Twitter users need a password change (as do we all)

Password is not an effective password.

A bug in Twitter’s internal operations means Twitter users get to come up with a brand new password. And if you’ve always wanted to know about strong passwords to secure you’re own, this is for you, too.

When companies mess up, they generally have an obligation to their user base to point it out and not keep them in the dark. And that’s what Twitter is doing this week, because if you use that social media service, you’re going to be asked to change your password.

Twitter’s Chief Technology Officer Parag Agrawal wrote a blog this week detailing that Twitter users should change their password this week, especially if they’ve been using that password on other services as well.

While passwords should be secured in a way that makes it so that no one else can see them, that hasn’t quite been the case inside of Twitter.

Typically, services that you register usernames and passwords for accounts should be encrypted, making them a little more airtight inside the service. The process is also known as hashing, and includes an algorithm to turn the password into a string of characters that is nonsensical, compared to the outright password you might be typing in.

Deciphering these hashed strings comes down to password cracking, something that takes a lot of time, compared to seeing the password and merely using it, matching it to a user and seeing what else it works with.

In 2018, we expect that all places where you register an account and have passwords at should be hashing passwords, or at the very least encrypting using some other method.

Twitter is reportedly doing that, however the company has highlighted a bug this week that allowed passwords to be written the way they were before the hash to an internal log before the hashing process was complete. That means that while Twitter was doing the right thing and encrypting your password, it was also doing the wrong thing and storing your passwords to plain text for anyone inside the company to read.

“We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” wrote Agrawal in Twitter’s blog.

While it’s greater that Twitter found the bug, this bug also means anyone using Twitter may technically have that password compromised. It’s not necessarily going to happen, but as a precaution, Twitter is advising its users to change their password, and if they use that same password on other services, to change that password as well.

Password habits

One of the things you learn quickly about passwords is that we’re not great at them as a whole.

There are some perfectly great reasons for this, coming down to just how many services we’re all subscribed to and using — Gmail, Facebook, Twitter, LinkedIn, Uber, Menulog, Evernote, iCloud and the App Store, GitHub, and so on and so on — to how many passwords we want to remember.

The simple reality is that with everything else we have in our lives, remembering a lot of passwords isn’t easy, and unless you’re using a password app or are storing your passwords somewhere secure that only you know about, there’s a good chance you’re using the same passwords across the board.

Frustratingly, that means if you’re using the same password for Twitter that you were for Facebook, you need to change both, and do it ASAP.

Most (if not all) security experts will recommend having a different password for every service to minimise the chances of security breaches, and this falls under that area.

While not everyone will take this approach, those that do should find themselves with better security across the board.

What’s a strong password?

Strong passwords are the name of the game, and it’s not just “password” or “password123”.

Unbelievably in this day and age, these passwords still persist and are in use by people, and passwords like “123456”, “password”, and “12345678” topped the list in last year’s list of the worst 100 passwords online, published by annually by Splash Data.

If you’re using one of these passwords, stop immediately and change it ASAP.

Instead, consider using a strong password, because simple passwords like these can be easily guessed or broken.

Consider a strong password made up of either a word or phrase, with numbers you can recognise, and some punctuation characters that help to bolster the security.

A common approach is to use a phrase you’d associate with the service in question. Since we’re talking about Twitter, you might think of “talking to friends”. Take that phrase and replace characters with numbers and punctuation so that it renders as “talking!t0!friends” or “TalkingT0Friend$!”.

The longer the password the better, so make sure it’s longer than eight characters and includes at least one number and one piece of punctuation, and if you can a capital letter as well. The stronger the character set is, the harder it is to break.

How can you manage secure passwords for every service?

Having one secure password is great, but how do you keep several secure passwords across several services?

While there are password apps like LastPass that can help, one trick we’ve heard over the years has been to make a variant of a strong password for each network you need to log in at.

If you’re happy with the way your strong and secure password has turned out and you’d prefer to use it or something like it for every service, don’t just reuse that password, modify it for that service.

Let’s take one of those passwords from before, “TalkingT0Friend$!”. If we’re happy with that as a password we can use for everything, but know there’s a risk it could be broken, consider personalising it for a service. For instance, it might be “TalkingT0Friend$!”, but you can add a few letters to make it different for services.

For Facebook, we might add “Face” to the end, and it becomes “TalkingT0Friend$!Face”, or if we’re personalising it for Gmail, we might add “Gm” and turn it to “TalkingT0Friend$!Gm”. You might even consider adding a few more numbers like your favourite number and another form of punctuation to the package, so our Facebook password becomes “TalkingT0Friend$!Face007?”.

Ultimately, your password should be secure enough so that it’s hard to break, but also possible for you to remember it. If you can’t and it becomes too difficult to manage passwords, consider grabbing a password app or service for your phone and/or computer, as that can help long term, as well.