Password Security Issues Raised when Twitter Hacked

The New York Times reported in Twitter Hack Raises Flags on Security that a hacker had broken into confidential information about Twitter by breaking into a Twitter employee’s email account.

Once in the email account, the hacker gained access to the employees Google Docs information, where much of the confidential data about Twitter is stored. Then the hacker sent the confidential information to Michael Arrington at Tech Crunch. Tech Crunch published some of the documents. A controversy arose over whether Tech Crunch was right to publish stolen documents, but I’m going to leave that topic alone for now.

Instead, I want to focus on what you can do to protect yourself from password hackers.

When a whole business can be exposed based on the vulnerability of one employee’s password, it’s time to think about making your passwords more secure. As SEO Techniques and Tips explains in Twitter Hacked! More online security concerns crop up,

The techniques used by the attackers are just a small part of a broader trend promoted by different technology companies toward storing more data online, instead of computers under your control.

The shift toward doing more over the Web – a practice known as “cloud computing” – means that mistakes employees make in their private lives can do serious damage to their employers, because a single e-mail account can tie the two worlds together.

You’re probably a blogger, or on Twitter. You’re revealing your name, your city, your kid’s names, your dog’s name, your birthday. All that is now public information. So the first rule of safe password building is don’t use anything obvious and personal like your kid’s name.

You have to come up with something unique and not related to your personal information.

When Megan Smith asked BlogHers what they do to keep track of passwords, one suggestion from TW was to use song lyrics.

Solution: Song lyrics. For example baa baa black sheep have you any wool? becomes Bbbshyaw00l?

This is a great idea for random character generation for passwords, particularly if you replace some of the letters with numbers and use a mix of upper and lower case as TW’s example shows.

Now that you have a random password you can remember, you can use it everywhere, right? Nope. Wrong. Do not use the same password everywhere. Particularly with important sites like banks, Google Docs or other storage in the cloud, PayPal, and your credit card company. You need a strong and unique password for each important site you visit.

What constitutes a secure password? In this article on Passwords at Time Goes By, I suggested 7 characters. My programmer friend Taylor came along and responded that you need at least 8 characters.

The first thing is password length. Be sure your passwords are at least 8 characters not 7 as the article suggests. The difference between 7 and 8 is significant. Given a character set is roughly 52 alpha characters (upper/lower) + 10 digits + ~12 symbols or 74 characters total:

7 char password gives 12,151,280,273,024

8 char password gives 899,194,740,203,776

What that means is it will take a good deal longer for someone to try to brute force crack the 8 char password.

If the site is important (eg. banking) and supports more than 8 characters then use the extra characters. Many banks support up to 16 now days.

If you’re like me, you are running into memory issues about now. Unique passwords of 8 characters or more that are random sets of characters for all your important sites—how do you track all that?

Software is the answer for many people. Taylor suggested the free choice GnuPG. Miraz at MacTips suggests 1Password. In Share files easily with Dropbox, Miraz says,

I use the fabulous 1Password to store all my passwords.

1Password is available as an iPhone app. To get into it on your phone, you need a PIN and a master password. Make sure both of these are secure.

Some people write all their passwords down in a notebook and store the notebook in a secure location like a safe or a bank safety deposit box. This is a good practice if your relatives know where the notebook is, because they may need to access the accounts in the event of your death. A secure location for the notebook is not in the same carrying case that you use to lug your computer through the airport, or under the keyboard of your computer.

Tell that one trusted relative with a need to know how to find your passwords in the case of an emergency.

Cross-posted at BlogHer.

Leave a Reply