Twitter: No big deal, but everyone needs to change their password

Twitter is ringing in World Password Day by notifying its users, all 330 million of them, that their login credentials were left unencrypted in an internal log file and should be changed. Chief technology officer Parag Agrawal broke the news on Wednesday that its internal team had found that, while passwords are usually stored …

What, did they use the same code as Github? https://www.zdnet.com/article/github-says-bug-exposed-account-passwords/

5
0
Silver badge

"What, did they use the same code as Github?"

Once is an accident, twice is coincidence. If there's a third then we definitely need to start asking questions because it would suggest that there's a problem in some common piece of platform code.

5
1
Anonymous Coward

FTFY

"... that there's a problem in some common piece of platform coder."

7
0
Silver badge
Facepalm

Re: FTFY

"This string is a password, right, and we have to be really careful with them. We salt and encrypt them and store them in a protected file. Ooh, look, a new iPhone is out. So, to be sure our code is working, we'll log all keystrokes for debugging purposes. Don't forget to... Wow, retina display, 10Mp camera... "

33
1
Silver badge

Re: FTFY

"platform coder."

Could we both be thinking of the same code and the same coder?

3
1
Silver badge

Once is an accident, twice is coincidence.

My father's version: "Once is happenstance, twice is coincidence, three times is a conspiracy."

3
0
Silver badge

Plain text passwords = n00bs, no ifs, buts, or maybes. You on twatter? Delete your account.

3
4
Anonymous Coward

Really the same bug?

Is it a reasonable assumption? Or are we left to make it in the hope there's no further questions?

The github bug was relatively short-lived but the Twitter bug blog post says nothing about the time-frame and tells everyone to change their passwords (and add an extra phone-pinging to their logging-in, a monetisable opportunity made promotable by this crisis).

Conspiracies aside, until we see confirmation we should not take it as given that it is the same bug just because they happen to use the same function somewhere in the chain that might have no relevance to it.

1
0
Bronze badge

I think it's fairly common to send "plaintext" over ssl and hash and compare to stored hash during auth.

What would you recommend?

0
0

Sure, it’s bad, but as a developer I still feel a twinge of sympathy. At least they admitted it and said sorry. I’m sure a lot of companies would, and have, kept something like this quiet.

Now excuse me while I go change my password...

32
0
Silver badge

Indeed, Twitter is apparently upfront about the issue and that is something that must be commended.

The fact that it is an internal gaffe and (allegedly) no data was actually leaked is a Good Thing (TM). The fact that Twitter still came out with the issue, and the possible hit to its reputation, marks a company that is definitely not like many others.

So good on Twitter for doing the Right Thing (TM).

I'm still not getting a Twitter account, though.

40
1

What's twitter? All intelligence requires more than 140 characters to explain anything. This comment, that has now reached 141 characters!!!

5
9

This is a good example of the new GDPR guidelines.

They didn't do this out of a misplaced sense of honour, they did it because they are obligated to report any infractions within 72 hours that could lead someone (even in house) to figuring out a person's identity.

Take the facebook employee recently sacked off for e-stalking women, he'd get access to their data then track them down through Tinder and other means.

Logging in to twitter gives location information, pictures, biographical info.

11
1
Mat

You'll be fine then - they've upped it to 280 I think...

9
0
Anonymous Coward

> Indeed, Twitter is apparently upfront about the issue and that is something that must be commended.

I read that as "something that must be condemned" and I thought "he must be in management". :-/

3
0
Anonymous Coward

So what really prompted them to be so upfront about it?

0
0
Silver badge

Pascal, I am the downvoter, because plaintext passwords are n00b, no dicking around; it should not have been possible, plain, simple, and if it is, n00bs!

They can pay all users €100, still, it is n00b!

1
3
Silver badge

For heaven's sake, they're not using plaintext passwords - by design they hash them, but in this case their hashing procedure failed. It's all in the article.

2
0
Anonymous Coward

So there is no hashing in a hashtag.

8
0
Silver badge

But if it will help, there's potatoes in hash. And then there's hash for smoking...

1
0
Anonymous Coward

Is "#Passw0rd" a strong password (contains upper and lower case, a number and a special character)?

9
0
Silver badge

feh

P@55w0rD is so much more secure. It's got _three_ numbers and _two_ capitals, it _must_ be secure.

10
1
Anonymous Coward

I use wrongequinesolarnail

20
0
Windows

Re: feh

My password is "correcthorsebatterystaple" because I read somewhere it has more entropy or something.

14
1
Silver badge

Re: feh

@Shoot Them Later: +1 for xkcd reference

4
2
Silver badge
Gimp

Hmmm...

I wonder if His Orangeness has changed his password yet...

Actually, no matter what I tweeted if I were to tweet in his name, no-one would notice. Unless it was to announce that he, Vlad, Stormy, and Vlad's pony were all married in a small but tasteful ceremony in St. Petersburg.

14
2
Silver badge

Re: Hmmm...

Yeah, ‘tasteful’ would set off most BS detectors...

12
1
Silver badge

Industry Standard

"...This is an industry standard," Agrawal said of the non-functioning security feature.

1: If this was an intentional joke from The Reg, it's freaking genius, because 2: I suspect it's mostly true.

15
0
Boffin

Re: Industry Standard

And note what else they have told us in the reassurances!

e.g. no indications of anyone outside the company being able to even view the file tells us nothing:

- as there was no indication of the logfile accidentally saving all these passwords completely by accident in the first place

- it could have been accessed by anyone inside the company any number of times

- how do they know, was access to the newly-discovered unknown file being logged somewhere?

3
6
Unhappy

Re: Industry Standard

Talk about misjudged comments, looks like I offended the Twitter PR department!

But on the bright side, a valuable learning experience for me, at no cost...

2
1
Alert

Phone Number Grab Coming?

I think Jack is just going to use the opportunity to make you give him your phone number. Do you trust his civil war calling ass with your phone number? I don't.

5
0
Stop

I had a Twitter account once

Occasionally I get the urge to comment on articles that use Twitter for the purpose, and try to create a new account, but I always get the "There is a problem with your account" banner, and when I try to verify my account they demand my mobile phone number.

Don't need two factor there.

Some little social tool like Twitter is not important enough for that piece of information.

So account creation fails.

13
0
Anonymous Coward

Re: I had a Twitter account once

So does Facebook. It lets you create a new account without a phone number. But it forces you to add a phone number to log in on the second day. It basically holds your profile hostage until you add your phone number. You can't continue without giving away your number.

A very shady UI pattern that should be regulated by US, UK and EU lawmakers.

Though old accounts are handled differently; a 2006 account just shows a nag screen that has to be clicked away every fucking time.

0
0

Twitter bad!!

You know they want to know everything about us. That password is just one of the things they know. They don't care about our happiness. Only your deepest secrets will be mined and sold.

1
0

I hope bcrypt does not replace the actual password with "a random set of numbers and letters"!

25
0
Silver badge

I assume Parag Agrawal was making an entry for the Most Inaccurate and Confusing Technical Explanation Award.

2
0
Silver badge
Facepalm

At least...

... Twitter fessed up quickly. Unlike some other orgs!

2
1
Anonymous Coward

Ever Heard of Code Review, Coding Standards?

This is exactly the kind of foul up that can be found in code reviews. How about a simple source code search for the uses of variables with 'password' in the name? Uses in lines of code that also have the word 'log' in them ought to be worrisome.

Typical of today's coding ethos; write crap code, get away with it coz everyone else is writing crap code too. It's cheaper to apologise later than to do the job properly.

3
6
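Worked example added by the editor, not code from the commenter, Twitter or GitHub: the "simple source code search" proposed above, written as a small scanner. It flags any log or print call that is handed a credential-named identifier, and, going one step past the commenter's grep, also a call that logs a request/form object whole, which is how a password ends up in a log without the word "password" ever appearing on the line. String literals are blanked first so a message like "bad password for %s" is not a hit. The regexes, the reason strings and the SAMPLE_SOURCE login handler are all constructed for this illustration.

```python
import re

# Calls that write to a log or to stdout (Python, JS, Java and Go-style names).
LOG_CALL = re.compile(
    r"\b(?:log(?:ger|ging)?|console)\.(?:debug|info|warn(?:ing)?|error|critical|log|trace|printf|println)\s*\("
    r"|\bprint(?:f|ln)?\s*\(",
    re.I,
)
# Identifiers that smell like a credential. A 'password_hash' hit is a false positive
# the reviewer dismisses in seconds; a miss is the bug in the article.
SECRET_NAME = re.compile(r"\b\w*(?:passw(?:or)?d|passphrase|pwd|secret)\w*\b", re.I)
# A request/form/params object handed to the logger whole instead of indexed.
WHOLE_REQUEST = re.compile(r"\b(?:request|req|params|form|body|payload)\b(?:\.\w+)*\s*[,)]", re.I)
# request.form["password"] -> request.form.password, so the literal key counts as a name.
SUBSCRIPT_KEY = re.compile(r"\[\s*(['\"])(\w+)\1\s*\]")
STRING_LITERAL = re.compile(r"\"(?:\\.|[^\"\\])*\"|'(?:\\.|[^'\\])*'")
COMMENT_LINE = re.compile(r"^\s*(?:#|//|/\*|\*)")


def find_secret_logging(source: str):
    """Return (line number, reason, line) for every log/print call that is handed a
    credential-named value or a whole request object. Message text is ignored, so
    'bad password for %s' in a format string is not a hit; commented-out lines are skipped."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if COMMENT_LINE.match(line) or not LOG_CALL.search(line):
            continue
        code = SUBSCRIPT_KEY.sub(lambda m: "." + m.group(2), line)
        code = STRING_LITERAL.sub('""', code)
        names = sorted({m.group(0).lower() for m in SECRET_NAME.finditer(code)})
        if names:
            findings.append((lineno, "credential-named value logged: " + ", ".join(names), line.strip()))
        elif WHOLE_REQUEST.search(code):
            findings.append((lineno, "whole request object logged", line.strip()))
    return findings


# Constructed sample: a login handler with the kind of leftover debug logging the
# thread is talking about. Not real Twitter or GitHub code.
SAMPLE_SOURCE = '''\
def login(request):
    username = request.form["username"]
    password = request.form["password"]
    # log.debug("pw=%s", password)   # commented out, not a finding
    logger.debug("login attempt: %s", request.form)
    log.info("user %s signing in", username)
    if not verify(username, password):
        logger.warning("bad password for %s", username)
        log.debug("rejected credentials: user=%s pass=%s", username, password)
        print("DEBUG", request.form["password"])
    token = issue_session_token(username)
    logger.info("issued session for %s", username)
    return token
'''

if __name__ == "__main__":
    for lineno, reason, text in find_secret_logging(SAMPLE_SOURCE):
        print("line %d: %s\n    %s" % (lineno, reason, text))
```

Run against the sample it reports lines 5, 9 and 10 and stays quiet on the warning that merely mentions "password" in its message. It is a review aid, not a proof of absence: a request dumped through a helper two calls away, or a credential under a name like `creds`, gets past it, which is why the commenter's point about review and standards still stands.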
Anonymous Coward

Re: Ever Heard of Code Review, Coding Standards?

Yeah, I've heard of them. Ever heard "Just fucking do it"?

10
0
Silver badge

Re: Ever Heard of Code Review, Coding Standards?

Typical of today's coding ethos; write crap code, get away with it coz everyone else is writing crap code too.

I thought these days it's more a case of cut and paste crap code from StackExchange.

10
0
Silver badge
Devil

Stopped using Twitter a while ago

I mean, even the President of the United States Twitter account has been hacked by an absolute moron. The guy who runs the account is clearly demented, so what's the point?

Sad.

22
0
J27

This is honestly ridiculous, this is one of the easiest things to do properly. It's a shame the public has such a low level of knowledge of basic programming techniques, because if they knew anything about this they'd realize that this is like handing their personal information over to the Bozo the Clown of the web.

This is the sort of mistake that would cause a first year comp-sci student to fail an assignment, not the sort of thing you expect to see in a multi-million dollar corporation's flagship product.

6
4
Silver badge
Facepalm

"sorry"

Ah, there's that word "sorry" again, issued after another cockup. "Sorry", it's the emotional Lira/Drachma of life, utterly worthless in real terms and losing value with each and every use.

8
0
Bronze badge
Trollface

(as a best practice you shouldn't be reusing passwords anyway)

I used to rail against the stupidity of this kind of statement. Over the years I have literally collected hundreds of registrations to different websites, services, etc. How can anyone sanely expect everyone in the world to be able to REMEMBER that many unique passwords?

But recently, I realized just how easy it actually is! The trick is not to generate that many fully unique passwords. Generate one part that you remember, and one unique part provided by the service. For example:

Twitter5ucks!

Github5ucks!

Facebook5ucks!

Apple5ucks!

Google5ucks!

With this simple technique you can have a safe (assuming they stored your password correctly) and unique password for every single one of your hundreds of accounts.

My only problem was at El Reg, where I had to actually invent a new password, because they don't suck. One out of hundreds. Not so bad.

14
1

Re: (as a best practice you shouldn't be reusing passwords anyway)

That's a good idea if your password is never stored in plain text, but it falls over pretty quickly otherwise. Let's see if I can guess your password for pr0nhub.... um.... Pr0nhub5ucks! ??

5
0

Re: (as a best practice you shouldn't be reusing passwords anyway)

For El Reg, move the ! to the front of the password.

4
0
Silver badge
Joke

Re: (as a best practice you shouldn't be reusing passwords anyway)

>For El Reg, move the ! to the front of the password.

Yahoo! That's! good!

1
0
Silver badge
Trollface

Re: (as a best practice you shouldn't be reusing passwords anyway)

Nope P0rnHub!Blows!

2
0

So all websites store your plaintext passwords for batch-hashing later on?

I’d always naively thought that passwords are hashed at moment of creation, leaving no opportunity for them to be stored on a website or database unhashed. I thought that hashing & salting was a one-way process and the result is only usable for matching. Where was my naive assumption wrong?

Or: Due to a coding bug, a logfile was being written in plaintext of all passwords being created. And this logfile had been left running for years and years, long enough to acquire millions of plaintext passwords? Colour me skeptical.

3
1
Silver badge

Re: So all websites store your plaintext passwords for batch-hashing later on?

The hashing runs on the server. You have to pass the password to the server for hashing. The alternative is to trust all the external devices to hash for you. You can't trust all the external devices.

That's about the size of it, afaik.

7
0
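Worked example added by the editor, not code from the thread, Twitter or GitHub: the flow the two comments above describe (plaintext password arrives over TLS, the server salts and hashes it and keeps only the hash) together with the failure mode the article is about, a debug line that writes the whole request, password included, into a log. hashlib.pbkdf2_hmac from the standard library stands in for bcrypt here; that substitution, the stored-hash format, the request dict shape and the function and logger names are all assumptions of this example. It also shows the point raised earlier in the thread about what a hash is: the digest is derived from the password, not a random replacement for it.

```python
import hashlib
import hmac
import io
import logging
import os
from typing import Optional, Tuple

# Stand-in for bcrypt (an assumption of this example): a salted, deliberately slow
# KDF from the standard library. Iteration count kept modest so the demo runs fast.
KDF_ITERATIONS = 200_000
SENSITIVE_KEYS = {"password", "passwd", "pwd", "passphrase", "secret"}
REDACTED = "[REDACTED]"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt and hash a submitted password; only the returned string is stored.

    The digest is derived from the password (same password + same salt gives the
    same digest), not a random replacement for it; that is what lets
    verify_password() work without the plaintext ever being kept.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (KDF_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Re-run the KDF with the stored salt and compare digests in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme: " + scheme)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def redact(obj):
    """Return a copy of a payload with values under credential-like keys replaced."""
    if isinstance(obj, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v) for v in obj)
    return obj


class RedactingFilter(logging.Filter):
    """Scrub credential-like keys out of log arguments before the record is formatted.

    This is the guard against the bug class in the article: a debug statement that
    dumps a whole request, password included, into a log file.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        if record.args:  # a dict when a single mapping was logged, else a tuple
            record.args = redact(record.args)
        return True


def handle_login(request: dict, stored_hash: str, scrub_logs: bool = True) -> Tuple[bool, str]:
    """Process one login as the thread describes it and return (ok, captured log text).

    request is the decoded form body that arrived over TLS (plaintext password and
    all). scrub_logs=False reproduces the leak so the two outputs can be compared.
    """
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if scrub_logs:
        handler.addFilter(RedactingFilter())
    logger = logging.getLogger("auth.example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)

    # The well-meant "log everything while debugging" line: the request holds the password.
    logger.debug("login request: %s", request)
    ok = verify_password(request["password"], stored_hash)
    logger.info("login for %s: %s", request["username"], "ok" if ok else "failed")
    handler.flush()
    return ok, stream.getvalue()


if __name__ == "__main__":
    stored = hash_password("correcthorsebatterystaple")  # constructed sample credential
    req = {"username": "alice", "password": "correcthorsebatterystaple"}
    print("stored:", stored)
    print("--- with RedactingFilter ---\n" + handle_login(req, stored)[1])
    print("--- without (the bug) ---\n" + handle_login(req, stored, scrub_logs=False)[1])
```

The filter sits on the handler, so it catches the password whether the debug line is in the auth code or in generic request middleware, and it works on a copy of the arguments, so the handler still has the plaintext it needs for the comparison. What it cannot catch is a password that has already been interpolated into the message string before logging, which is the case a code-review search still has to find.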

Biting the hand that feeds IT © 1998–2018