The lesson of the Twitter hack: Passwords are pitiful
Twitter’s advice this week to reset passwords after the latest attack on its users strikes me as not far off throwing a scuba mask at a shark. The shark works out that you are defenceless and just circles round to come back for a second and...
The new hack is worth paying attention to in all its lateral-thinking brilliance. Instead of trying to barge down the doors of Twitter, the hackers decided to exploit an obvious weakness of passwords that has nothing to do with their length, complexity, or use of unusual characters. It turns out that people use the same passwords over and over for more than one site, or at least a large enough percentage do to make it an exploitable weakness.
How do you get these passwords in the first place? Simple: you set up sites to harvest or ‘skim’ this information from users. The favoured choice, and the one used for the Twitter hack, was a Torrent file-sharing site that asked for login registration. These sites are now all over the net, offering users a way of getting free content from behind paywalls for a range of content types including music, films, porn and TV shows.
The problem with Twitter’s approach is that even without the re-use weakness, logins and passwords are not that hard to guess or brute-force. People don’t just re-use passwords, they choose dumb passwords. Login IDs are often just reused from part of the email address.
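From the site's side, the tell-tale sign of harvested credentials being replayed is one source trying many different accounts in a short window, most of them failing. The following detector is an added example, not code from this column or from Twitter; the log format, sample lines and thresholds are constructed assumptions.

```python
"""Flag credential-replay patterns in web login logs (added example).

Replaying username/password pairs harvested on another site shows up on
the receiving site as one source trying many *distinct* accounts, mostly
failing, inside a short window.  Log format and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2010-02-03T10:00:01 203.0.113.7 alice FAIL
2010-02-03T10:00:02 203.0.113.7 bob FAIL
2010-02-03T10:00:02 203.0.113.7 carol OK
2010-02-03T10:00:03 203.0.113.7 dave FAIL
2010-02-03T10:00:04 203.0.113.7 erin FAIL
2010-02-03T10:00:05 203.0.113.7 frank FAIL
2010-02-03T10:01:00 198.51.100.9 alice FAIL
2010-02-03T10:01:30 198.51.100.9 alice FAIL
2010-02-03T10:02:00 198.51.100.9 alice OK
"""

def parse(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def flag_stuffing(log_text, window=timedelta(minutes=5),
                  min_users=5, max_success_ratio=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for every source
    that tried at least `min_users` distinct accounts within `window` with a
    success ratio at or below `max_success_ratio` (sliding window per IP).
    A burst of failures against a single account (198.51.100.9 above) is
    plain password guessing, a different pattern that needs its own rule."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                flagged[ip] = (len(users), len(win), successes)
    return flagged
```

The successes matter as much as the failures: a flagged source with any OK results is a list of accounts whose owners reused a password and should be forced to reset.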
There are a number of possible solutions:
1. The lazy could create several logins to re-use: one for financial sites, one for sites with some sensitive data (addresses, full name, etc), and a basic one for access-only sites.
2. Ideally start using an online password site (for example, the excellent LastPass) that stores passwords in encrypted form. These log the user in automatically from any PC. They are not a perfect solution because they can be mis-managed but they are better than using only one login over and over.
3. Use an offline password database app, again one that uses encrypted data. Old-fashioned but it works.
4. Invest in some form of third-party authentication system. This does depend on the site being accessed using such a technology.
The critical point of password storage sites is that they also make it possible to start using longer and more complex password/login combinations, ones that can resist brute forcing so there's a double layer of protection.
The best hacks are the ones that depend not on any technical insight or skill but on the ignorance, naivety or laziness of the ordinary user. The latest Twitter hack is a beautiful example.
My advice to protect yourself against the worst the Internet can throw at you? Take a degree in psychology and trust nobody, including big brands that let users in with trivial passwords.