Twitter: No big deal, but everyone needs to change their password

Twitter is ringing in World Password Day by notifying its users, all 330 million of them, that their login credentials were left unencrypted in an internal log file and should be changed. Chief technology officer Parag Agrawal broke the news on Wednesday that its internal team had found that, while passwords are usually stored …


  1. Jim Mitchell

    What, did they use the same code as Github? https://www.zdnet.com/article/github-says-bug-exposed-account-passwords/

    1. Doctor Syntax Silver badge

      "What, did they use the same code as Github?"

      Once is an accident, twice is coincidence. If there's a third then we definitely need to start asking questions because it would suggest that there's a problem in some common piece of platform code.

      1. Anonymous Coward
        Anonymous Coward

        FTFY

        "... that there's a problem in some common piece of platform coder."

        1. tfewster
          Facepalm

          Re: FTFY

          "This string is a password, right, and we have to be really careful with them. We salt and encrypt them and store them in a protected file. Ooh, look, a new iPhone is out. So, to be sure our code is working, we'll log all keystrokes for debugging purposes. Don't forget to... Wow, retina display, 10Mp camera... "

        2. Doctor Syntax Silver badge

          Re: FTFY

          "platform coder."

          Could we both be thinking of the same code and the same coder?

      2. Steve the Cynic

        Once is an accident, twice is coincidence.

        My father's version: "Once is happenstance, twice is coincidence, three times is a conspiracy."

      3. Hans 1

        Plain text passwords = n00bs, no ifs, buts, or maybes. You on twatter? Delete your account.

        1. teknopaul

          I think it's fairly common to send "plaintext" over ssl and hash and compare to stored hash during auth.

          What would you recommend?

    2. Anonymous Coward
      Anonymous Coward

      Really the same bug?

      Is it a reasonable assumption? Or are we left to make it in the hope there's no further questions?

      The github bug was relatively short-lived but the Twitter bug blog post says nothing about the time-frame and tells everyone to change their passwords (and add an extra phone-pinging to their logging-in, a monetisable opportunity made promotable by this crisis).

      Conspiracies aside, until we see confirmation we should not take it as given that it is the same bug just because they happen to use the same function somewhere in the chain that might have no relevance to it.

  2. Andy Mac

    Sure, it’s bad, but as a developer I still feel a twinge of sympathy. At least they admitted it and said sorry. I’m sure a lot of companies would, and have, kept something like this quiet.

    Now excuse me while I go change my password...

    1. Pascal Monett Silver badge

      Indeed, Twitter is apparently upfront about the issue and that is something that must be commended.

      The fact that it is an internal gaffe and (allegedly) no data was actually leaked is a Good Thing (TM). The fact that Twitter still came out with the issue, and the possible hit to its reputation, marks a company that is definitely not like many others.

      So good on Twitter for doing the Right Thing (TM).

      I'm still not getting a Twitter account, though.

      1. Anonymous Coward
        Anonymous Coward

        > Indeed, Twitter is apparently upfront about the issue and that is something that must be commended.

        I read that as "something that must be condemned" and I thought "he must be in management". :-/

      2. Anonymous Coward
        Anonymous Coward

        So what really prompted them to be so upfront about it?

      3. Hans 1

        Pascal, I am the downvoter, because plaintext passwords are n00b, no dicking around, it should not have been possible, plain, simple, and if it is, n00bs!

        They can pay all users €100, still, it is n00b!

        1. Anonymous Coward
          Anonymous Coward

          For heaven's sake, they're not using plaintext passwords - by design they hash them, but in this case their hashing procedure failed. It's all in the article.

    2. vistisen

      What's twitter? All intelligence requires more than 140 characters to explain anything. This comment, that has now reached 141 characters!!!

      1. Mat

        You'll be fine then - they've upped it to 280 I think...

    3. Sheepykins

      This is a good example of the new GDPR guidelines.

      They didn't do this out of a misplaced sense of honour, they did it because they are obligated to report any infractions within 72 hours that could lead someone (even in house) to figuring out a person's identity.

      Take the Facebook employee recently sacked off for e-stalking women, he'd get access to their data then track them down through Tinder and other means.

      Logging in to Twitter gives location information, pictures, biographical info.

  3. Anonymous Coward
    Anonymous Coward

    So there is no hashing in a hashtag,

    1. Mark 85

      But if it will help, there's potatoes in hash. And then there's hash for smoking...

  4. Anonymous Coward
    Anonymous Coward

    Is "#Passw0rd" a strong password (contains upper and lower case, number and a special character)?

    1. James O'Shea

      feh

      P@55w0rD is so much more secure. It's got _three_ numbers and _two_ capitals, it _must_ be secure.

      1. Shoot Them Later
        Windows

        Re: feh

        My password is "correcthorsebatterystaple" because I read somewhere it has more entropy or something.

        1. Chairman of the Bored

          Re: feh

          @Shoot Them Later: +1 for xkcd reference

    2. Anonymous Coward
      Anonymous Coward

      I use wrongequinesolarnail

  5. James O'Shea
    Gimp

    Hmmm...

    I wonder if His Orangeness has changed his password yet...

    Actually, no matter what I tweeted if I were tweet in his name, no-one would notice. Unless it was to announce that he, Vlad, Stormy, and Vlad's pony were all married in a small but tasteful ceremony in St. Petersburg.

    1. John Robson Silver badge

      Re: Hmmm...

      Yeah, ‘tasteful’ would set off most BS detectors...

  6. DNTP

    Industry Standard

    "...This is an industry standard," Agrawal said of the non-functioning security feature.

    1: If this was an intentional joke from The Reg, it's freaking genius, because 2: I suspect it's mostly true.

    1. Doctor_Wibble
      Boffin

      Re: Industry Standard

      And note what else they have told us in the reassurances!

      e.g. no indications of anyone outside the company being able to even view the file tells us nothing:

      - as there was no indication of the logfile accidentally saving all these passwords completely by accident in the first place

      - it could have been accessed by anyone inside the company any number of times

      - how do they know, was access to the newly-discovered unknown file being logged somewhere?

      1. Doctor_Wibble
        Unhappy

        Re: Industry Standard

        Talk about misjudged comments, looks like I offended the Twitter PR department!

        But on the bright side, a valuable learning experience for me, at no cost...

  7. tempemeaty
    Alert

    Phone Number Grab Coming?

    I think Jack is just going to use the opportunity to make you give him your phone number. Do you trust his civil war calling ass with your phone number? I don't.

  8. Anonymous Coward
    Stop

    I had a Twitter account once

    Occasionally I get the urge to comment on articles that use Twitter for the purpose, and try to create a new account. But I always get the "There is a problem with your account" banner, and when I try to verify my account they demand my mobile phone number.

    Don't need two factor there.

    Some little social tool like Twitter is not important enough for that piece of information.

    So account creation fails.

    1. Anonymous Coward
      Anonymous Coward

      Re: I had a Twitter account once

      So does Facebook. It lets you create a new account without a phone number. But it forces you to add a phone number to log in on the second day. It basically holds your profile hostage until you add your phone number. You can't continue without giving away your number.

      A very shady UI pattern that should be regulated by US, UK and EU lawmakers.

      Though old accounts are differently handled, a 2006 account just shows a nag screen that has to be clicked away every fucking time.

  9. Tree

    Twitter bad!!

    You know they want to know everything about us. That password is just one of the things they know. They don't care about our happiness. Only your deepest secrets will be mined and sold.

  10. gBone

    I hope bcrypt does not replace the actual password with "a random set of numbers and letters"!

    1. Allan George Dyer

      I assume Parag Agrawal was making an entry for the Most Inaccurate and Confusing Technical Explanation Award.

  11. anothercynic Silver badge
    Facepalm

    At least...

    ... Twitter fessed up quickly. Unlike some other orgs!

  12. Anonymous Coward
    Anonymous Coward

    Ever Heard of Code Review, Coding Standards?

    This is exactly the kind of foul up that can be found in code reviews. How about a simple source code search for the uses of variables with 'password' in the name? Uses in lines of code that also have the word 'log' in them ought to be worrisome.

    Typical of today's coding ethos; write crap code, get away with it coz everyone else is writing crap code too. It's cheaper to apologise later than to do the job properly.
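    The source search this comment suggests, written out as an added example that is not part of the thread and not Twitter's or GitHub's code: a small scanner that flags lines where a password-like identifier and a logging call meet, and also lines that log a whole request or scope, where the password hides under another name. The sample source it scans is constructed for the example, and `scan_tree` is a hypothetical helper for running the same check over a checkout.

```python
"""Crude code-review helper: flag source lines that log something that looks like a
credential. Added example; the sample source below is constructed, not real code."""
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Identifiers that usually carry a credential (matched anywhere in the line).
PASSWORD_NAME = re.compile(r"password|passwd|pwd|secret", re.IGNORECASE)
# Common logging entry points: log(...), logger.x, logging.x, console.log, print.
LOG_CALL = re.compile(r"\b(log|logger|logging|console\.log|print)\b", re.IGNORECASE)
# Expressions that dump an entire scope or request into a log line, so the
# password is written even though the word never appears on that line.
INDIRECT_DUMP = re.compile(r"\b(locals|vars|request\.(form|json|body|data)|__dict__)\b")


def find_password_logging(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reason, stripped line) for every suspicious line."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if not LOG_CALL.search(line):
            continue
        if PASSWORD_NAME.search(line):
            hits.append((lineno, "password+log", line.strip()))
        elif INDIRECT_DUMP.search(line):
            hits.append((lineno, "indirect+log", line.strip()))
    return hits


def scan_tree(root: str, suffixes: Iterable[str] = (".py", ".js", ".java", ".go")):
    """Hypothetical helper: walk a source tree and collect hits per file."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            for lineno, reason, text in find_password_logging(path.read_text(errors="replace")):
                results.append((str(path), lineno, reason, text))
    return results


# Constructed sample: line 3 logs the raw password, line 7 logs the whole form.
SAMPLE_SOURCE = """\
def create_user(username, password):
    logger.debug("create_user called for %s", username)
    logger.debug("payload: username=%s password=%s", username, password)
    hashed = bcrypt_hash(password)
    store(username, hashed)
    log.info("user %s created", username)
    log.exception("request failed, form was %r", request.form)
"""

if __name__ == "__main__":
    for lineno, reason, text in find_password_logging(SAMPLE_SOURCE):
        print(f"line {lineno} [{reason}]: {text}")
```

    A grep like this only catches the obvious form; the second rule exists because a line such as `log.exception("...", request.form)` leaks the same password without ever mentioning it, which is the case a keyword search on 'password' alone misses.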

    1. Anonymous Coward
      Anonymous Coward

      Re: Ever Heard of Code Review, Coding Standards?

      Yeah, I've heard of them. Ever heard "Just fucking do it"?

    2. Arthur the cat Silver badge

      Re: Ever Heard of Code Review, Coding Standards?

      Typical of today's coding ethos; write crap code, get away with it coz everyone else is writing crap code too.

      I thought these days it's more a case of cut and paste crap code from StackExchange.

  13. Winkypop Silver badge
    Devil

    Stopped using Twitter a while ago

    I mean, even the President of the United States Twitter account has been hacked by an absolute moron. The guy who runs the account is clearly demented, so what's the point?

    Sad.

  14. J27

    This is honestly ridiculous, this is one of the easiest things to do properly. It's a shame the public has such a low level of knowledge of basic programming techniques, because if they knew anything about this they'd realize that this is like handing their personal information over to the Bozo the Clown of the web.

    This is the sort of mistake that would cause a first year comp-sci student to fail an assignment, not the sort of thing you expect to see in a multi-million dollar corporation's flagship product.

  15. FuzzyWuzzys
    Facepalm

    "sorry"

    Ah, there's that word "sorry" again, issued after another cockup. "Sorry", it's the emotional Lira/Drachma of life, utterly worthless in real terms and losing value with each and every use.

  16. Nimby
    Trollface

    (as a best practice you shouldn't be reusing passwords anyway)

    I used to rail against the stupidity of this kind of statement. Over the years I have literally collected hundreds of registrations to different websites, services, etc. How can anyone sanely expect everyone in the world to be able to REMEMBER that many unique passwords?

    But recently, I realized just how easy it actually is! The trick is not to generate that many fully unique passwords. Generate one part that you remember, and one unique part provided by the service. For example:

    Twitter5ucks!

    Github5ucks!

    Facebook5ucks!

    Apple5ucks!

    Google5ucks!

    With this simple technique you can have a safe (assuming they stored your password correctly) and unique password for every single one of your hundreds of accounts.

    My only problem was at El Reg, where I had to actually invent a new password, because they don't suck. One out of hundreds. Not so bad.

    1. petethebloke

      Re: (as a best practice you shouldn't be reusing passwords anyway)

      That's a good idea if your password is never stored in plain text, but it falls over pretty quickly otherwise. Let's see if I can guess your password for pr0nhub.... um.... Pr0nhub5ucks! ??

      1. }{amis}{
        Trollface

        Re: (as a best practice you shouldn't be reusing passwords anyway)

        Nope P0rnHub!Blows!

    2. Swiss Anton

      Re: (as a best practice you shouldn't be reusing passwords anyway)

      For El Reg, move the ! to the front of the password.

      1. Korev Silver badge
        Joke

        Re: (as a best practice you shouldn't be reusing passwords anyway)

        >For El Reg, move the ! to the front of the password.

        Yahoo! That's! good!

  17. Nifty Silver badge

    So all websites store your plaintext passwords for batch-hashing later on?

    I’d always naively thought that passwords are hashed at the moment of creation, leaving no opportunity for them to be stored on a website or database unhashed. I thought that hashing & salting was a one-way process and the result is only usable for matching. Where was my naive assumption wrong?

    Or: Due to a coding bug, a logfile was being written in plaintext of all passwords being created. And this logfile had been left running for years and years, long enough to acquire millions of plaintext passwords? Colour me skeptical.

    1. sabroni Silver badge

      Re: So all websites store your plaintext passwords for batch-hashing later on?

      The hashing runs on the server. You have to pass the password to the server for hashing. The alternative is to trust all the external devices to hash for you. You can't trust all the external devices.

      That's about the size of it, afaik.
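      The flow teknopaul and sabroni describe above (the client sends the password over TLS, the server hashes it and compares against the stored hash), together with the way a stray debug line undoes it, as an added example that is not part of the thread and not Twitter's code. PBKDF2 from Python's standard library stands in for the bcrypt the article mentions; the usernames, passwords and the in-memory log are constructed.

```python
"""Server-side password storage with a salted, slow hash, and a demonstration of
how a debug log line leaks the plaintext before hashing. Added example; PBKDF2
is used in place of bcrypt and all credentials below are constructed."""
import hashlib
import hmac
import logging
import os
import re
from typing import Dict, List, Optional, Tuple

USERS: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, derived key)
LOG_LINES: List[str] = []                    # in-memory stand-in for the server log file


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a key from the password; a fresh random salt is used for new records."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, key


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)   # only salt and hash are stored


def verify(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        hash_password(password)   # spend the same time for unknown users
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)   # constant-time comparison


class RedactCredentials(logging.Filter):
    """Last-resort scrubbing of key=value credentials before a record is written."""
    PATTERN = re.compile(r"(password|passwd|pwd)(\s*[=:]\s*)(\S+)", re.IGNORECASE)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.PATTERN.sub(r"\1\2[REDACTED]", record.getMessage())
        record.args = None
        return True


class ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        LOG_LINES.append(self.format(record))


logger = logging.getLogger("auth_demo")
logger.setLevel(logging.DEBUG)
logger.propagate = False
_handler = ListHandler()
_handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
_handler.addFilter(RedactCredentials())
logger.addHandler(_handler)


def login(username: str, password: str) -> bool:
    # The mistake the article describes: the raw credential reaches a logging call
    # before it is hashed. The filter above catches this form as defence in depth;
    # the real fix is to never pass the secret to the logger at all.
    logger.debug("login attempt username=%s password=%s", username, password)
    ok = verify(username, password)
    logger.info("login %s for %s", "ok" if ok else "failed", username)
    return ok


def demo() -> dict:
    USERS.clear()
    LOG_LINES.clear()
    register("alice", "correcthorsebatterystaple")   # constructed credentials
    good = login("alice", "correcthorsebatterystaple")
    bad = login("alice", "Tr0ub4dor&3")
    unknown = login("bob", "whatever")
    leaked = any("correcthorse" in line or "Tr0ub4dor" in line for line in LOG_LINES)
    return {"good": good, "bad": bad, "unknown": unknown, "leaked": leaked,
            "lines": list(LOG_LINES)}


if __name__ == "__main__":
    for line in demo()["lines"]:
        print(line)
```

      Remove the `addFilter` line and run it again to see what the log file looks like when nothing sits between the debug call and disk: the salted hash in `USERS` is exactly as sound as before, and the plaintext is on disk anyway. That is why the hashing being "industry standard" says nothing about what the logging does with the password on the way in.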
