Twitter Users Still Log in with Old, Vulnerable Passwords
Twitter users who changed their passwords after last week’s cyber-attack find that their apps are still logged in, according to The Register. Apps using the Twitter API, including the company’s own, keep working without asking users to enter the new password, because they hold an authorization token issued before the change rather than the password itself.
“A password change performed on the web did not, however, cause Twitter’s own apps for iPad (under iOS 5.1.1 on an iPad 1) or iOS (under iOS 6 on an iPhone 5) to prompt us for the new password,” The Register said. “Instead, it remained possible to post tweets from both.”
Users complained that they were prompted for the new password only after deleting and reinstalling the apps. Technology journalist Alex Kidman also tweeted from an Android handset without being required to enter his new password.
“TweetDeck and other clients use OAuth, so as long as you don’t sign out, you don’t have to re-input your credential every time you open the app,” a Twitter representative told The Register.
OAuth is an open standard for authorization that lets a client (an app such as TweetDeck) act on the user’s behalf without ever seeing the password: the user signs in and approves the app once, and the service hands the app an access token, which the app then presents on every API call. Twitter’s API used OAuth 1.0a, whose access tokens do not expire, so a token issued before the breach stays valid until the service revokes it. A password change only invalidates the token if the service deliberately revokes outstanding tokens when the password changes, which is what users expect and what Twitter did not do. Anyone who suspects an app or device has been compromised must therefore revoke its access explicitly (Settings > Apps > Revoke access on twitter.com) rather than rely on a password change.
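To make the distinction concrete, here is an added example, not code from the original article or from Twitter, modelling a toy authorization server. It is simplified to bearer-style tokens (real Twitter clients held an OAuth 1.0a token and secret and signed each request), and all names, accounts and the "TweetDeck" client are constructed. The naive variant behaves like the service described above: the token keeps working after a password change. The hardened variant stamps each token with the credential generation current when it was issued and bumps that generation on every password change, so old tokens are rejected; explicit per-app revocation works in both.

```python
"""Toy OAuth-style authorization server (constructed example, not Twitter's code).

Shows why changing a password does not by itself log out apps: the app
holds an access token, not the password. The hardened server ties each
token to a credential generation counter that a password change bumps.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 50_000  # kept modest so the demo runs quickly


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    credential_generation: int = 0  # incremented on every password change


@dataclass
class Token:
    user: str
    client: str
    generation: int  # credential generation at the time the token was issued


class AuthServer:
    def __init__(self, revoke_tokens_on_password_change: bool) -> None:
        self.revoke_on_change = revoke_tokens_on_password_change
        self.accounts: Dict[str, Account] = {}
        self.tokens: Dict[str, Token] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def _check_password(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))

    def authorize_app(self, user: str, password: str, client: str) -> Optional[str]:
        """OAuth-style grant: user proves the password once, the app receives a token."""
        if not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = Token(user, client, self.accounts[user].credential_generation)
        return token

    def api_call(self, token: str) -> Optional[str]:
        """The app presents only the token; the password is never sent again."""
        t = self.tokens.get(token)
        if t is None:
            return None
        acct = self.accounts[t.user]
        if self.revoke_on_change and t.generation != acct.credential_generation:
            return None  # issued under an older password: treat as revoked
        return f"tweet posted as {t.user} via {t.client}"

    def change_password(self, user: str, old: str, new: str) -> bool:
        if not self._check_password(user, old):
            return False
        acct = self.accounts[user]
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new, acct.salt)
        acct.credential_generation += 1  # what makes old tokens stale in the hardened server
        return True

    def revoke_app(self, user: str, client: str) -> int:
        """Explicit per-app revocation (the Settings > Apps > Revoke access path)."""
        doomed = [k for k, t in self.tokens.items() if t.user == user and t.client == client]
        for k in doomed:
            del self.tokens[k]
        return len(doomed)


def demo(revoke_on_change: bool) -> Tuple[bool, bool, bool]:
    """Returns whether the app's token works (before change, after change, after revoke)."""
    srv = AuthServer(revoke_on_change)
    srv.register("alice", "correct horse")
    tok = srv.authorize_app("alice", "correct horse", "TweetDeck")
    works_before = srv.api_call(tok) is not None
    if not srv.change_password("alice", "correct horse", "battery staple"):
        raise RuntimeError("password change unexpectedly failed")
    works_after_change = srv.api_call(tok) is not None
    srv.revoke_app("alice", "TweetDeck")
    works_after_revoke = srv.api_call(tok) is not None
    return works_before, works_after_change, works_after_revoke


if __name__ == "__main__":
    print("naive    (like Twitter in 2013):", demo(False))  # (True, True, False)
    print("hardened (revoke on change)    :", demo(True))   # (True, False, False)
```

The generation counter is cheaper than enumerating and deleting every token at password-change time and has the same effect; production systems often use the password’s last-changed timestamp for the same purpose. Either way, the lesson for users is unchanged: if a device or app may be compromised, revoke it explicitly.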
Twitter announced it had been hacked on Feb. 1. About 250,000 of its 200 million active users had their usernames, email addresses, session tokens and salted password hashes exposed. The cyber-attack may be part of a larger campaign related to the recent New York Times and Wall Street Journal breaches.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” Twitter’s Director of Information Security Bob Lord said. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”
All Twitter users should reconsider their passwords and security status. Here are some tips and tricks:
- Use a strong, unique password on every account. A reputable password manager is the most practical way to do this; if you prefer to memorize them or write them in an old-fashioned notebook, keep that notebook physically secure. Avoid deriving site passwords from a single master password by a simple rule, since one leaked password can reveal the rule for all the others. Be equally careful with security questions: your mother’s maiden name and your pet’s name are common recovery questions at e-mail and banking services, and both are easy to find on social network accounts.
- Avoid reusing the same username and password combination across websites. Be unpredictable and choose passwords of ten characters or more with mixed character types: upper- and lowercase letters, numbers, and symbols.
- Ignore grammar when writing passwords, recent research says. Grammar, good or bad, offers clues to hackers because it narrows the possible word combinations and sequences. A password with more nouns could be more secure than one composed of “pronoun-verb-adjective-noun.”
- Make sure your passwords aren’t newcomers on the 2012 list of the worst passwords, and won’t appear on this year’s either. “Jesus” and “Ninja” joined older entries such as “password”, “123456” and “12345678” in the list of the weakest passwords. Other newcomers included “welcome”, “mustang” and “password1”.
- Check the security settings of your browser. Some offer to “remember passwords for sites” by default; passwords saved that way can be read by malware on the machine or by an attacker exploiting a browser vulnerability, so disable the option unless the store is protected by a master password.
- With Twitter users expecting to be told to change their passwords, phishing campaigns will target them to steal their credentials. Don’t click links in messages claiming to come from the microblogging network; type twitter.com into the address bar yourself and log in there.
- Keep your security software up to date. If you haven’t already, install an antivirus solution that will protect you from e-threats, malware attacks, phishing and spam.
- For social network accounts such as Twitter and Facebook, use the free Bitdefender Safego application, which protects you and your friends from the latest scams. On Twitter, Bitdefender Safego scans for and detects fake profiles set up to flood your account with spam. It also filters your feed for tweets that may contain malicious links to phishing or malware pages.