What Twitter tells us about passwords

On Thursday last, precisely on World Password Day, Twitter sent out a tweet, an email and even an entry on the corporate blog of its CTO, Parag Agrawal, recommending its 330 million users to change the password for the service after a bug was discovered in its system that stored passwords in plain text.

Rather than storing user passwords in a form that cannot be read, passwords on Twitter are masked through a process called hashing, which replaces the actual password with a random set of numbers and letters that are stored in the company’s system.

The company insists passwords have not been accessed or copied, but the existence of a bug that stores passwords in a file in plain text is a stunning failure of the most basic security practices.

Comments in response to Twitter’s error give an idea of how disastrous security is on the social networks generally, but the first thing we need to understand is that this is standard practice in the industry, and that’s without getting into the issue of what a secure password should look like because, in reality, today, the only secure password is one you or nobody else has never seen. Hashing functions like bcrypt, are used by Twitter and by many others for this reason.

What the Twitter incident tells us is that we need to forget all our passwords and ignore Nutella’s irresponsible suggestion to use a word that’s “in your heart”. No, no, no: passwords should not be able to be memorized by you, or even by a well trained Russian spy. Forget everything you thought you knew about creating passwords and instead put the matter in the hands of a good password manager. I’m reasonably happy with LastPass, but there are others, like 1Password, NoMorePass or others. Using them requires some discipline, but makes total sense: I could not give my passwords away even under torture… because I don’t know them and do not want to know them. All my passwords are unintelligible sequences of characters that mix uppercase and lowercase letters, numbers and signs, and that I could never memorize, not only because it would be unsafe to do so, but also because I have better things to use my memory for.

Sure, LastPass has been hacked several times, because that’s what hackers do, but anybody who accesses such a system will simply find a list of passwords for the sites you visit, but they’re encrypted, so they’re no use to anybody, and what’s more, in the event of a breach, you don’t have to change them. And if there were a problem, there is 2FA, multi-factor authentication, which I would recommend for really important services.

This isn’t paranoia, it’s common sense. If you’re still using passwords you can remember, you’re an accident waiting to happen. If there are people where you work who have a post-it with “Password: 123456” on their screen, have a word with them, because they are a potential source of expensive security problems. Let’s stop using the internet as though we were still living in the last century, shall we?

(En espa?ol, aquí)