Technology

Authors: Jordan

As you've most likely noticed, this morning we've woken up to a major security incident, with Twitter advising all its users to change their passwords following a bug in the company's systems which led to those passwords temporarily being stored in plain text (rather than being hashed, i.e. disguised as a string of meaningless random letters and numbers via an algorithm).

Off the bat, it's important to note that this is not a security breach (an actual known leak of user data) as such, because Twitter asserts that the unmasked passwords were stored in an internal log, and only there, with an investigation finding no indication of breach or misuse of those passwords.

As David Emm, principal security researcher at Kaspersky Lab, explains: Twitter's notification indicates that they hash passwords using bcrypt. They say that, because of a bug, unhashed passwords were stored in an internal log. They don't believe that the passwords have been exposed, but are alerting people just to be on the safe side.

So the advice to change your Twitter password is a precautionary measure taken, in the firm's words, "out of an abundance of caution".

In short, Twitter believes that there is nothing awry, and no password data has been leaked externally in any form, but evidently can't declare this as a watertight certainty. Hence the need for the aforementioned caution, which Twitter has been careful to frame in the least-worrisome light possible with the use of a term like "abundance".

Of course, Twitter also advised folks to change their password "on all services where you've used this password"; in other words, on any online accounts where you've reused your Twitter password.

And a lot of folks could be in that boat, as Steve Schult, senior director of product management at LastPass, told us: Many people are going to want to change their Twitter password today, because we know people are continuing to use some pretty risky password behaviors. In fact, in our recent Psychology of Passwords survey we found that 91% knew that using the same password for multiple accounts is a security risk, but 59% admitted that they continued to do so.

Raj Samani, chief scientist and fellow at McAfee, added: McAfee's recent research revealed a third of people rely on the same three passwords for every account they're signed up to. If you use the same password for Twitter and a number of other apps and accounts, a cybercriminal only needs to get their hands on this once to potentially gain access to private and even financial information. Hopefully Twitter's news will prompt people to wake up and really think about the passwords they're using.

Protect yourself

So, let's talk about the steps you can take to best maintain the security of your online accounts when issues like this Twitter bugbear (or indeed full-on data breaches where user data is definitely spilled or stolen) crop up.

Probably the most important move to make is to enable two-factor authentication on your accounts, at least where sites or services in question support this (and most big players do these days).

Two-factor authentication simply means you need a second element to access your account: not just your password, but also, for example, a code texted to your smartphone. This means that even if a malicious party does manage to obtain your password, when they go to log in to your account, they won't be able to get that code (because it's sent to your mobile), and so they'll fail in their attempt to gain access.

For advice on how to set this up with Twitter, check out our guide here.

David Emm from Kaspersky Lab imparted the following tips on making your password as strong as possible, and on password usage in general:

Make every password at least 15 characters long, but the longer the better.

Don't make them easily guessable. There's a good chance that personal details such as your date of birth, place of birth, partner's name etc., can be found online, maybe even on your Facebook wall.

Don't use real words. They are open to dictionary attacks, where someone uses a program to quickly try a huge list of possible words until they find one that matches your password.

Combine letters (including uppercase letters), numbers and symbols.

Don't recycle them, e.g. david1, david2, david3, etc.

Use a different password for each account to prevent all of your accounts becoming vulnerable.

That last point comes back to the point made by Steve Schult earlier, regarding the prevalence of this bad security practice, and he added: When users change their Twitter password it's important they select a unique, strong password that hasn't been used on other online accounts.

Memorizing complex, unique passwords for every online account is nearly impossible and can result in users cutting corners at the expense of their own security. Thankfully there's technology available that can make managing your passwords easier and more secure.

By using password managers, remembering more than one password should be a thing of the past. All the work is done for you, and it's the easiest way to ensure your accounts are secure and protected.

It's worth remembering that you don't need to fork out cash for a good password manager app either; we've rounded up the best free password managers and generators here.
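
For readers who run their own services, the failure described at the top of this article (passwords reaching an internal log unhashed) is the kind of thing a log-scrubbing filter is meant to catch. The Python sketch below is an added example, not Twitter's code and not part of the original article; the field names, logger names and sample request are assumptions constructed for illustration.

```python
import io
import logging

# Assumed (hypothetical) names of request fields that must never be logged.
SENSITIVE_KEYS = {"password", "new_password", "current_password"}
REDACTED = "[REDACTED]"

def scrub(value):
    """Return a copy of value with sensitive dict fields masked, recursively."""
    if isinstance(value, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value

class RedactSecrets(logging.Filter):
    """Mask sensitive fields in log arguments before any handler formats them."""
    def filter(self, record):
        # logging unwraps a single dict argument, so args may be a dict or a tuple.
        if isinstance(record.args, dict):
            record.args = scrub(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(scrub(a) for a in record.args)
        return True

def log_signup(request, redact):
    """Log a signup request to an in-memory sink; return what reached the log."""
    sink = io.StringIO()
    logger = logging.getLogger("signup.redacted" if redact else "signup.raw")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(sink))
    if redact:
        logger.addFilter(RedactSecrets())
    logger.info("signup request: %s", request)
    return sink.getvalue()

# Constructed sample request, not real data.
SAMPLE = {"user": "alice", "password": "correct horse battery staple",
          "profile": {"email": "alice@example.com"}}

if __name__ == "__main__":
    print(log_signup(SAMPLE, redact=False), end="")  # plaintext password in the log
    print(log_signup(SAMPLE, redact=True), end="")   # password field masked
```

A filter keyed on field names only covers structured log arguments; a password already interpolated into the message string before the logging call is not caught by it.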




