
Change Your Twitter Password Right Now

In Category Twitter News Posted by err0r On 08/17/18 Comments 0
On Thursday, Twitter chief technology officer Parag Agrawal disclosed in a blog post that the company had inadvertently recorded user passwords, in plaintext, in an internal system. This is not how things are supposed to go! And while Twitter has fixed the bug, and doesn't think any of the exposed passwords were accessed in any way, you should still change your Twitter password right now to make sure your account is secure.

"It's a bad thing and Twitter should be held to the fire for it," says David Kennedy, CEO of the penetration testing firm TrustedSec. "But they are taking the right steps by requesting everyone change their password and making the bug public versus hiding it."

Twitter has begun notifying both mobile and desktop users to change their passwords, but several people have reported errors and lags, presumably because everyone is trying to make account changes at once (which is good!).

Companies generally protect user passwords by running them through a one-way cryptographic process known as hashing, so that the stored value can be used to check a login but not to recover the original password. As Agrawal explained, Twitter does this, too, using a well-regarded, deliberately slow password-hashing function called bcrypt. But a bug caused Twitter to write passwords, unprotected, to an internal log before its password management system had hashed them. The system would then complete the hash and store it as usual, so everything looked fine downstream, even though the plaintext passwords remained readable in the log. While it's good that Twitter eventually realized the situation and is taking steps to ensure that it never happens again, it's disconcerting that such a fundamental flaw in a crucial user protection existed in the first place.
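The pattern described above is easy to reproduce and easy to catch. The following is an added illustration, not Twitter's code and not based on any detail of its internal system: a password-change handler that logs the whole request before hashing (the bug), the same handler with sensitive fields redacted, and a check that scans the captured log for the secret. Because the bcrypt package is not part of the Python standard library, the hashing routine below uses PBKDF2-HMAC-SHA256 as a stand-in; real code should use bcrypt, scrypt or Argon2. The form fields, field names and sample password are constructed for the example.

```python
import hashlib
import io
import logging
import os
import secrets
from typing import Optional, Tuple

# Stand-in for bcrypt (assumption for this example): PBKDF2-HMAC-SHA256 from the
# standard library so the code runs without third-party packages.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted, iterated one-way hash of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return secrets.compare_digest(candidate.hex(), digest_hex)


# Hypothetical field names for this example's request form.
SENSITIVE_FIELDS = {"password", "new_password", "current_password"}


def redact(form: dict) -> dict:
    """Copy of the form with credential fields replaced before it reaches a log."""
    return {k: ("<redacted>" if k in SENSITIVE_FIELDS else v) for k, v in form.items()}


def change_password_vulnerable(form: dict, log: logging.Logger) -> str:
    # BUG (constructed to mirror the article): the entire request, password included,
    # is logged BEFORE hashing, so the plaintext lands in the log even though the
    # value that is finally stored is a proper hash.
    log.info("password change request: %s", form)
    return hash_password(form["new_password"])


def change_password_safe(form: dict, log: logging.Logger) -> str:
    # Fixed version: only a redacted view of the request is ever logged.
    log.info("password change request: %s", redact(form))
    return hash_password(form["new_password"])


def log_leaks_secret(log_text: str, secret: str) -> bool:
    """Detection check: does the raw log contain the credential?"""
    return secret in log_text


def run_handler(handler) -> Tuple[str, str]:
    """Run a handler with an in-memory log and return (stored hash, log text)."""
    buf = io.StringIO()
    logger = logging.getLogger(f"example.{handler.__name__}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(buf))
    form = {"user": "alice", "new_password": "correct-horse-battery"}  # constructed
    stored = handler(form, logger)
    return stored, buf.getvalue()


if __name__ == "__main__":
    secret = "correct-horse-battery"
    for handler in (change_password_vulnerable, change_password_safe):
        stored, log_text = run_handler(handler)
        print(f"{handler.__name__}: hash ok={verify_password(secret, stored)}, "
              f"plaintext in log={log_leaks_secret(log_text, secret)}")
```

The useful takeaway is the last function: a test that feeds a known password through the real code path and asserts it never appears in any log sink is cheap, and it would catch exactly this class of bug regardless of how the hash itself is computed.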

"I’m sorry that this happened," Agrawal wrote on Twitter after posting the announcement. "We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do." The disclosure came on World Password Day.

It's true that Twitter could have simply implemented remediations and hoped for the best, but its users deserve to know if and when their passwords have been exposed, especially because it's always possible that the data actually was improperly accessed. And the company could have gone even further with its disclosure. "We ask that you consider changing your password on all services where you’ve used this password," Agrawal wrote in the statement. Instead of making it optional, Twitter could have forced all of its users to change their passwords, so that every password that sat in the log was retired rather than left to each user's discretion.

To do just that for your own account, navigate to Settings and privacy > Password. Enter your current password and then pick a new one. And if you used your old Twitter password for any other accounts, you should change those, too.


Read full article @ https://www.wired.com/story/change-your-twitter-password-right-now/