Twitter has revealed that a bug in its system resulted in some passwords being stored in a log in clear text, underlining the need for alternative authentication methods.
The company told users: “We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.”
Twitter has not revealed how many passwords were affected, but according to the BBC, the number is understood to be “substantial” and the passwords are thought to have been exposed for “several months”.
Although there is no known breach, this has again underlined the importance of organisations following best practices and the real need for alternative authentication methods to passwords.
Industry commentators say Twitter should not simply give users the option of enabling two-factor authentication, but should enable it as the default.
Ambuj Kumar, co-founder and CEO of Fortanix, says that although hashing passwords with the bcrypt hashing function is laudable, Twitter did not follow best practices.
He said: “As a result, passwords got written in plaintext log files, exposing them to anyone who had access to the log files.
“Many organisations use backup systems and create various copies of the same files on multiple hard drives and systems, so the question remains as to whether Twitter removed all the copies from all the systems, or is there a copy on some internal system that will show up many years from now when people may have forgotten about this incident?”
Kumar added that the security industry should set higher standards for securing sensitive information such as passwords.
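The failure mode Kumar describes, as an added example in Python (not Twitter's code): a login handler that serialises the whole request into a log line, the hardened version that masks sensitive fields before anything reaches the logger, and a scanner that flags unmasked credentials in existing log text, which is the check to run over the backup copies he mentions. The key list, mask string and sample form are assumptions constructed for the example.

```python
import json
import logging
import re
from io import StringIO

# Assumed list of field names that must never reach a log line; extend per application.
SENSITIVE_KEYS = {"password", "passwd", "new_password", "token", "secret"}
MASK = "***REDACTED***"


def redact(record):
    """Return a copy of a request dict with sensitive values masked (nested dicts included)."""
    out = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = MASK
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


def log_login_unsafe(logger, form):
    # The bug pattern: the full form, password included, is written to the log in plaintext.
    logger.info("login attempt: %s", json.dumps(form))


def log_login_safe(logger, form):
    # Hardened form: only the redacted copy is ever handed to the logging subsystem.
    logger.info("login attempt: %s", json.dumps(redact(form)))


def capture(func, form):
    """Run a logging function with an in-memory handler and return the log text it produced."""
    buf = StringIO()
    logger = logging.getLogger("login-demo-" + func.__name__)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    logger.handlers = [handler]
    func(logger, form)
    handler.flush()
    return buf.getvalue()


# Matches JSON-style "key": "value" pairs inside a log line.
_KV_PATTERN = re.compile(r'"(?P<key>[^"]+)"\s*:\s*"(?P<value>[^"]*)"')


def find_unmasked_credentials(log_text):
    """Scan log text; return (line_no, key) for every sensitive field whose value is not masked."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for m in _KV_PATTERN.finditer(line):
            if m.group("key").lower() in SENSITIVE_KEYS and m.group("value") != MASK:
                hits.append((line_no, m.group("key")))
    return hits
```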
Ian Levy, technical director at the National Cyber Security Centre (NCSC), has named identity and authentication as among the top areas that cybersecurity innovators should seek to tackle.
“We have got to get rid of passwords,” Levy told Computer Weekly. “They don’t work and they don’t do what people think they do. They don’t work for people, let alone security. We need better ways of authenticating.”
Heather Howland, Vice President of Marketing at Preempt, said the Twitter password bug highlights a need for IT security teams to be able to proactively find weak passwords.
“Employees often re-use passwords for both personal and business use,” she said. “Forcing regular password changes for everyone has become ineffective, so finding better ways to identify the weak passwords in real time and enforcing contextual password updates when they are actually needed will be more effective.”