How the Twitter Password Error Could Have Happened

Twitter revealed last week that it accidentally saved some users’ passwords in plain text, and therefore suggested that all users change their Twitter passwords. It was bad. But honestly, it’s not all bad, according to Tristan Bolton, founder of enterprise cloud provider BoltonSmith. We talked to him about how this could have happened and what could have been worse.

How it usually works

First, this is what should have happened to your password. As Twitter CTO Parag Agrawal explained when announcing the bug, the service normally never saves your actual password. When you create a Twitter account or change your password, Twitter runs it through an algorithm to produce a “hash” – a long string, something like an encoded translation, that only works in one direction. (It probably also “salts” the hash, so that if two people use the same password, the two stored hashes still do not match.)

Twitter stores this hash instead of your actual password. Every time you log in, Twitter turns the password you entered into a hash and compares it to the stored hash. If they match, you are logged in. If they do not match, you are not.

While you can always turn a password into a hash, you cannot turn a hash back into a password. (This would be like turning the smoothie back into strawberries and milk.) This means that if someone ever breaks into Twitter’s hash database, they still won’t get all the passwords.

Since people are constantly breaking into databases, it is very important that services do not store users’ actual passwords. Bolton says this has become such a standard practice that every computer science student learns it. Even small, informal services usually hash passwords. This has not always been the case; it became much more common after several high-profile hacks that exposed millions of accounts.

What could go wrong

But Twitter says that at some point this process failed. Bolton explains how this can happen: developers often run their software in debug mode, which keeps detailed logs of everything the software does. “When you build an application, you often need very detailed logs to see what’s going on, to easily troubleshoot and/or make sure the application is working as expected,” he says.

But sometimes a developer forgets to turn off debug logging before the software goes live. The system then keeps logging data that it does not need, or data that it should not log at all. That can include unencrypted passwords. This, according to Bolton, could be what happened at Twitter. (We asked Twitter for confirmation; they declined to comment.)
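The two mechanisms described above, salted one-way hashing of a stored password and a debug log that records a login request, put together as an added Python example (not Twitter’s code, and no claim about how Twitter’s systems are built). It assumes PBKDF2-HMAC-SHA256 as the one-way algorithm and a constructed iteration count; the point of handle_login is that the request is redacted before it ever reaches the log, so leaving debug logging on cannot write the plain-text password.

```python
import hashlib
import hmac
import logging
import os
from typing import Optional

logger = logging.getLogger("auth")

# Work factor for PBKDF2-HMAC-SHA256; a constructed example value, not a recommendation.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$hash_hex'. A fresh random salt is drawn for every account,
    so two users with the same password end up with different stored strings."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare in constant time.
    The stored string is never turned back into a password; only the hash is compared."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Form fields that must never appear in a log line, even at DEBUG level.
SENSITIVE_FIELDS = {"password", "new_password"}


def redact(form: dict) -> dict:
    """Copy of a request form with credential fields masked before logging."""
    return {k: ("<redacted>" if k in SENSITIVE_FIELDS else v) for k, v in form.items()}


def handle_login(form: dict, user_db: dict) -> bool:
    """Log the request at DEBUG level, but only the redacted copy, then check the hash.
    user_db maps username -> 'salt_hex$hash_hex' as produced by hash_password."""
    logger.debug("login request: %s", redact(form))  # never logger.debug(form)
    stored = user_db.get(form.get("username"))
    return stored is not None and verify_password(form.get("password", ""), stored)
```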

Twitter response

While the error was “very unprofessional,” Bolton said Twitter responded well: they warned their users even though the risk was low and they could, in theory, have simply covered up the incident. Twitter is not a hero just for doing the right thing, but it is certainly doing much better than Equifax, which spent months hiding its data breach while its executives quietly sold their shares in a possible case of insider trading. And the SEC recently fined Yahoo $35 million for hiding data breaches that exposed billions of accounts.

Sometimes, Bolton says, it is actually appropriate not to talk about a data breach or error. If Apple finds a vulnerability and needs a week to fix it, it might be safer to keep it under wraps until a fix is available. Otherwise, hackers get a free week to exploit the vulnerability. (The ethics of such a choice is widely debated in the security world.) But in a case like Twitter’s, where a solution is available immediately, it is best to inform the public.

There is a small risk that the passwords may have ended up somewhere outside the now-deleted internal Twitter log, Bolton said. (Otherwise, Twitter should have forced everyone to change their password, not just suggested it.) But there is always a small risk. You’re probably okay to leave your front door unlocked today, but why risk it? So change your password, and if you’ve used it elsewhere, change that too. (And never reuse passwords again.) Make your password long and store it in your password manager. And enable two-factor authentication so that hackers need more than your password to log into your account.
