There's a new corporate security problem: Twitter announced that all its users -- more than 330 million -- need to change their passwords. Like, right now.
It gets old. Whether it was hackers getting 6 million LinkedIn passwords in 2012, last year's Equifax security breach, or the SunTrust data theft by an employee this year, the problems keep coming, year in and year out. And that doesn't even include the Facebook/Cambridge Analytica fiasco.
Twitter today announced that a bug allowed the storage of clear text passwords in an internal log, rather than ensuring they were encrypted. Here is the explanation that pops up when you log in:
When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.
Out of an abundance of caution, we ask that you consider changing your password on all services where you've used this password.
An abundance of caution? Maybe. But consider that, as with SunTrust, there are circumstances in which current or former employees might steal data to sell. Or maybe someone had broken into a company's networks and was on the lookout for data to grab.
One person's abundance of caution is another's reasonable prudence. Currently, prudence includes recognition that because you cannot trust every company to adequately protect your data, you cannot trust any company to do so. It doesn't matter what the reason might be or how quickly a company found it. (Twitter said that it discovered the bug "recently," whatever that means.) All you need to know is that someone is going to screw up and your data will be at risk.
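To make the bug concrete, here is an added Python example (not Twitter's code; the signup path, function names and the constructed log lines are assumptions): the leaky pattern of a debug line that dumps the request before the password is hashed, beside the two defences a practitioner wants, hashing with a salted PBKDF2 before anything else touches the password and a handler-level filter that scrubs password fields from every log record as a safety net.

```python
import hashlib
import hmac
import logging
import os
import re
# Constructed demo: a signup path that, like the bug described above, copies the
# raw password into an internal log. The fixes: hash first, and scrub secrets at the sink.
SECRET_RE = re.compile(r"(?i)\b(password|passwd|new_password)\s*[=:]\s*.*")

class RedactSecrets(logging.Filter):
    """Sink-level safety net: blanks the rest of the line after a password key (over-redaction is the safe direction)."""
    def filter(self, record):
        record.msg = SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", record.getMessage())
        record.args = ()
        return True

class ListHandler(logging.Handler):
    """Captures formatted lines so the demo can show what would have hit disk."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 (stdlib); store this string, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def signup(username, password, redact):
    """Return (stored_hash, log_lines); redact=False reproduces the leaky pattern."""
    log = logging.getLogger("signup.redacted" if redact else "signup.raw")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.handlers.clear()
    sink = ListHandler()
    if redact:
        sink.addFilter(RedactSecrets())
    log.addHandler(sink)
    # The bug: a request-dump debug line written before the password is hashed.
    log.debug("signup request user=%s password=%s", username, password)
    stored = hash_password(password)
    log.info("stored credential for user=%s", username)
    return stored, sink.lines
```

With `redact=False` the captured log line carries the raw password, exactly the artifact a log-shipping pipeline or a curious insider would later find; with `redact=True` only `password=[REDACTED]` reaches the sink while the stored hash still verifies.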
You've probably heard all these suggestions before, but it's time to look at them again.
- Use strong passwords. Don't try something clever like substituting numbers for letters (like a 3 instead of an e) or employing funny spelling. Expert digital criminals are far more clever than you and have seen all of this so many times that they use password hacking applications to automate the process. Use long passwords -- mine typically run 20 to 30 characters unless I'm forced to use fewer -- and include random collections of upper- and lower-case letters, numbers, and symbols.
- Don't reuse passwords. Choose a new one for every site and application. Yes, it's a pain. I promise that it will be a bigger pain if someone gets one of your passwords and then reuses it at other sites.
- Use a password safe. A cloud-based one can give you access wherever you go. (But be sure to use a really tough password for it.)
- Use two-factor authentication that will require you to take an action on your phone. You can typically set a browser to be recognized by a web service so you don't go through it every time. Still somewhat annoying, but important.
- Also avoid using the same security questions and answers on multiple sites. If someone can find your mother's maiden name on one site, they can use it on another.