Twitter said to change your passwords, and they’re only half right
Last week Twitter disclosed all of its 336 million user accounts were at risk because the passwords were stored on an unprotected log file. As a Twitter user, I promptly changed my password and in the process discovered that over the years I had linked my Twitter account to dozens of applications, many of which I don’t even use anymore (hello TweetDeck). That prompted me to clean up my Twitter act. And then I sat down with Forcepoint’s chief scientist, Richard Ford, to make sense of what happened and what lessons we can glean on user identity and data protection.
Liem Nguyen: What’s your take on the Twitter issue – is this a serious problem or much ado about nothing?
Richard Ford: I think Twitter very much did the right thing here: they had no hard evidence that these passwords had been spilled outside their walls, but decided to go public to be sure. That’s a good step, and for that, they get a gold star, so well done Twitter!
Second, Twitter has provided support for two-factor authentication for quite some time, so if you have an account you really care about, using some form of 2FA would mean that even if your password was leaked, no real harm was done. So again, I’d consider all of that positive. There’s a lot of good to celebrate here, as odd as that sounds.
Broadening the aperture a bit, let’s talk about this in the sense of the overall ecosystem. As a security practitioner with over a quarter of a century (gosh, when I write it like that it sounds like forever!) experience, I’m still surprised that high-value accounts can be protected with just a simple password in 2018! We can and should do better, and I’d like to hope this is a bit of a nudge to do that.
LN: Did Twitter have to disclose this?
RF: While I cannot speak to the legal aspect (I will leave that to the attorneys), I will say “have to” is quite nuanced. Legally, there are breach notification laws that Twitter would likely be subject to – for example, California led the way here with a requirement that applies “to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” The shades of grey here are around whether the presence of the passwords in an internal log file for some period of time is covered.
In addition, Twitter is a global company, operating in multiple jurisdictions, so it’s possible that the answer would be “yes” in some places, and “maybe” or “no” in others. For example, when GDPR comes into effect, it comes with obligations around disclosure. Again, though, there could be discussion about whether this was “unlikely to result in a risk to the rights and freedoms” of the impacted users. It will be interesting to see how this is interpreted.
LN: Why do you think Twitter disclosed the potential breach? After all, there’s no evidence that these authentic credentials were misused.
RF: I can’t speak for Twitter, but I can offer a few reasons that I would have done it in their position. First, I might have concluded that this did pass the bar for legally requiring notification. In that case, you have a simple choice: break the law or do the right thing. Of course, you adhere to the legal obligations you have. Another possibility is simply what we might assume by reading this at face value: it’s out of an abundance of caution. Institutional trust is critical in the online ecosystem, so maybe the calculus was about minimizing downside risk in the event that someone had looked at those passwords and that information someday got out to the media, either directly or indirectly.
However, I prefer to think of this as a company just deciding to do the right thing and accept the publicity hit. There’s a risk to users, however small, and they decided that letting people know was simply the more socially responsible thing to do. I don’t believe social responsibility is dead – so in the absence of any other data, I’m going to go with that. Bluntly, I also think it’s smart; as I said before, in the event that it all came to light later after actual accounts had been breached, it would have been awful – and avoidable.
LN: What’s the next step?
RF: I do think the bigger picture here is the shock (and some level of frustration) I have that we still rely on passwords as much as we do. To me, there are lots of more effective ways to at least bolster the protection provided. Most users continue to know the dangers but still reuse passwords or use passwords that are weak. There are alternatives, and I hope we adopt them more broadly over the coming year.
For starters, embrace 2FA (two-factor authentication), don’t reuse passwords, and you will be safer online, period. Even well-intentioned systems like Twitter can – as we’ve seen – inadvertently leak information to insiders. While defense in depth helps here (solutions that look at data exfiltration and file access, for example, would help determine that nothing was taken, at least in bulk), users have to be savvy and take a bit of control over their own destiny in order to minimize their own personal exposure.
In addition, having to remember lots of passwords results in security friction – and that’s bad for everyone (I just got back from the RSA Conference where I gave a talk on Cyber Fatigue. Friction is a major driver for bad practices). Even once a user is authenticated, there’s the concept of “continuous authentication” where a risk-adaptive system looks at behaviors to try and be sure they are not the result of a compromised account. It’s important to remember that authentication shouldn’t be viewed as a “single point in time” attestation, but also as a process (and a critical one at that).
As for me, I’ll be getting online as soon as I get done here and resetting my password… and just so we’re clear on this, “Password123!” would be a bad choice. Just saying.