Twitter glitch exposes glaring security issue: ‘We need to ditch the password completely’

The inventor of the computer password calls it 'a bit of a nightmare'

Anthony Cuthbertson
Friday 04 May 2018 11:00 EDT
Comments
Twitter told all 330 million of its users to change their passwords following a 'bug'.
Twitter told all 330 million of its users to change their passwords following a 'bug'. (REUTERS)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Revelations that Twitter stored the passwords of all 330 million of its users without encryption highlights how the outdated verification method needs to be replaced, according to security experts.

In a blogpost on Thursday, 3 May, Twitter’s chief technology officer blamed a bug in the company’s system that stored passwords in plain text on an internal log. Parag Agrawal said there was no evidence of misuse but urged users to change their password out of “an abundance of caution”.

Fittingly, Mr Agrawal’s announcement came on World Password Day, which aims to draw attention to vulnerabilities that result from having a weak password—but simply changing a password may not be enough to protect people’s online accounts.

“Even though Twitter users’ details were not exposed to malicious actors in this instance, it just goes to show that relying solely on usernames and passwords is irresponsible,” James Romer, chief security architect at cybersecurity firm SecureAuth and Core Security, told The Independent.

“With the majority of data breaches occurring due to lost and stolen credentials businesses need to look seriously at how they provide identity security. Ultimately, we need to ditch the password completely.”

It is a view shared by Brett McDowell, executive director of the Fast Identitiy online (FIDO) alliance - a global non-profit trade association developing technical standards for new authentification methods.

"Passwords are no longer fit for purpose, a fact highlighted in numerous studies that attribute password compromise as the root cause for the vast majority of data breaches that have taken place in recent years," Mr McDowell said in an emailed statement.

“This story demonstrates exactly why we don't want our credentials being stored and managed in central databases, they become vulnerable to mass exposure."

It is not the first time security experts have looked towards a post-password future, with major cyber security breaches continuously exposing the vulnerability of passwords as a method of verification.

Even the man credited with inventing the computer password in the 1960’s refers to them as “a bit of a nightmare,” and says he never expected them to become so ubiquitous. Fernando Corbató created the first known computer passwords more than 50 years ago, long before the advent of the World Wide Web.

“We didn’t foresee the current internet,” Mr Corbató told The Wall Street Journal in 2014. “Passwords are not a super high level of security, but are enough to protect against casual snooping.”

In this photo illustration, A woman is silhouetted against a projection of a password log-in dialog box on August 09, 2017 in London, England. With so many areas of modern life requiring identity verification, online security remains a constant concern, especially following the recent spate of global hacks.
In this photo illustration, A woman is silhouetted against a projection of a password log-in dialog box on August 09, 2017 in London, England. With so many areas of modern life requiring identity verification, online security remains a constant concern, especially following the recent spate of global hacks. (Getty Images)

Despite their flaws, there is currently no clear successor to passwords. Increasingly, companies are adopting biometrics to confirm a person’s identity, such as their fingerprint or facial features, however this requires specialist hardware that is usually only found on high-end smartphones.

Other more leftfield options include embeddable chips, electronic tattoos and password pills that transform a person’s body into an authenticator. All of these were developed by the inventor Regina Dugan, who has worked at both Google and Facebook, however none are likely to see widespread adoption.

Instead, companies need to look towards what Mr Romer refers to as “adaptive authentication”, which combines techniques such as geographic location analysis and device recognition in order to determine who is logging onto an account.

While new verification methods will make devices and online platforms safer from hacks and attacks, ultimately they will need to be simple and easy to use if they are ever to be used on the same scale as usernames and passwords currently are.

“Ultimately, if done properly moving away from passwords would make things far easier for end users,” Mr Romer said.

“Passwordless solutions are more secure, and provide less friction for the user and forgotten and stolen passwords would be a thing of the past.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in