Twitter bug exposed passwords; here's how to change yours

There's no indication that a recently discovered bug in Twitter's password storage was exploited, but the social media platform recommends everyone change their password to be on the safe side.


Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Twitter has revealed a flaw in its password hashing that resulted in a plaintext log of user passwords stored on one of its servers.
  • Twitter said there has been no leak of the log, and the problem is now fixed, but it recommends all users change their passwords just in case.

Twitter recently discovered a bug in its handling of user passwords that resulted in their being stored in plain text.

The company said that there is no indication of the plaintext password log being stolen or publicly exposed but said that users should change their passwords regardless.

TechRepublic sister site ZDNet said that Twitter didn't indicate how many passwords were stored in plain text, but that the number may have been "substantial," and that the log existed for several months.

Passwords stored by Twitter are hashed using a function called bcrypt, which turns them into a string of numbers and letters. When a user signs in, the password they enter is hashed the same way and compared against the stored hash, so Twitter's system can verify it without keeping the actual password.

The bug occurred prior to the hashing process and resulted in passwords being stored in a plain text log that Twitter discovered internally. The log has since been deleted and the company is taking steps to fix the flaw.
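The failure mode described above, as an added example that is not from the article or from Twitter: a sign-up handler that writes the request to a log before hashing it, next to a logging filter that masks password fields. The page does not say how Twitter's logging worked, so the function and logger names here are hypothetical, and PBKDF2 from Python's standard library stands in for bcrypt.

```python
import hashlib, hmac, io, logging, os, re

# Constructed illustration of the bug class; not Twitter's code.
# Assumption: PBKDF2 (stdlib) stands in for bcrypt to avoid a dependency.
def hash_password(password, salt=b""):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password, salt, digest):
    # Re-hash the submitted password and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

class RedactSecrets(logging.Filter):
    """Backstop: mask password-like fields before any handler writes them."""
    PATTERN = re.compile(
        r"('?(?:password|passwd|pwd)'?\s*[:=]\s*)('[^']*'|\"[^\"]*\"|\S+)", re.I)

    def filter(self, record):
        record.msg = self.PATTERN.sub(r"\1'[REDACTED]'", record.getMessage())
        record.args = ()  # message is already formatted
        return True

def make_logger(name, redact):
    buf = io.StringIO()  # in-memory stand-in for a log file
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(buf))
    if redact:
        logger.addFilter(RedactSecrets())
    return logger, buf

def signup(form, logger):
    # The flaw: the raw form is logged before hashing, so the log holds plaintext.
    logger.info("signup request: %s", form)
    return hash_password(form["password"])

def run_demo():
    form = {"user": "alice", "password": "correct horse battery"}  # constructed
    leaky, leaky_buf = make_logger("demo.leaky", redact=False)
    safe, safe_buf = make_logger("demo.safe", redact=True)
    signup(form, leaky)
    salt, digest = signup(form, safe)
    ok = verify_password(form["password"], salt, digest)
    return leaky_buf.getvalue(), safe_buf.getvalue(), ok

if __name__ == "__main__":
    for part in run_demo():
        print(part)
```

Pattern-based redaction is a safety net for mistakes like this one; the primary control is to keep credential fields out of anything passed to a logger.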

How to protect your Twitter account

Twitter recommends that all users reset their passwords on Twitter and on any services that use duplicate passwords.

Users logging into Twitter for the first time since the bug was revealed will see a popup window informing them of the issue and prompting them to change their password. The steps listed here assume you closed that window and are starting from your Twitter feed, as well as being logged in at Twitter.com as opposed to a mobile app.

  1. Click on your picture in the upper-right side of the screen. That will open your Settings page.
  2. The third option on the left side of the Settings page should be Password. Click on that and you should see the screen shown in Figure A.
  3. Enter your old password along with a new one, which you'll have to type twice to verify.
  4. Click Save Changes, and you're all set.

Figure A: Twitter's password change screen.

Image: Brandon Vigliarolo/TechRepublic

If you don't already have two-factor authentication enabled on your Twitter account, now is the perfect time to turn it on. You can find a full how-to article on enabling Twitter two-factor authentication here at TechRepublic.

When changing passwords, don't continue bad habits. Instead, take the time to give your accounts an extra bit of security by doing the following:

  • Use a password manager to generate random passwords and store them for automatic retrieval.
  • Never duplicate passwords on multiple services. If one is hacked, the attacker will likely try logging into other websites with your stolen credentials just to see if they work.
  • Use two-factor authentication whenever possible. It provides an extra layer of security that is hard to get around.
  • Use long passwords, not just numbers and special characters. Longer passwords consisting of phrases are much harder to crack than adding a one and an @ to the end.

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.
