Twitter's security breach: a reminder to choose and use web passwords wisely.


18 Responses to “Twitter's security breach: a reminder to choose and use web passwords wisely.”

  1. GiantSnowman says:

    Last week I signed up for 4 different forums just to see if anything interesting was written in them. All in all I think I have about 20 accounts on online forums and services at the moment. Sometimes I start to register to a forum and it turns out that I signed up last year and forgot about it.

    I can’t imagine actually using different usernames and passwords for all of them, I’d never be able to keep track. I wish there was some single system I could trust to verify that I am the same person without building up another database on all my online activities.

  2. Anonymous says:

    Strong passwords and password/pattern reuse should have no bearing on the sensitivity of the contents of any properly implemented web site authentication database, because that information should always be salted (combined with a random value) and hashed (reduced to a digital signature), and never stored in the clear. A hacker gaining access to the database would then have no way of utilizing any authentication information on any other web site or system.

    - Michael

  3. OoerictoO says:

    what i want to know is:

    WHY would ANYONE, let alone a corporation, use google docs for sharing/collaboration of private information?

    google, by their TOS have access to ALL the verbiage therein. that’s how they make money.
    maybe i’m wrong about docs and that only applies to gmail/calendar?
    if i were google, the temptation to see what twitter has planned might be all too alluring.

    i really need to get the gmail monkey off my back.

  4. Anonymous says:

    LOL. Passwords are inherently insecure (just like social security numbers). Online financial transactions should require a crypto key device (such as the RSA keyfob) or a one-time pad (printed on the back of monthly statements).

    Maybe the increasing frequency of high-level cracked accounts will finally spark someone to implement a real security mechanism for online services.

  5. OoerictoO says:

    @GIANTSNOWMAN:

    http://openid.net/

  6. Anonymous says:

    Regarding the issues of posting the docs… if that is improper, then so is the practice of low-brow newspapers publishing scurrilous and embarrassing dirt that they find on ‘celebrities’.

    I’m not arguing for or against: just that if one is made unlawful, then the other should be too. Viz France’s very strong privacy laws.
    TimH

  7. nowen says:

    OpenID will help reduce the number of passwords that you have, but you really need two-factor authentication. This is an option with the Enterprise version of Google Apps for your Domain using open source two-factor authentication:

    http://www.howtoforge.net/two-factor-authentication-for-google-apps-for-your-domain-using-sso-saml-and-wikid-strong-authentication-server

    Enjoy.

  8. ericblair says:

    Yeah, sure, we’re all going to have strong unique passwords for each one of our six thousand random accounts with different password requirements and expiration intervals without writing them down or otherwise storing them somewhere. This model simply does not work for anyone who hasn’t got photographic memory. I’ve settled on a low-security password that I commonly use for non-sensitive sites, and several high-security ones for financial and medical stuff.

    The problem now is a sort of arms race by IT departments to require longer passwords with more special characters and shorter expiration intervals. How many people are going to commit a 15-character password with multiple special characters that expires every 45 days to memory, and who is going to write it on a sticky or keep it in a spreadsheet? It looks good to management, but it isn’t secure because of the way you’re forcing users into workarounds.

  9. imron says:

    It’s not the passwords that were the problem. It was the “forgot your password” secret question, which is usually quite easily guessable by anyone who knows even the tiniest bit of personal information.

    I hate it how so many websites have this “feature”, which is typically a mandatory field of the sign-in process and is a gaping security hole. Even worse are the ones that don’t let you specify your own question and put in things like “mother’s maiden name”, “place of birth”, “first pet” etc, which any other family member or close friend would easily know. Personally I always just fill this field in with a long string of random keypresses that I will never be able to re-type, and no-one will ever be able to guess.

  10. Anonymous says:

    I like lastpass.com so far. Has it been compromised?

  11. Anonymous says:

    Isn’t it also a bad idea for Twitter to be using Google Apps in the first place? Posting sensitive information on a potential competitor’s website isn’t usually a good idea. I know Google Apps isn’t supposed to “peek”, but still. At this point, can’t Twitter afford Open Office?

  12. waterlovinguy says:

    DON’T remember passwords. Remember a FORMULA for your passwords. For example:

    First letter of site, capitalized + favorite food + dog’s name + some number
    (No this is not my formula, sorry)

    If you do this, you can have a unique password for every site, yet you only need to remember one thing.

  13. RevEng says:

    There are multiple problems here.

    First, these aren’t just average Joes — these are employees of a high-profile company. High-profile means they will be directly targeted by people who wish to get inside Twitter. Using a stronger password might keep script kiddies from accessing your bank account, but it won’t keep a determined attacker from finding a way in.

    The failures start with the “secret question”. The question isn’t a secret and, most of the time, neither is the answer. Almost every question ever used could be looked up in public records. Most of the time, different websites use the exact same questions.

    This leads to another problem: common credentials. Crack the password to your x-forum account, and they also know the password to your email, Twitter, Google, and hundreds of other websites, because most people use the same login name and password across sites.

    This is compounded by timeliness. A password is “something you know”, which means once somebody else knows it, they also have complete control. The only way to stop them is to change the password — if they don’t do it first. Until you change it, they can walk in any time they like. Knowledge is a fluid thing — it can be read or overheard, captured, and distributed infinitely. A single leak of that password is all that is needed to compromise your account. That’s where two-factor authentication comes in: it’s a lot harder to get a hold of something physical, like the keyfob on your keyring, and it’s exponentially more difficult to get that and your password both at the same time.

    The problem goes beyond the passwords themselves. Even the best password in the world can be grabbed by a keylogger or pillaged from a poorly-designed database. Even salting and hashing can only do so much — offline brute-force of a large database, using rainbow tables and cheap distributed computing, can yield a password within minutes. Who says you even need to break in through the front door? Many websites are built on shaky ground, with plenty of well-known exploits that make accessing administrative services trivial. All the up front security in the world doesn’t matter when your website is running on IIS on an old, unpatched Windows 2000 box.

    Security is hard because: a) the attacker(s) always have more motivation and resources than you do, and b) the attacker only has to overcome the weakest link.

    I’m not saying it’s impossible to make yourself more secure, but anybody who thinks you can be “secure” (in the sense that you are impervious to attack) is kidding themselves. Security is about mitigating and reducing risk, not eliminating it. Security breaches will always happen.
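
Added example (not part of any comment in this thread, and not any site's actual code): the salted, hashed password storage that comments 2 and 13 discuss, written with Python's standard-library PBKDF2. The function names, the iteration count and the sample password are assumptions made for illustration; a per-record random salt means a table precomputed for one record does not apply to another, and the iteration count sets the cost of each offline guess.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Create a storable record: random per-user salt plus a slow salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def needs_rehash(record: dict, target: int = ITERATIONS) -> bool:
    """Flag records made under a weaker work factor for upgrade at next login."""
    return record["iterations"] < target


def demo() -> dict:
    # Constructed sample: one password reused on two hypothetical sites.
    reused = "Pizza-Rex-42"
    site_a = make_record(reused)
    site_b = make_record(reused)
    legacy = make_record(reused, iterations=1_000)
    # Unsalted fast hash: identical everywhere, so one leak matches all copies.
    unsalted_a = hashlib.sha256(reused.encode()).hexdigest()
    unsalted_b = hashlib.sha256(reused.encode()).hexdigest()
    return {
        "salted_records_differ": site_a["hash"] != site_b["hash"],
        "unsalted_records_identical": unsalted_a == unsalted_b,
        "correct_password_accepted": verify(reused, site_a),
        "wrong_password_rejected": not verify("Pizza-Rex-43", site_a),
        "legacy_record_flagged": needs_rehash(legacy) and not needs_rehash(site_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Salting changes what is stored, not how guessable the password is: a short or common password in a leaked record can still be found by guessing, which is why the work factor and the upgrade check matter.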

  14. robulus says:

    @Dorothy

    I don’t have much of an answer for you, but I applaud the use of stanzas in your comment.

    Nice job.

  15. mdh says:

    I applaud the use of stanzas in your comment.

    seconded

  16. Anonymous says:

    Many banks in the UK now issue these little card reader RAS devices (like little calculators) you have to use for any but the most basic online transactions. First Barclays, now Smile, probably more. Assumed this was a global roll-out… Surely to become so.
    Dan

  17. nosehat says:

    #3: “It’s not the passwords that were the problem. It was the “forgot your password” secret question, which is usually quite easily guessable by anyone who knows even the tiniest bit of personal information.”

    I’ve never answered one of these “security” questions straight. My first pet’s name is always something like “oijf8938LKJd89qoidj*(Fokf”, and I store this info, securely, the same way I store my password.

    However, this is something people need to learn. My first password, in the mid-80s, was “password”. I thought I was so clever, until I stumbled across an article by a system administrator who found that 40% of her users used “password” as their password. That was the beginning of my education in online security.

    “Here oijf8938LKJd89qoidj*(Fokf! Sit oijf8938LKJd89qoidj*(Fokf! What a good boy!”

  18. elfspice says:

    there is a recent bruce schneier article about passwords. here’s my thoughts about this issue:

    1. brute force guessing of passwords that are not dictionary words is virtually impossible somewhere between 6 and 8 characters long (assuming alphanumeric that’s 8^36 permutations) within a reasonable amount of time and definitely not possible with a sensible lockout policy after a small number of failures.

    2. most of the time passwords are stolen by trojan keyloggers and the like, and social engineering attacks, which phishing is a more sophisticated form of.

    3. keyloggers can be got around by using onscreen clickable password input systems, very few trojan keyloggers can log mouse clicks and locations and a well designed input system can further obfuscate this by randomising the location of the keys.

    4. biggest problem with password security is websites that don’t use hashed and salted passwords generated user-side and transmitted thusly obfuscated. this opens users up to the risk of hackers harvesting user logins.

    my personal opinion on this topic is that there needs to be formed an international authority on online security which gathers, defines and certifies online security best practise. i nominate, for one, bruce schneier to sit on the board. and i am putting my hand up to vote for my country (australia) to join and adhere and enforce its policies (it’s a problem that needs to be addressed on all levels of the system, user and service provider side and within academia where programmers are taught networked application coding).
