Twitter has advised its users to change their passwords after discovering that a systems flaw had resulted in some passwords being written to an internal log before the encryption process was complete.
“We recently identified a bug that stored passwords unmasked in an internal log,” the company told users. “We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.”
Twitter has not revealed how many passwords were affected, but according to the BBC, the number is understood to be “substantial” and that they were exposed for “several months”.
Twitter also reportedly discovered the bug a few weeks ago and has reported it to some regulators before deciding to go public and warn users.
Although there is no known breach, this has again underlined the importance of organisations following best practices and the real need for an alternative authentication method to passwords.
At the very least, industry commentators say Twitter should not simply give users the option of enabling two-factor authentication (2FA), but should enable it as the default.
Although masking passwords using the bcrypt hashing function is laudable, Twitter did not follow best practices, said Ambuj Kumar, co-founder and CEO of Fortanix.
“As a result, passwords got written in plaintext log files, exposing them to anyone who had access to the log files,” he said.
Although Twitter claims it has removed the passwords and is implementing plans to prevent the bug from happening again, Kumar said there is no guarantee, and so users should follow Twitter’s advice to change their passwords on Twitter and anywhere else they have used the same password.
“Many organisations use backup systems and create various copies of the same files on multiple hard drives and systems, so the question remains as to whether Twitter removed all the copies from all the systems, or is there a copy on some internal system that will show up many years from now when people may have forgotten about this incident?” he said.
The security industry as a whole should set higher standards for securing sensitive information such as passwords, Kumar added.
UK National Cyber Security Centre (NCSC) technical director Ian Levy has named identity and authentication as among the top areas that cyber security innovators should seek to tackle.
“We have got to get rid of passwords,” Levy told Computer Weekly. “They don’t work and they don’t do what people think they do. They don’t work for people, let alone security. We need better ways of authenticating.”
Mike Banic, vice-president of marketing at Vectra, said Twitter is one of many web-based and mobile applications that do not require two-factor authentication as the default, even though Twitter users can enable 2FA by changing the default setting.
He said the importance of 2FA is shown by the fact that the breach of data from the US Office of Personnel Management started with the cyber attackers using stolen credentials to pose as a legitimate employee of an OPM contractor performing background investigations.
Heather Howland, vice-president of marketing at Preempt, said the Twitter password bug highlights a need for IT security teams to be able to proactively find weak passwords.
“Employees often re-use passwords for both personal and business use,” she said. “Forcing regular password changes for everyone has become ineffective, so finding better ways to identify the weak passwords in real time and enforcing contextual password updates when they are actually needed will be more effective.”
Ryan Wilk, vice-president of customer success at NuData Security, a Mastercard company, said it is time for organisations to move beyond the vulnerabilities of the least reliable of all the security measures they can take, and adopt a layered defence approach incorporating highly trusted forms of authentication.
“Passwords are static information that can be easily re-used by would-be thieves, and experts advise that it is no longer a question of if but when an organisation’s or individual’s passwords are going to be stolen, especially now that we’ve entered the age of mega-breaches.
Static passwords unreliable
“Unfortunately, too many people still don’t understand just how unreliable static passwords are as an effective security mechanism. In fact, many continue to re-use their usernames and passwords across many sites, even going so far as to re-use their employee usernames with accounts opened for personal use. As a result, when one account gets hacked, all of their accounts are left vulnerable, along with their employer’s valuable information.”
Wilk added: “The use of passwords to control account access is more a quaint artifact of a simpler era than an effective security measure. Static passwords are easily stolen and re-used, leaving the user and organisation vulnerable to account takeovers and theft.”
According to Wilk, organisations should be implementing passive biometrics and behavioural analytics that use the uniqueness of user interactions with devices and services to build a digital identity profile, enabling organisations to ensure the user is who they say they are – and not a fraudster using a stolen password.
Michael Magrath, director of global regulations and standards at VASCO Data Security, said organisations’ reliance on a single shared secret to protect sensitive personal identifiable information (PII) has been very lucrative for hackers.
“While no security solution is 100% secure, in 2018, organisations not deploying risked-based authentication system are hoping they can dance between the raindrops, yet most consumer-facing websites today do not offer any alternatives to username, password and a narrow set of challenge questions that can often be answered with Facebook searches,” he said.
But that may be changing, said Magrath. “The Fido Alliance and the World Wide Web Consortium (W3C) recently announced FIDO’s Web Authentication (WebAuthn) protocol to the Candidate Recommendation (CR) stage – a precursor to final approval of a web standard,” he said. “The W3C has invited online services and web app developers to implement WebAuthn – and Google, Microsoft and Mozilla have all pledged support.”
According to Magrath, WebAuthn can also support various biometric logins, including face and voice recognition, fingerprints and iris scanning.
“It enables users to register non-password biometric or second-device authentication methods with the service, thus replacing the password,” he said.
“Passwords are likely to be used for eternity in some shape or form, but the computer password as we know it may be on life support. Its time has clearly come and gone.”
Twitter has published these tips on account security:
Change your password on Twitter and on any other service where you may have used the same password.
Use a strong password that you don’t reuse on other services.
Enable login verification, also known as two-factor authentication. This is the single best action you can take to increase your account security.
Use a password manager to make sure you are using strong, unique passwords everywhere.