Twitter is asking its users to change their passwords


In today’s world, one of the most important cogs in cyber security is the password. Passwords are the first step of user authentication and must be kept secure. Passwords, while easy to make up and use, can be devastating if exposed, as is evident from recent breaches like Equifax and Deloitte. You need to change your password every once in a while to stay safe from any data leaks that might have compromised it, as in the case of Twitter.

What really happened

Recently, Twitter asked all its 300+ million users to change their passwords as soon as possible because of a glitch in their system which allowed passwords to be exposed momentarily inside the system. Websites usually store passwords by ‘hashing’ them. Hashing is a method by which websites scramble the password according to a hashing algorithm. The characters in the resulting ‘hash’ are completely different from the original password. It is the hash that is then stored in the website’s database. When you log in to the website again, it converts your entered password to its hashed value and checks it against the value stored in the database. You are logged in if the two hashes match.

In Twitter’s case, they had used hashing to store passwords. But before the hash was stored in the database, the password itself was being written to an internal computer’s log. This could have potentially exposed all the passwords to an outsider if their internal system got hacked. Twitter has not mentioned how many passwords were affected, but I would advise everyone to change their Twitter passwords to be on the safer side.

“We fixed the bug and have no indication of a breach or misuse by anyone,” Chief Executive Jack Dorsey said in a Tweet. “As a precaution, consider changing your password on all services where you’ve used this password.”

As Jack said, if you are using this password on other services and websites, consider changing it there as well. You should not reuse a password on more than one website. Password managers are a good way to have random passwords that are difficult to break and also easy to maintain. You can read all about password managers here.


How to change your password

To change your password, click on your profile photo on the top-right corner of the screen (for browsers). From here, select Settings and Privacy and then Passwords. Change your password to a more secure one. For more protection, you should set up multi-factor authentication which adds an extra layer of protection to your account.

Password hashes are irreversible

One of the most important properties of password hashes is that they are irreversible. This is the reason why, when you click on ‘Forgot your password’, you are not given your original password. Instead, the website asks you to set a new password. Similarly, if a website returns your original password, you can be sure that it does not ‘hash’ its passwords. Be very careful in using that website and do not keep any confidential information on it.
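To make the hash-then-store flow above, the logging bug, and the irreversibility point concrete, here is an added example (not Twitter’s code) with a constructed in-memory user store and log capture. It uses a per-user random salt with PBKDF2 (hashlib.pbkdf2_hmac) and shows the buggy registration path beside the fixed one.

```python
import hashlib
import hmac
import logging
import os

# Constructed example, not Twitter's code. Iteration count kept low so the
# example runs quickly; production deployments should use a higher value.
ITERATIONS = 200_000
DB: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, digest); constructed in-memory store
LOG_LINES: list[str] = []                 # stands in for the internal log file

class ListHandler(logging.Handler):
    """Capture log records so we can check what would have reached the log."""
    def emit(self, record: logging.LogRecord) -> None:
        LOG_LINES.append(self.format(record))

log = logging.getLogger("auth-example")
log.addHandler(ListHandler())
log.setLevel(logging.INFO)

def hash_password(password: str, salt: bytes) -> bytes:
    """One-way: the digest cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register_buggy(username: str, password: str) -> None:
    # The defect the post describes: the raw request is logged before hashing,
    # so the plaintext password lands in the internal log.
    log.info("register request: user=%s password=%s", username, password)
    salt = os.urandom(16)
    DB[username] = (salt, hash_password(password, salt))

def register(username: str, password: str) -> None:
    # Fixed: only non-secret fields are logged; the password exists only
    # long enough to be hashed, and only the salt and digest are stored.
    log.info("register request: user=%s", username)
    salt = os.urandom(16)
    DB[username] = (salt, hash_password(password, salt))

def login(username: str, password: str) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    if username not in DB:
        return False
    salt, digest = DB[username]
    return hmac.compare_digest(hash_password(password, salt), digest)

def password_leaked_to_log(password: str) -> bool:
    """Detection check a defender can run over captured log lines."""
    return any(password in line for line in LOG_LINES)
```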

Passwords are insecure and should not be the only way to authenticate yourself. Experts say they will soon be phased out, giving way to biometric scanning and multi-factor authentication. Consider using two-factor authentication, which makes sure that you have another piece of security verification (one-time PIN, text message to phone or email) so that your account stays safe even if your password is exposed. But until two-factor authentication is implemented on a large scale, we need to make sure that our passwords are safe and not easy to crack.
