What Twitter tells us about passwords
Enrique Dans
Senior Advisor for Innovation and Digital Transformation at IE University. Changing education to change the world...
Last Thursday, which happened to be World Password Day, Twitter sent out a tweet, an email and even a post on its corporate blog by its CTO, Parag Agrawal, recommending that its 330 million users change their password for the service after a bug was discovered in its systems that had stored passwords in plain text.
Rather than storing user passwords in readable form, Twitter masks them through a process called hashing, which replaces the actual password with a string of letters and numbers derived from it that looks random; it is that string, not the password, that is kept in the company’s system.
The company insists passwords have not been accessed or copied, but the existence of a bug that stores passwords in a file in plain text is a stunning failure of the most basic security practices.
Comments in response to Twitter’s error give an idea of how disastrous security is on social networks generally, but the first thing we need to understand is that hashing is standard practice in the industry. That is without getting into the question of what a secure password should look like, because in reality, today, the only secure password is one that neither you nor anybody else has ever seen. Hashing functions like bcrypt are used by Twitter and by many others for this reason.
What the Twitter incident tells us is that we need to forget all our passwords and ignore Nutella’s irresponsible suggestion to use a word that’s “in your heart”. No, no, no: passwords should not be memorizable by you, or even by a well-trained Russian spy. Forget everything you thought you knew about creating passwords and instead put the matter in the hands of a good password manager. I’m reasonably happy with LastPass, but there are others, such as 1Password or NoMorePass. Using them requires some discipline, but makes total sense: I could not give my passwords away even under torture… because I don’t know them and do not want to know them. All my passwords are unintelligible sequences of characters that mix uppercase and lowercase letters, numbers and symbols, and that I could never memorize, not only because it would be unsafe to do so, but also because I have better things to use my memory for.
Sure, LastPass has been hacked several times, because that’s what hackers do, but anybody who accesses such a system will simply find a list of passwords for the sites you visit; they’re encrypted, so they’re no use to anybody, and what’s more, in the event of a breach, you don’t have to change them. And if there were a problem, there is 2FA, two-factor or multi-factor authentication, which I would recommend for really important services.
This isn’t paranoia, it’s common sense. If you’re still using passwords you can remember, you’re an accident waiting to happen. If there are people where you work who have a post-it with “Password: 123456” on their screen, have a word with them, because they are a potential source of expensive security problems. Let’s stop using the internet as though we were still living in the last century, shall we?
(In Spanish, here)
Manager | PROMOTV Digital Signage - Manager | RUIZGALLARDO Consultores
6 years
Hello Enrique Dans, I have read your article and find it interesting, although perhaps inaccurate in some of its technical points. Applying a HASH function to a password produces another, summary string of alphanumeric characters. By design, the mathematical computation cannot be reversed. Moreover, changing a single character in the input produces a different summary string: https://es.wikipedia.org/wiki/Funci%C3%B3n_hash BCRYPT is a specific HASH function that differs from the others in its processing cost. The function needs more computation to obtain a result: https://en.wikipedia.org/wiki/Bcrypt Because of this characteristic of BCRYPT, *checking* a password by *brute force* takes an enormous amount of processing time. With current technology we are talking about millions of years if the length of the original password is not known: https://es.wikipedia.org/wiki/Ataque_de_fuerza_bruta It is impossible to obtain the original password from the HASH summary string. Twitter has stated (verbatim): "We recently discovered a bug that stored unmasked passwords in an internal log." That implies a critical, rookie security failure that would even merit a justified dismissal.
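The following Python is an added example, not Twitter's code and not from the post or the comment above. It shows the properties both of them describe: salted, one-way hashing with an adjustable cost factor (PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which is not in the standard library, and plays the same role), the one-character avalanche effect the comment mentions, a "rehash on login" check for hashes stored with an outdated cost, and the bug class Twitter reported, a raw credential written to an internal log, beside a redacting version and a scanner check that would flag the unsafe line. The function names, the sample login request and the list of sensitive field names are constructed for this example.

```python
"""Salted, slow password hashing plus a log-redaction check.

Added example. PBKDF2-HMAC-SHA256 stands in for bcrypt; the iteration count
plays the role of bcrypt's cost parameter (assumption of this example).
"""
import hashlib
import hmac
import os
import re
from typing import Optional

# Cost factor: each guess an attacker makes against a stolen hash costs this
# many HMAC evaluations, so raising it raises the price of brute force.
DEFAULT_ITERATIONS = 200_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh random salt per password means two users with the same password
    get different records, and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time.

    The hash is never 'decrypted': verification only re-runs the one-way
    function on the candidate and checks for equality.
    """
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_rehash(stored: str, current_iterations: int) -> bool:
    """True if the record was made with a lower cost than policy now requires
    (the usual fix is to rehash transparently on the next successful login)."""
    return int(stored.split("$")[1]) < current_iterations


def differing_hex_chars(digest_a: str, digest_b: str) -> int:
    """Count positions where two hex digests differ (avalanche illustration)."""
    return sum(x != y for x, y in zip(digest_a, digest_b))


# --- The bug class Twitter described: the raw credential reaching a log -----

# Constructed sample of a login request as an internal service might see it.
SAMPLE_REQUEST = {"user": "alice", "password": "correct horse battery staple"}

SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "secret"}


def log_line_unsafe(request: dict) -> str:
    """'Before': serialises the whole request, secret included, into the log."""
    return "login attempt " + " ".join(f"{k}={v}" for k, v in request.items())


def log_line_safe(request: dict) -> str:
    """'After': sensitive fields are redacted before the line is formatted."""
    return "login attempt " + " ".join(
        f"{k}={'[REDACTED]' if k.lower() in SENSITIVE_KEYS else v}"
        for k, v in request.items())


# A log scanner rule: a sensitive key followed by anything but the redaction
# marker is a finding worth alerting on.
_LEAK_PATTERN = re.compile(
    r"\b(?:password|passwd|pwd|token|secret)=(?!\[REDACTED\])\S+", re.IGNORECASE)


def leaks_plaintext(line: str) -> bool:
    """True if a log line carries an unredacted sensitive value."""
    return _LEAK_PATTERN.search(line) is not None


if __name__ == "__main__":
    record = hash_password(SAMPLE_REQUEST["password"])
    print("stored record:", record)
    print("correct password verifies:", verify_password(SAMPLE_REQUEST["password"], record))
    print("one-letter change verifies:", verify_password("correct horse battery stable", record))
    print("unsafe log line flagged:", leaks_plaintext(log_line_unsafe(SAMPLE_REQUEST)))
    print("safe log line flagged:", leaks_plaintext(log_line_safe(SAMPLE_REQUEST)))
```

The stored record carries its own cost, so the cost can be raised later without breaking existing logins: `needs_rehash` tells the login handler when to replace an old record. Note that none of this helps if the password is logged before it reaches `hash_password`, which is exactly the failure the post describes; that is why the redaction belongs in the logging layer itself, and why a scanner rule like `leaks_plaintext` is worth running over internal logs as a detective control.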