Sometimes it feels like it’s another day, another security failure. It’s just that this time it’s Twitter and it involves 330 million users.
Given how many Twitter accounts are used to authenticate users on other sites and that Twitter is, in the case of many businesses and individuals, tied up with their very identity, the damage which can be done by someone taking that away from you hardly bears thinking about.
Even if you’re not personally a user, if your business has an account or even if your staff use theirs on your devices, you should be on top of this. Twitter can be used to authenticate on other services too – and people do have a tendency to re-use passwords, maybe even the ones for your systems.
IT security specialists the world over are sat at their desks with gaping jaws at the revelation by the social media behemoth that it was storing passwords in a plain text log file. That’s why you need to change yours now.
If anyone has got hold of that file, they have all they need to take control of your Twitter account – and they don’t need to do any password cracking, social engineering or phishing to do it.
The proper, secure practice is to encrypt passwords before storing them and, in the process, put them through other measures which make them an awful lot harder to crack. No password is 100 per cent safe, but the best defence is to ensure attackers would have to spend years' worth of computing resources on each one they want to unencrypt. That makes it a far less worthwhile exercise for them.
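In practice the "other measures" described above are a per-user random salt and a deliberately slow hashing function, so that a leaked database holds nothing an attacker can log in with directly. The following is an added illustration, not code from the article or from Twitter: it stores a password as a salted PBKDF2-HMAC-SHA256 record and verifies a login attempt against that record. The record format and the iteration count are assumptions chosen for the example; the count should be tuned so that one hash takes a noticeable fraction of a second on the server that will run it.

```python
import base64
import hashlib
import hmac
import secrets

# Illustrative work factor (assumption): raise it until one hash costs
# roughly 100 ms on your own hardware, which is what makes bulk cracking slow.
DEFAULT_ITERATIONS = 600_000
ALGORITHM = "pbkdf2-sha256"


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per password means two users with the same
    password get different records, and precomputed tables are useless.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and parameters and compare.

    The comparison is constant-time so response timing does not leak
    how many leading bytes of the digest matched.
    """
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: never treat it as a match
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def plaintext_leaks(password: str, stored: str) -> bool:
    """True if the stored record contains the password itself.

    This is the check the article's plain-text log file would fail:
    a hashed record must never contain the password in any readable form.
    """
    return password in stored


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("correct horse battery stapler", record))
    print("record reveals the password:", plaintext_leaks("correct horse battery staple", record))
```

Note that the record stores its own iteration count, so the work factor can be raised later and old records re-hashed at the user's next successful login without any flag day.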
We’ve talked about passwords many times in these pages, but it’s really important to stress that they are just one part of your security – they are not the whole answer and you should never rely on them entirely.
Make a change
Just like a police officer will tell you about securing your home, IT safety is about layers. You make it really hard for someone to break through, with the overall aim that it’s so hard they won’t even bother and will move onto someone who hasn’t been as diligent as you.
It doesn’t have to be a major hassle to start adding those layers. We could all do with a password manager, because there’s no way a normal human can come up with genuinely secure passwords and then remember them all!
So use a piece of software that locks them away for you and then you just remember the one good, strong password that locks the vault.
The next layer is two-factor or multi-factor authentication. Again, not hard to do. Most services now give you the option to turn this on (Microsoft, Google, Facebook, Twitter, etc., all do it). It means that when you log in they will send you a one-time code by text message or you can look at an app on your phone to get one. You can’t log in without it, which means that unless an attacker has your phone and your login details, they are an awful lot further away from being able to break in.
There’s more that can be done too, but if everyone started using a password manager and another layer of authentication (plus not re-using the same password for everything and never using the name of their child/dog/husband/wife for that password!) we would all be a lot safer.
Everyone has to deal with the consequences of this latest breach. Twitter has serious egg on its face today. Don’t be next!