’m still surprised that high-value accounts can be protected with just a simple password in 2018! We can and should do better, and I’d like to hope this is a bit of a nudge to do that. Embrace 2FA (2 Factor Authentication), don’t reuse passwords, and you will be safer online, period. Even well-intentioned systems like Twitter can – as we’ve seen – inadvertently leak information to insiders. While defense in depth helps here (solutions that look at data exfiltration and file access, for example, would help determine that nothing was taken, at least in bulk), users have to be savvy and take a bit of control over their own destiny in order to minimize their personal exposure. As for me, I’ll be getting online as soon as I get done here and resetting my password… and just so we’re clear on this, “Password123!” would be a bad choice. Just saying.”
David Emm, Principal Security Researcher at Kaspersky Lab:
“Twitter’s customer notification indicates that they hash passwords using bcrypt. They say that, because of a bug, unhashed passwords were stored in an internal log. They don’t believe that the passwords have been exposed, but are alerting people just to be on the safe side. By communicating this alert clearly with account holders, Twitter has shown responsibility to improve the authenticity of its customers’ passwords, while also upholding the company’s integrity.
“This story does, however, highlight the importance of using unique passwords for all online accounts, as well as two-factor authentication for added security, where it’s available.”
Kaspersky Lab recommends the following advice for those looking to choose a new password in light of the Twitter password bug discovery:
- Make every password at least 15 characters long – but the longer the better.
- Don’t make them easily guessable. There’s a good chance that personal details such as your date of birth, place of birth, partner’s name, etc. can be found online – maybe even on your Facebook wall.
- Don’t use real words. They are open to ‘dictionary attacks’, where someone uses a program to quickly try a huge list of possible words until they find one that matches your password.
- Combine letters (including uppercase letters), numbers and symbols.
- Don’t ‘recycle’ them, e.g. ‘david1’, ‘david2’, ‘david3’, etc.
- Use a different password for each account to prevent all of your accounts becoming vulnerable. If you find it hard to remember unique complex passwords, use a password manager to help you create, store and remember your passwords securely.
- Make use of two-factor authentication where available, as it adds an extra layer of security.
- If you suspect your password has been compromised, change it immediately.
Marco Cova, Senior Security Researcher at Lastline:
“The leak of passwords and other secrets in logs and analytics systems is unfortunately a more common issue than one may think; for example, a very similar incident occurred a couple of years ago at OneLogin. Twitter has done the right thing: they fixed the bug and have been transparent about it. Having systems that actively look for this kind of leak in internal logs is another valuable preventative measure that companies can use.”
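As an added example (not code from Twitter or from any of the vendors quoted), the two controls these comments point at: the bcrypt-before-logging failure David Emm describes is prevented by a logging filter that redacts credential fields before any record is written, and the log-scanning countermeasure Marco Cova describes is a scan over constructed sample log lines that flags any plaintext credential that still got through. The credential field names it looks for are an assumption, not Twitter's schema.

```python
import io
import logging
import re

# Credential-looking key/value pairs; the field names are an assumption, not Twitter's schema.
SECRET_KEY_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret|token)(\s*[=:]\s*)([^\s,;&]+)")
REDACTED = "[REDACTED]"

def redact(line: str) -> str:
    """Replace the value of every credential field in a single log line, keeping the key."""
    return SECRET_KEY_RE.sub(lambda m: m.group(1) + m.group(2) + REDACTED, line)

class RedactingFilter(logging.Filter):
    """Rewrites each record before any handler formats or writes it to disk."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so a secret passed as a %-argument is redacted as well as one in the template.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

def capture_logged(message: str, *args) -> str:
    """Log one message through the filter and return exactly what reached the handler."""
    buf = io.StringIO()
    logger = logging.getLogger("auth-audit-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.info(message, *args)
    handler.flush()
    return buf.getvalue().strip()

def scan_log(lines) -> list:
    """Return (line_number, field_name) for every unredacted credential still present in a log."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for m in SECRET_KEY_RE.finditer(line):
            if m.group(3) != REDACTED:
                findings.append((number, m.group(1).lower()))
    return findings

# Constructed sample log: lines 2 and 4 leak secrets, line 3 was redacted correctly.
SAMPLE_LOG = [
    "2018-05-03 10:01:07 INFO login ok user=alice",
    "2018-05-03 10:01:09 DEBUG auth request user=bob password=hunter2",
    "2018-05-03 10:01:12 DEBUG auth request user=carol password=[REDACTED]",
    "2018-05-03 10:02:00 INFO api call token: abc123def",
]
```

Running `scan_log` over the output of `redact` for every line returns no findings, which is the check a log-retention job would apply before archiving.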