Blog

Password Image Hash 640x350

Twitter Comes Clean and Users Need to React

  |   jim's digital lab

Within the last few days you may have heard that Twitter is self-reporting a potentially catastrophic event that could have been a major blow to online security. From all appearances and claims by Twitter, they escaped any hacker intrusions and your online access credentials have not been compromised. The Twitter PR machine has been running overtime this week, and the company is now sending out emails to all registered users advising them to change the login password. Here’s the scoop.

Secure Password Hashing 275x155Whenever user access credentials are created for your Twitter account, the actual password you choose is converted by an algorithmic function using what’s called “hashing.” In short, it takes whatever password that you create, such as “mypassword,” and converts this clear text set of characters into a one-way hash. In layman’s terms, the original password you created can’t be recovered from the hashed version of your password. This on-the-fly hashing is not supposed to be recorded showing both the clear text characters and the actual hashed version, and it should never be stored on Twitter servers. Only the actual hashed password should be stored within the database. That hashed password would then be “read” each time you log in to your account to make sure it is really you.

Twitter is now reporting that the password-to-hashing process was accidentally written to and saved on a database system log that, if dowloaded through a hack, could put all Twitter users’ credentials at risk. Twitter believes they removed the log before anyone accessed it. But, out of an abundance of caution…or fear (probably justifiable in this day and age)…Twitter is now emailing users suggesting they change their passwords. Click the button at the bottom of this post to read Twitter’s email.

How to Protect Your Identity

The problem is that most users re-use identical passwords for many services to which they subscribe…online bank access, PayPal, Social Security, social media, etc. Are you guilty of this? The downside is if hacked, your user access credentials invariably wind up on the dark web and are for sale in a micro-second. The assumption hackers make is that users do not change their passwords across multiple platforms. They then program their brute force hacking system bots to crawl the web looking for login screens, and they try different user names but with the same password over and over again until they break in or are blocked by sysadmins or firewalls. These brute force attacks can number in the tens of attempts, or thousands of attempts over a very short period of time. Many systems employ a fixed number of failed attempts before it sends up a security alert, and your account may be blocked until you call front line support to unlock your login screen. On the other hand, if you used 123456 as your password, your goose could be cooked! To fix this problem you can create unique user access credentials, including passwords, for each online service you use. Don’t use “admin” or “123456” as hackers use these first in any attempt to break into online services. Use between 14 and 24 random characters to make it even harder for hackers to “guess” your credentials. That way, if there is a data breach in one system, your other platforms will have far less risk for a wholesale intrusion

From personal experience I know it is a real pain to create a new password for Twitter or any online account, let alone 10-20 accounts if you counted them all. While this Twitter incident may have had no third-party intrusion into this database log, I would highly encourage you to change your Twitter password. In this day and age, you really need to be proactive in protecting your online identity. We recently learned that Facebook allowed profiling of its user community by a third-party vendor, and others may have done the same thing. Frankly, you are your own first line of defense against hackers. That means you must take passwords and user names seriously. Change them at least every 90 days. Don’t store them in a file on your computer. And, cross your fingers that your cloud-based service providers (banks, healthcare providers, Spotify, Apple, OneDrive, Dropbox, etc.) are focused on securing your online identity, too.