2018-05-03
Twitter Says Glitch Exposed 'Substantial' Number of Users' Passwords In Plain Text (reuters.com)
Twitter is urging its more than 330 million users to change their passwords after a glitch exposed some in plain text on its internal computer network. Reuters is first to report the news: The social network said an internal investigation had found no indication passwords were stolen or misused by insiders, but that it urged all users to consider changing their passwords "out of an abundance of caution." The blog did not say how many passwords were affected. Here's what Twitter has to say about the bug: "We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard. Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."
The social networking service is asking users to change their password "on all services where you've used this password." You can do so via the password settings page.
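To make the failure mode concrete, here is an added Python example (not Twitter's code; it uses the standard library's scrypt in place of the bcrypt the post describes, since bcrypt is not in the standard library). It shows a login handler that serialises the whole request into a log line before hashing, beside one that redacts the password field first, plus an audit check over the captured log lines. The field names, log format and list of sensitive keys are assumptions.

```python
import hashlib
import hmac
import json
import os

# Keys whose values must never reach a log line (assumed list, not Twitter's).
SENSITIVE_KEYS = {"password", "passwd", "new_password", "old_password"}


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted scrypt hash (stdlib stand-in for the bcrypt the post mentions)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def redact(fields: dict) -> dict:
    """Replace sensitive values before the request is serialised for logging."""
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v
            for k, v in fields.items()}


def login_buggy(fields: dict, log: list) -> str:
    # The failure mode the post describes: the raw request is written to the
    # log before hashing completes, so the plaintext password lands in the log.
    log.append("login " + json.dumps(fields))
    return hash_password(fields["password"])


def login_fixed(fields: dict, log: list) -> str:
    # Hardened form: only the redacted copy of the request is ever serialised.
    log.append("login " + json.dumps(redact(fields)))
    return hash_password(fields["password"])


def log_leaks_secret(log: list, secret: str) -> bool:
    """Audit check: does any captured log line contain the plaintext credential?"""
    return any(secret in line for line in log)
```

Running `log_leaks_secret` over a real log export with a known test credential is a cheap way to catch this class of bug before it ships.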
You could, of course, just read the blog post to get your answer. But since you're not only an anonymous coward, but a lazy and/or incompetent one as well:
"We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.
Ok, that's it. Can anyone recommend a reputable life lock style service? One that isn't owned by the same incompetents who created this endless fuckstorm?
It's clear I need one, since there's no level of care I can take that will compensate for every single service I use being completely untrustworthy.
yo maybe you could use unique passwords
then when some stupid social media site gets hacked they dont have the login to ur bank
just sayin
Even with a good password vault, if basic security practices aren't in force, your data is up for grabs.
And your data is stored in so many places. It is, these days, not a matter of "if" but "when".
Passwords are not my concern per se. This is a symptom of endemic categorical incompetence. Plaintext. Holy hell! Plaintext!
I have to accept that my data can't be protected....scratch that, hasn't been protected and has been completely exposed many times for decades. I have to operate with that as the understanding. Security practices are only an option if I can trust service providers to...FUCKING PLAINTEXT!
Twitter is urging its more than 330 million users to change their passwords after a glitch exposed some in plain text on its internal computer network.
Remember a couple of years ago when the oft-quoted number of Twits was ~500 million? Ouch on the downgrade. They can hate on Trump internally all they want, he closes his account their total traffic goes down by 10% probably. Twitter needs Trump...think about that one for a sec.
I... that... look, that's... that's not how it works. Not at all.
If something is failing now, saying "The problem is they might get rid of that person they're keeping on to" makes little or no sense.
Trump might be the reason 170M people are gone. Or it might be the Neo-Nazis. Or it might be the harassment squads. Or it might be that their website is shitty and they keep adding "Features" nobody wants that actually make it harder to use, like that idiot "Let's treat "likes" like "retweets"" thing they
They didn't store the password in plain text (intentionally). They appear to have a user action logging system that logged user inputs, including the password field. Just as dangerous, but at least they gave it some thought.
One site being affected by a bug like this is a fluke. Two being affected by the same bug is a pattern.
This seems like an awfully convenient way for someone to maliciously gain access to somebody else's account on sites that do stupid things like locking you out after a certain number of failed login attempts:
I don't understand why anyone would use bcrypt. Although scrypt is newer and in terms of security, that usually means safer. scrypt requires a lot more memory which isn't a problem for their servers when comparing hashes, but it blocks FPGAs from brute force attacks.