Whether serendipitous or ironic, Global Password Day found Twitter advising users to change their passwords after a bug in its password storage system “unmasked” the passwords in an internal log.
“We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone,” Twitter CTO Parag Agrawal wrote in a blog post. “Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password.”
The Twitter issue is not so much a bug, though, said Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard, but rather “pretty bad oversight.”
Agrawal recommended using a strong password unique to a user’s Twitter login as well as two-factor authentication.
“Twitter is one of many web-based and mobile applications that do not require dual-factor authentication as the default,” said Mike Banic, Vice President of Marketing at Vectra. The breach of data from the Office of Personnel Management (OPM), for example, started with the cyberattackers using stolen credentials to pose as a legitimate employee of an OPM contractor performing background investigations, Keypoint Government Solutions, and the stolen credentials did not require two-factor authentication.”
But “passwords are only part of a much bigger problem: how our information is stored. Passwords, usernames and payments credentials (what hackers want) are often stored on one central database, creating a single point of failure – a hacker’s favorite target,” said George Avetisov, CEO of HYPR. “When a data breach occurs, a hacker that obtains these credentials from one company (say, Panera ) can also access other accounts using the same credentials, even if those companies have not been hacked (say, Macy’s).”
Ensuring that user passwords are encrypted with strong encryption algorithm “is a 101 basics for cybersecurity,” said Yampolskiy. “The big danger of keeping cleartext passwords, is that any one employee with access to a database can remember these passwords. Users very often reuse passwords on other sites, like Gmail, Yahoo, online banking- so knowing a user’s cleartext passwords could allow you access to other sensitive info.”