|
|
Twitter has warned its 330 million users to change their passwords after a glitch exposed some in plain text on its internal network.
The social network said an internal investigation had found no indication passwords were stolen or misused by insiders.
However, it still urged all users to consider changing their passwords "out of an abundance of caution". Link.
I don't think I'll bother.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. 200GB. Sync 67717/13670Kbps @ 600m. BQMs - IPv4 & IPv6
Edited by RobertoS (Thu 03-May-18 22:30:48)
|
|
|
I don't think I'll bother.
I use 2-Step and also use a completely random made-up password not used anywhere else, along with its own email address, so unless they also have my phone they are not getting in.
Also the only people that would see those logged passwords would be Twitter Staff.
Paul
|
|
|
Leaks only occur from staff or contractors.
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. 200GB. Sync 67717/13670Kbps @ 600m. BQMs - IPv4 & IPv6
|
|
|
|
|
Luckily I fixed all my problems with Twitter leaking passwords over a year ago. I deleted my account.
Plus the username and password for it were unique to Twitter so even if our friends at Twitter didn't delete the data it isn't going to do anyone any good.
|
|
|
So, they are storing passwords unencrypted ... why? And if they are visible to staff, how long before a hacker gains access to them?
And as passwords can be classed as personal data, then surely there is a potential breach of data protection.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
M H C
taurus excreta cerebrum vincit
|
|
|
So, they are storing passwords unencrypted ... why? And if they are visible to staff, how long before a hacker gains access to them?
And as passwords can be classed as personal data, then surely there is a potential breach of data protection.
No, they hash them with blowfish, but put the log before it hashed it, so the logs showed the passwords.
Paul
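The ordering described in the post above (the request is logged before the password is hashed), with a log-redaction filter that masks the value, as an added example that is not part of the thread and not Twitter's code. The handler, field names, salt and credentials are hypothetical and constructed, and PBKDF2 stands in for the service's real hash.

```python
import hashlib
import io
import logging
import re

SENSITIVE = {"password", "passwd", "new_password", "token"}
# key=value or 'key': 'value' pairs in already-rendered text
_PAIR = re.compile(r"(?i)\b(password|passwd|new_password|token)"
                   r"([\"']?\s*[=:]\s*[\"']?)([^\s\"'&,}]+)")

def scrub(value):
    """Mask sensitive values in dicts, sequences and rendered strings."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    if isinstance(value, str):
        return _PAIR.sub(r"\1\2[REDACTED]", value)
    return value

class RedactingFilter(logging.Filter):
    """Scrub structured args first, then the fully rendered message."""
    def filter(self, record):
        record.args = scrub(record.args)
        record.msg, record.args = scrub(record.getMessage()), None
        return True

def handle_login(form, redact, salt=b"constructed-salt"):
    """Hypothetical handler with the ordering from the thread: log, then hash."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    if redact:
        handler.addFilter(RedactingFilter())
    logger = logging.getLogger(f"login-demo-{redact}")
    logger.handlers, logger.propagate = [handler], False
    logger.setLevel(logging.INFO)
    logger.info("login request: %s", form)  # plaintext reaches the logger here
    logger.info("raw body: username=%s&password=%s",
                form["username"], form["password"])
    # PBKDF2 is a stdlib stand-in for whatever hash the real service uses
    digest = hashlib.pbkdf2_hmac("sha256", form["password"].encode(), salt, 100_000)
    return stream.getvalue(), digest.hex()

if __name__ == "__main__":
    form = {"username": "alice", "password": "S3cret-constructed!"}  # constructed input
    for redact in (False, True):
        print(handle_login(form, redact)[0])
```

The stored digest is identical in both runs; only the log differs, which is why hashing at rest does not help once the plaintext has already been written to a log.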
|
|
|
|
So for as long as the log is stored they are storing passwords unencrypted then. Looks like M H C has a valid point even if they are only stored for a short period of time. After all, if the logs were not stored, how did Twitter know there were unencrypted passwords in their system?
|
|
|
So for as long as the log is stored they are storing passwords unencrypted then. Looks like M H C has a valid point even if they are only stored for a short period of time. After all, if the logs were not stored, how did Twitter know there were unencrypted passwords in their system?
This might be true, I think they saw it when they did some looking into some server issues they had a little while back, this was probably when they saw it.
I know they said as soon as they noticed this they updated the site to resolve the security issue.
Sure it was a security issue, but most people including myself were fine due to using 2-Step login, so even if they get my password (which is random characters just for Twitter) they would also need my phone to log in.
Paul
|
|
|
How do you know that most people use 2-step login? Or have they said so?
My broadband basic info/help site - www.robertos.me.uk. Domains, site and mail hosting - Tsohost.
Connection - AAISP Home::1 80/20. 200GB. Sync 67717/13670Kbps @ 600m. BQMs - IPv4 & IPv6
|
|
|
How do you know that most people use 2-step login? Or have they said so?
Well it was an assumption, best practices etc, plus everyone I know that goes online uses 2-Step to log in wherever it's supported.
Whether it being an SMS with a code or the use of an Authenticator, they use it.
Now are there people that don't use 2-Step to log in, yes there probably are.
But it only takes a few mins to set up and an extra step to take when you log in the first time after activating it, or if you log in from a new device, or when you link services to it, but that is no reason why you shouldn't add this extra security level to protect your account.
Paul
|
|
|
|
I still find it amazing that many often use only one, possibly two, passwords across the whole range of logins they use internet-wise.
Personally I'd always change a password in light of a company admitting to a possible breach. In my mind, it doesn't take long to update and can save you a whole bunch of hassle even if that's down the line.
|
|
|
I still find it amazing that many often use only one, possibly two, passwords across the whole range of logins they use internet-wise.
Personally I'd always change a password in light of a company admitting to a possible breach. In my mind, it doesn't take long to update and can save you a whole bunch of hassle even if that's down the line.
Agreed, I use different email addresses made specially for that service and use different random passwords for each.
So if one gets leaked I only have to change just the one password.
I was forced to change my Twitter password the other day and yes, it only took a couple of mins to do.
Paul
|
|
|
I still find it amazing that many often use only one, possibly two, passwords across the whole range of logins they use internet-wise.
What is wrong with having just one or two? I am sure there are services based in Russia, India, Nigeria etc where you just give them all your logins along with the compromised password and they will update all of them for you. They might even do it free!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
M H C
taurus excreta cerebrum vincit
|
|
|
|
|
|
|
Bet they don't.
https://www.theregister.co.uk/2018/01/17/no_one_uses...
Well I must be one of the 10% then because I do, well where I can that is.
Paul
Edited by PaulKirby (Mon 07-May-18 11:53:14)
|
|
|
How were you forced to change?
Michael Chare
|
|
|
How were you forced to change?
The change password window popped up and I couldn't progress to the main page.
It's fine, it was due for a change anyhow.
Paul
|
|
|
Thank you. I don't use Twitter very much, possibly not in the past 6 months, but when I did log in today I was not forced to change my password.
Michael Chare
|
|
|
Thank you. I don't use Twitter very much, possibly not in the past 6 months, but when I did log in today I was not forced to change my password.
Maybe you weren't affected by it due to you not using it much. I use Twitter every day, so if the logs are only kept for a very short time I would have been affected by this issue.
Paul
|
|
|
How were you forced to change?
The change password window popped up and I couldn't progress to the main page.
It's fine, it was due for a change anyhow.
Paul
Must have been short-lived as I have not used Twitter for approx a year. Yet I was still signed in and tweeted with no prompts to change anything....
And YES I have had the email.
|
|
|
That does sound reasonable. I think I can safely leave my password unchanged.
Michael Chare
|
|
|
|
I tend to use 2 Step Login where I can and particularly where I know accounts are sought after and hence have value like Steam accounts.
Thinking back I had so many Computer games in nice large book sized boxes. Then came games on a CD, then DVD and now online.
My thinking is when they were in boxes you could perceive their value, but now all that value remains behind a password - scary really.
|
|
|
How were you forced to change?
The change password window popped up and I couldn't progress to the main page.
It's fine, it was due for a change anyhow.
Paul
Must have been short-lived as I have not used Twitter for approx a year. Yet I was still signed in and tweeted with no prompts to change anything....
And YES I have had the email.
You got an email, I got no email. I use Twitter every day, maybe I was just unlucky.
Paul
|