On Thursday, Twitter chief technology officer Parag Agrawal disclosed in a blog post that the company had inadvertently recorded user passwords, in plaintext, in an internal system. This is not how things are supposed to go! And while Twitter has fixed the bug, and doesn’t think any of the exposed passwords were accessed in any way, you should still change your Twitter password right now to make sure your account is secure.
“It’s a bad thing and Twitter should be held to the fire for it,” says David Kennedy, CEO of the penetration testing firm TrustedSec. “But they are taking the right steps by requesting everyone change their password and making the bug public versus hiding it.”
Twitter has begun notifying both mobile and desktop users to change their passwords, but several people have reported errors and lags, presumably because everyone is trying to make account changes at once (which is good!).
Companies generally protect user passwords by running them through a one-way cryptographic process known as hashing, so that only the hash, not the password itself, is stored. As Agrawal explained, Twitter does this, too, using a well-regarded password hashing function called bcrypt, which is deliberately slow and salted to make brute-force guessing expensive. But a bug caused Twitter to write passwords, unprotected, to some type of internal log before its password management system finished hashing them. The system would then complete the hash, and everything would look fine, even though the passwords were readable in the log. Hashing only protects a password at rest if the plaintext never persists anywhere else, which is exactly why a stray log entry defeated it. While it’s great that Twitter eventually realized…
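To make the failure mode concrete, here is an added example (not Twitter's code, and not from the article) that models a password-change handler in Python. It contrasts a buggy version that logs the raw request before the hash is computed with a fixed version that redacts sensitive fields first, and includes a small scanner of the kind a team would run over its own logs to catch this class of leak. Assumptions: the in-memory `LOG` list stands in for an internal logging system, and bcrypt is replaced by PBKDF2-HMAC-SHA256 from the standard library so the example runs with no third-party dependency; the logging and redaction logic is the point, not the choice of hash.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Constructed in-memory log sink standing in for an internal log system (assumption).
LOG: List[str] = []

# Request fields that must never reach a log in the clear.
SENSITIVE_FIELDS = {"password", "new_password", "password_confirmation", "token"}

# Matches 'password' / 'passwd' / 'pwd' keys followed by a value that is not the
# redaction marker, in JSON-ish or key=value log lines.
PLAINTEXT_PASSWORD_RE = re.compile(
    r"""(?i)(password|passwd|pwd)["']?\s*[:=]\s*["']?(?!\[REDACTED\])[^"',}\s]+"""
)


def log_event(message: str) -> None:
    LOG.append(message)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Stand-in for bcrypt (assumption): salted PBKDF2-HMAC-SHA256, 100k rounds.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def redact(payload: Dict[str, str]) -> Dict[str, str]:
    # Replace sensitive values before the payload goes anywhere near a log.
    return {
        key: ("[REDACTED]" if key.lower() in SENSITIVE_FIELDS else value)
        for key, value in payload.items()
    }


def change_password_buggy(payload: Dict[str, str]) -> str:
    # The shape of the bug described above: the raw request, password included,
    # is written to the log before the hashing step completes.
    log_event(f"password_change request={payload!r}")
    return hash_password(payload["password"])


def change_password_fixed(payload: Dict[str, str]) -> str:
    # Log only the redacted view; the plaintext exists solely as input to the hash.
    log_event(f"password_change request={redact(payload)!r}")
    return hash_password(payload["password"])


def log_leaks_secret(log_lines: List[str], secret: str) -> bool:
    # Direct check when you know the value to look for (e.g. a test account's password).
    return any(secret in line for line in log_lines)


def find_plaintext_password_lines(log_lines: List[str]) -> List[str]:
    # Pattern-based check for real logs, where the values are unknown.
    return [line for line in log_lines if PLAINTEXT_PASSWORD_RE.search(line)]


if __name__ == "__main__":
    request = {"user": "alice", "password": "correct horse battery"}  # constructed input
    change_password_buggy(request)
    print("buggy handler leaked password:", log_leaks_secret(LOG, request["password"]))
    LOG.clear()
    change_password_fixed(request)
    print("fixed handler leaked password:", log_leaks_secret(LOG, request["password"]))
    print("flagged lines:", find_plaintext_password_lines(LOG))
```

The pattern scanner is intentionally loose (it will also flag `pwd=` style query strings); in practice you would run it over a sample of every log stream a request touches, including framework debug logs and crash reporters, since those are exactly the places a pre-hash copy of a request tends to end up.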