Twitter CTO Parag Agrawal approached the company’s 330 million users on Thursday with an unusual security message: We made a mistake, he said. We haven’t been breached, but could you please consider resetting your password?

“Due to a bug, passwords were written to an internal log before completing the hashing process,” Agrawal wrote in a blog post revealing that the service had been recording user passwords in an internal log before hashing them. It is standard industry practice to protect user passwords by hashing them: a cryptographic hash function transforms a string of characters (like a password) into a fixed-length value from which the original string cannot practically be recovered. Storing the passwords themselves, unhashed and in plain text, is decidedly not.
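The bug class Agrawal describes is easy to reproduce and easy to check for. The following is an added example (not Twitter's code, and not from the blog post): a signup handler that logs the full request before the hash is computed, beside a hardened handler that hashes first and logs only a redacted copy, plus a scanner a defender can run over existing log lines. The handler names, the PBKDF2 parameters and the sample request are assumptions made for illustration.

```python
import hashlib
import logging
import os
import re
import secrets
from io import StringIO
from typing import Optional

# Added example, not Twitter's code. Shows the defect described above
# (a request logged in full before the password is hashed), the hardened
# handler, and a log scanner for credential fields.

PASSWORD_FIELDS = ("password", "passwd", "new_password")
PBKDF2_ROUNDS = 200_000  # assumption: any modern password KDF would do here


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns 'salt_hex$digest_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate.hex(), digest_hex)


def redact(params: dict) -> dict:
    """Mask credential fields before a request dict reaches any logger."""
    return {k: ("[REDACTED]" if k in PASSWORD_FIELDS else v) for k, v in params.items()}


def make_logger(name: str):
    """Logger writing to an in-memory buffer so the example can inspect its output."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


def signup_buggy(params: dict, logger: logging.Logger) -> str:
    # Defect: the whole request is logged before hashing, so the plaintext
    # password lands in the log file.
    logger.debug("signup request: %s", params)
    return hash_password(params["password"])


def signup_fixed(params: dict, logger: logging.Logger) -> str:
    # Hash first, then log only a redacted copy of the request.
    stored = hash_password(params["password"])
    logger.debug("signup request: %s", redact(params))
    return stored


# Detection: scan log lines for credential fields whose value is anything
# other than a redaction marker (covers "password=x" and "'password': 'x'").
LEAK_RE = re.compile(
    r"['\"]?(password|passwd|new_password)['\"]?\s*[:=]\s*['\"]?(?!\[REDACTED\])[^'\",}\s]+",
    re.IGNORECASE,
)


def find_credential_leaks(log_lines):
    """Return (line number, line) pairs whose text exposes a credential field."""
    return [(i, line) for i, line in enumerate(log_lines, 1) if LEAK_RE.search(line)]


# Constructed sample request, not real Twitter data.
SAMPLE_PASSWORD = "correct-horse-battery"


def run_demo():
    params = {"username": "alice", "password": SAMPLE_PASSWORD}
    buggy_logger, buggy_buf = make_logger("buggy")
    fixed_logger, fixed_buf = make_logger("fixed")
    stored_buggy = signup_buggy(params, buggy_logger)
    stored_fixed = signup_fixed(params, fixed_logger)
    return {
        "buggy_log": buggy_buf.getvalue(),
        "fixed_log": fixed_buf.getvalue(),
        "stored_buggy": stored_buggy,
        "stored_fixed": stored_fixed,
    }


if __name__ == "__main__":
    out = run_demo()
    print("buggy log leaks plaintext:", SAMPLE_PASSWORD in out["buggy_log"])
    print("fixed log leaks plaintext:", SAMPLE_PASSWORD in out["fixed_log"])
    all_lines = out["buggy_log"].splitlines() + out["fixed_log"].splitlines()
    for n, line in find_credential_leaks(all_lines):
        print(f"leak at line {n}: {line}")
```

Note that the stored hash is identical in both handlers; the only difference is what reaches the log. The regex scanner is deliberately loose (it favors false positives), since the cost of a missed plaintext credential in retained logs is far higher than the cost of reviewing a spurious hit.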

“How is it possible for a company to make a mistake like that? And how the hell are they logging passwords at all?” says John Adams, who led Twitter’s security team from 2008 to 2012.

Agrawal says Twitter did not suffer a data breach, nor has the company found evidence of misuse, such as a Twitter employee accessing the logged passwords. (It is unusual, but not unheard of, for employees of major online services to abuse their access to user data. This week, for example, as Facebook announced its new dating service, it fired a male security engineer at the company for allegedly using his access to stalk female users.)

While Agrawal requested that Twitter users choose new passwords to protect their accounts, the company chose not to force its users to reset their passwords. A Twitter representative declined to say when the company learned of the logged passwords, or why it chose not to require Twitter users to reset their passwords.

The Twitter representative reiterated that the company “encourages” its users to reset their passwords, and is rolling out user notifications over email and in its apps.

There are many reasons that a service might not want to force a user password reset, such as making it more difficult to log in, or skewing monthly active user numbers in either direction, says Jessy Irwin, head of security at Tendermint, a startup that helps blockchains communicate with one another.

“Twitter did the right thing, but it’s table stakes. This is the bare minimum for doing right by your users,” she says, but it leaves unanswered the bigger question of why this was serious enough to request a password reset, but not serious enough to require it—a choice that software development platform GitHub made on Tuesday, albeit for a smaller number of users.

“I don’t understand why [Twitter] wouldn’t want to reduce uncertainty and doubt,” Irwin says. “If you have 330 million users, and you can’t handle a mass password rotation, you should talk about hanging up hats somewhere.”

For Twitter users who decide to change their passwords, Agrawal made four additional recommendations:

  • Change your password for any other service where you used the same password.
  • Replace it with a “strong” password that you do not use elsewhere.
  • Add log-in verification, more commonly known as two-factor authentication, which adds an extra, one-time passcode to the log-in process.
  • Use a password manager to keep track of passwords.

Mike Wilson, CEO and co-founder of PasswordPing, a service that provides notifications about compromised credentials and breaches, says Agrawal’s advice is a good start but incomplete. The oft-repeated advice of making passwords a lengthy string of numbers, letters, and special characters that are impossible to remember is no longer considered a good security practice.

It’s better, he says, to follow the June 2017 advice from the National Institute of Standards and Technology, creating passwords that are a long but memorable sequence of simple words, in common English. And although most people don’t use two-factor authentication or password managers—surveys in 2017 found that only 28 percent of Americans have ever used two-factor authentication, and only 12 percent currently use password managers—both are crucial tools for consumer account security, Wilson says.
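The NIST guidance Wilson refers to favors length and memorability over forced mixtures of digits and symbols, and screens candidates against lists of known-bad passwords. The following is an added example, not NIST's, PasswordPing's or Twitter's code: a diceware-style passphrase generator built on Python's `secrets` module, an entropy estimate, and a checker in the spirit of that guidance. The short word list, the blocklist and the threshold values are constructed for illustration; a real deployment would load a full word list of several thousand entries and a current compromised-password feed.

```python
import math
import re
import secrets

# Added example; not code from NIST, PasswordPing or Twitter.

# Constructed stand-in for a full diceware/EFF word list.
WORDLIST = ["apple", "river", "candle", "orbit", "velvet", "mango", "tundra", "pixel",
            "harbor", "quartz", "lantern", "meadow", "cobalt", "saddle", "ember", "willow"]

# Constructed stand-in for a compromised-password feed.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}


def generate_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Pick words with a CSPRNG; the separator keeps the result easy to read and type."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Each word contributes log2(list size) bits when chosen uniformly at random."""
    return words * math.log2(wordlist_size)


def check_password(candidate: str, context_words=(), blocklist=BLOCKLIST,
                   min_len: int = 8, max_len: int = 256) -> list:
    """Return the reasons a candidate is rejected; an empty list means acceptable.

    Deliberately absent: any rule demanding uppercase, digits or symbols.
    max_len is large because the guidance is to permit long passphrases.
    """
    problems = []
    lowered = candidate.lower()
    if len(candidate) < min_len:
        problems.append("too short")
    if len(candidate) > max_len:
        problems.append("too long")
    if lowered in blocklist:
        problems.append("on known-bad list")
    # Repetitive or sequential material: a single character repeated, or
    # an obvious keyboard/digit run, gives little real entropy.
    if re.fullmatch(r"(.)\1+", candidate) or "1234" in lowered or "abcd" in lowered:
        problems.append("repetitive or sequential")
    # Context-specific words (username, service name) are guessable.
    for word in context_words:
        if word and word.lower() in lowered:
            problems.append(f"contains context word '{word}'")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase()
    print("generated:", phrase)
    print("entropy with this tiny list:", round(passphrase_entropy_bits(6, len(WORDLIST)), 1), "bits")
    print("entropy with a 7776-word list:", round(passphrase_entropy_bits(6, 7776), 1), "bits")
    for sample in ["password", "short", "aaaaaaaaaa", "twitter-alice-2018", phrase]:
        print(f"{sample!r}: {check_password(sample, context_words=['alice', 'twitter']) or 'ok'}")
```

The entropy figure is only honest when every word is drawn uniformly from the list; a phrase the user composes from favorite words has far less, which is why the generator and the checker are separate tools.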

“Given that these are consumer accounts, it’s less dangerous, if you’re already using 2FA [two-factor authentication], but if you’ve got a high-profile account, I’d go ahead and reset it,” he says. “But first and foremost, use a password manager.”