Like many online companies, Twitter hashes user passwords so that the plaintext is never stored on its servers, protecting them from prying eyes. Unfortunately, a bug disrupted this process for “several months”, and Twitter is now advising all 336 million users to change their passwords immediately.
Twitter CTO Parag Agrawal explained that a fault in its bcrypt hashing process caused user passwords to be exposed in plaintext, “written to an internal log before completing the hashing process.”
“We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” explained Agrawal, while noting that there are no signs of foul play. “We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.”
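The article describes the failure mode only in outline: the plaintext was written to an internal log before hashing finished. The following Python is an added illustration, not Twitter's code (the article does not describe Twitter's implementation), of why the order of "log the request" and "hash the password" matters, together with the sort of check a defender runs over log samples to catch it. Because bcrypt is not in the Python standard library, `hashlib.pbkdf2_hmac` stands in for it; the function names, the `request` dict layout and the log lines are all constructed for this example.

```python
"""Added example: hashing a password correctly versus logging it first.

hashlib.pbkdf2_hmac stands in for bcrypt (assumption: the logging mistake
being illustrated is independent of which password hash is used).
"""
import hashlib
import hmac
import os
import re
from typing import List, Optional

ITERATIONS = 200_000          # work factor, analogous to bcrypt's cost
SENSITIVE_KEYS = {"password", "new_password", "token"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted, iterated hash. Only this string belongs in storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def change_password_buggy(request: dict, audit_log: List[str]) -> str:
    """The mistake the article describes: the raw request is written to a log
    *before* the hash is computed, so the plaintext lands on disk."""
    audit_log.append(f"password change requested: {request!r}")
    return hash_password(request["password"])


def redact(request: dict) -> dict:
    """Replace secret-bearing fields before anything is logged."""
    return {k: ("<redacted>" if k in SENSITIVE_KEYS else v) for k, v in request.items()}


def change_password_fixed(request: dict, audit_log: List[str]) -> str:
    """Hash first, log second, and never log the field that carried the secret."""
    stored = hash_password(request["password"])
    audit_log.append(f"password change requested: {redact(request)!r}")
    return stored


# Heuristic for log review: a 'password' key followed by a non-redacted value.
_PASSWORD_FIELD = re.compile(
    r"""(?i)['"]?password['"]?\s*[:=]\s*['"]?(?!<redacted>)[^'"\s,}]+"""
)


def flag_password_fields(line: str) -> bool:
    """True if a log line appears to carry a plaintext password value."""
    return _PASSWORD_FIELD.search(line) is not None


def lines_leaking(audit_log: List[str], secret: str) -> List[int]:
    """Indexes of log lines containing a known secret (a targeted audit check)."""
    return [i for i, line in enumerate(audit_log) if secret in line]


if __name__ == "__main__":
    # Constructed sample request; "correct horse" is a placeholder password.
    req = {"user": "alice", "password": "correct horse"}
    bad_log: List[str] = []
    change_password_buggy(dict(req), bad_log)
    good_log: List[str] = []
    stored = change_password_fixed(dict(req), good_log)
    print("buggy log leaks plaintext:", lines_leaking(bad_log, req["password"]))
    print("fixed log leaks plaintext:", lines_leaking(good_log, req["password"]))
    print("heuristic flags buggy line:", flag_password_fields(bad_log[0]))
    print("heuristic flags fixed line:", flag_password_fields(good_log[0]))
    print("stored hash still verifies:", verify_password(req["password"], stored))
```

Run it as a script to see the buggy handler's log line flagged and the fixed handler's line pass, while the stored hash still verifies the original password. The `flag_password_fields` heuristic is the piece worth keeping around: run over a sample of log output after any change to request logging, it catches the class of bug the article describes even when the specific secret is not known in advance.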
The exact number of affected users hasn’t been revealed, and extending the advice to all 336 million users looks more like a precaution than an indication that every account was affected. Kaspersky Lab has commended the platform for taking responsibility and communicating clearly with account holders, while offering its own advice on improving password security.
“This story does, however, highlight the importance of using unique passwords for all online accounts, as well as two-factor authentication for added security, where it’s available,” explains David Emm, Principal Security Researcher at Kaspersky Lab, in an email to KitGuru.
Every password should be at least 15 characters long, and the longer the password, the more secure it will be, explains Kaspersky Lab. It should avoid personal details such as the user’s birthday, partner’s name, family details and anything else that could be guessed or identified from online profiles.
Avoiding real words altogether benefits the user tremendously, especially when combined with mixed-case letters, numbers and symbols. Passwords should also differ per account, so that a breach of one platform does not spread to the others.
Users can make use of third-party password managers such as LastPass or 1Password, which help achieve all of this with a single master password. Most of all, however, users should enable two-factor authentication, which Twitter’s Agrawal notes “is the single best action you can take to increase your account security.”
KitGuru Says: It’s entirely possible that Twitter’s open and honest attitude stems from being closely watched thanks to the Facebook debacle, but it’s a refreshing take on the ‘swept-under-the-rug’ attitude nonetheless. Make sure to change your passwords when you can and diversify them as much as possible. When was the last time you changed your password?