3 things we can learn from Twitter’s password bug

Twitter found itself in hot water recently as it discovered a flaw that left users’ passwords stored in plain text.

To the uninitiated, this might not sound like a big deal. Twitter has to store your passwords somehow, right? Well, you’re partially right.

Usually, Twitter stores users’ passwords securely by ‘hashing’ them: a one-way cryptographic function translates your password into a long, coded string (a hash), and only the hash is stored. When you enter your password to log in, it is hashed again and, if the two strings match, you log in. Your password can be translated into the hash, but the hash can’t be translated back into the password. This means passwords aren’t visible to anyone at the company, and if Twitter experienced a data breach, passwords wouldn’t be accessible to the hackers.
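The difference between what the bug did (keeping the password itself) and what the paragraph above describes (keeping only a salted hash and re-hashing at login) can be shown in a few lines. This is an added illustration, not Twitter’s code; the in-memory user table, the PBKDF2 work factor and the user names are constructed for the example.

```python
import binascii
import hashlib
import hmac
import os

# Constructed in-memory "user tables" standing in for a real database.
USERS_PLAINTEXT = {}   # username -> password  (the bug: readable by anyone with the data)
USERS_HASHED = {}      # username -> (salt, hash)  (the normal, safe form)

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your own hardware


def register_plaintext(username: str, password: str) -> None:
    """Weak form: whoever reads the table reads the password."""
    USERS_PLAINTEXT[username] = password


def register_hashed(username: str, password: str) -> None:
    """Safe form: keep a per-user random salt and a slow, one-way hash only."""
    salt = os.urandom(16)  # unique salt so identical passwords give different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS_HASHED[username] = (salt, digest)


def verify_hashed(username: str, candidate: str) -> bool:
    """Login check: hash the typed password the same way and compare the two hashes."""
    record = USERS_HASHED.get(username)
    if record is None:
        return False
    salt, stored = record
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(stored, computed)


def stored_record(username: str) -> str:
    """What someone holding a dump of the hashed table would actually see."""
    salt, digest = USERS_HASHED[username]
    return binascii.hexlify(salt).decode() + "$" + binascii.hexlify(digest).decode()
```

`stored_record` never contains the password text, whereas `USERS_PLAINTEXT` contains nothing else.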

Or they would have been, had Twitter been unfortunate enough to experience a breach during the period it was storing plain text passwords.

The social network giant has recommended that all users change their passwords; whilst this isn’t critical, Twitter recommends this as a precaution. No data breach occurred according to the statement Twitter released in conjunction with its password-change recommendation.

As TSG’s social media manager with a (naturally) vested interest in cyber-security, I’ve followed this with great interest. I’ve also followed Twitter’s advice and changed both TSG’s and my own Twitter password. When it comes to cyber-security, you can never be too safe. I’ve already set up 2-factor authentication on both accounts, and all of my other social media accounts. The TSG Twitter account is tethered to my mobile phone so I’m alerted any time someone tries to log in and only I receive the security verification codes.

What can we learn, both personally and professionally, from this?

1. Twitter did all of the right things

Bug aside, Twitter went about this in the right way. The company informed all of its users of this bug, even going as far as to explain the issue itself despite the fact that there’s little risk posed to its customers. Had the bug persisted, it would have been a disaster waiting to happen. Luckily, it was found before a breach could occur.

Not only did Twitter notify its users rather than keep the bug quiet – which, let’s be honest, would be tempting considering the reputational damage associated with any cyber-security flaws these days – it also gave advice to users on how they could further increase security on their account. In addition to changing your password, Twitter recommends that you use a strong, unique password, enable 2-factor authentication (2FA) and to consider using a password manager.

Twitter’s openness and honesty would stand it in good stead for GDPR, which comes into effect in a matter of weeks. Whilst this wasn’t a breach, Twitter followed the GDPR guidelines of notifying users of a potential issue with their data. As an avid Tweeter both professionally and personally, I feel comfortable knowing that Twitter has this in hand. Should your business experience a security flaw or data breach, follow the actions of Twitter (and certainly not Uber!).

2. Use strong and unique passwords

You could say we’ve been lucky this time. Had a hacker accessed Twitter’s user data in the period this bug was active, chances are they’d have had access to more than just people’s Twitter accounts, because of the proliferation of password reuse.

For example, let’s say this breach occurred. The successful hacker would potentially have access to all Twitter users’ passwords. I’ve no doubt that there will be millions of users using one of the 25 worst passwords of 2017 – congratulations, you’re a hacker’s dream. A simple brute-force attack could crack your accounts in no time.

The more pressing issue is that over 80% of people of all ages reuse login credentials (Keeper Security). I’ve been guilty of it myself. And the worst part of it? We’re more likely to reuse passwords on our ‘lower priority’ personal logins. For example, my online banking account passcode has always been strong and unique. But I’ve reused my Facebook password on other services. I also reused my Twitter password until a couple of years ago – worrying, because I’ve got a follower base in the thousands and, you know, a job and a reputation.

Many security experts have criticised the standard definition of a strong password, which usually insists on lowercase and uppercase letters, numbers and symbols. That’s because we struggle to remember this level of complexity and default to replacing letters with numbers or symbols – so a 5 or $ instead of S. That’s easy for a hacker to crack. The recommendation is to make your password long, with multiple unrelated words strung together. If you’re struggling to remember your wide array of passwords – 37% of people forget at least one password once a week – it’s worth considering a password manager.

3. Enable 2-factor authentication

Let’s again imagine that your password had been accessed, and that it’s strong and unique. There’s a lot of reputational damage a hacker could do by using your Twitter account. The hacker could choose to target a particularly high-profile account with thousands or millions of followers and eagerly attempt to log in. That’s when your phone pings: “xxxxxx is your Twitter login code”. You’d instantly know that your password has been compromised, but the hacker is still the one who’s foiled. They don’t have access to your phone and therefore are locked out of your account. Another method of 2FA that I use is a one-time passcode generator. This is also attached to your account and therefore can’t be used by anyone who doesn’t have access to your device or browser.

Less than a third of those online use 2FA according to Duo Security. However, that number is likely to be lower in light of the news that over 90% of Google users don’t use 2-factor authentication on their accounts. Given the ubiquity of Gmail and this empirical evidence (based on all Gmail accounts rather than a survey), we can assume that this number is likely to be more reflective of everyone.

2FA is available on a huge number of services, from Twitter and Facebook to Gmail and even a number of the business solutions you use like Office 365. It’s easy to set up and use; many users avoid setting this up because they see it as a hassle. In fact, the reason Google doesn’t make 2FA mandatory is because of usability and the fear that it would “drive out” users.

What next?

This incident is evidence that even the biggest businesses can suffer security flaws; it’s also a lesson on how to react to those flaws. Twitter would have come under serious fire if it had covered up this incident and, even though there was no data breached, it could have looked that way had Twitter not been open about it.

We should look at this as a close call and adopt best-practice recommendations when it comes to the security of our online accounts. If you’re worried about data breaches or hackers, why not take a look at our IT security section to understand which solutions will protect your business in the face of an ever-increasing cyberthreat landscape?