Twitter is asking all its users to change their passwords - and also for all other services they use that same password on. So read this and then go and change it!
The company is effectively erring on the side of caution by asking everyone to do this, but it's still worth figuring out why.
Like other companies, Twitter stores passwords in hashed form rather than as readable text, so that they can't simply be read out of its systems. However, the company's IT bods recently identified a bug that wrote passwords "unmasked" to an internal log. Yes, that means the passwords were stored in plain text.
Twitter says it has now "fixed the bug", although it sounds like amateur hour to us.
Is there evidence of wrongdoing?
Twitter says not, and claims that it is asking everyone to change passwords "out of an abundance of caution". The company adds that "our investigation shows no indication of breach or misuse by anyone... we are very sorry this happened. We recognise and appreciate the trust you place in us, and are committed to earning that trust every day".
How to change your Twitter password
You may well see a screen like the screenshot below asking you to change your password when you log in.
If you don't, go to Settings and Privacy > Change Password on the Twitter website or Settings and Privacy > Account > Change Password on the mobile app.
If you've no idea what your password was anyway, then go to Twitter's password reset page.
What else you should do
We always enable login verification, also known as two-factor authentication, for every account we possibly can. This is the single best action you can take to increase your account security: logging in also requires a code from a second device (one that's already logged in), or a code that Twitter sends you by text. Check out our article What is two-factor authentication and why you should use it.
That article will also tell you how to enable two-factor authentication for Apple, Google, Facebook and more.
To register for two-factor authentication on Twitter, go to Settings and privacy, then Account. Then go to Set up login verification and enter your password when prompted. You’ll be asked to confirm your mobile number if you already have one registered with Twitter. You’ll then be texted a code.
Once you’ve entered it into the app or site, you’ll be enrolled in two-factor authentication.
Twitter also offers two further tips: use a strong password that you don’t reuse on other websites (pretty obvious), and use a password manager to make sure you’re using strong, unique passwords everywhere. This latter point is easier said than done. While password managers like LastPass work on some platforms and browsers, they don't work across everything you use.
How does Twitter normally store passwords?
Twitter says it masks passwords through a process called hashing, using a function known as bcrypt, which replaces the actual password with a string of numbers and letters derived from it (the hash); only that hash is stored in Twitter’s system. When you log in, Twitter's systems hash what you typed and compare the result with the stored hash, so your credentials can be validated without the password itself ever being stored or revealed. This is an industry standard.
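As an added example (not the article's or Twitter's own code), here are the two halves of what the article describes: a credential store that keeps only a salted, slow hash and checks a login without ever storing the password, and a logging filter that masks password fields before a line reaches an internal log, which is the class of bug Twitter reported. bcrypt is not in the Python standard library, so hashlib.scrypt stands in for it; the user name, password and log line are constructed sample values.

```python
import hashlib
import hmac
import io
import logging
import os
import re

# bcrypt is not in the standard library, so this stand-in uses hashlib.scrypt,
# another deliberately slow, salted password hash with the same storage shape.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # work factor: raise n to slow down guessing

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'scrypt$<salt>$<digest>'; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# Anything that looks like a password field is masked before it reaches a log file.
_SECRET_RE = re.compile(r"(password|passwd|pwd)=([^\s&,]+)", re.IGNORECASE)

def redact(text: str) -> str:
    return _SECRET_RE.sub(r"\1=***", text)

class RedactSecrets(logging.Filter):
    """Logger-level filter: rewrite the formatted message so secrets never hit disk."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage()), ()
        return True

def log_login_attempt(user: str, password: str, masked: bool) -> str:
    """Write one login line the buggy way (masked=False) or behind the filter; return it."""
    buf = io.StringIO()  # stands in for the internal log file
    logger = logging.getLogger("auth.masked" if masked else "auth.raw")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.addHandler(logging.StreamHandler(buf))
    if masked:
        logger.addFilter(RedactSecrets())
    logger.debug("login attempt user=%s password=%s", user, password)  # constructed sample line
    return buf.getvalue().rstrip("\n")
```

The unfiltered logger reproduces the bug (the password lands in the log verbatim); the filtered one writes `password=***`, while the hash store still lets the login be verified.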
How to choose a strong password
Check out these top tips from Raj Samani, Chief Scientist and Fellow at security company McAfee:
- Create strong passwords. Never use family names, pets, birthdays, “12345” or “password”. Many websites and apps will prompt you to include a combination of numbers, lowercase and uppercase letters, and symbols and this is for good reason. The harder your password is to guess, the harder it is to crack.
- Use unique passwords for each of your accounts. Today’s hackers are smart: if one of your passwords is hacked, there is a high chance the hacker will try and hack all of your accounts. Use different passwords to ensure your critical information across email, social media and banking apps is protected.
- "Forgot password" problems. Relying on a ‘forgot your password’ link as a fallback option within a webmail service or other site isn’t a wise move. The answers to the questions asked to unlock your account are often easily found on the social media profiles of yourself or your friends or family, making the code easy for hackers to crack.
- Use a password manager. All of the above is great, but how are you supposed to remember 20 or more unique passwords? The answer is simple: a password manager. A password manager will help you to create complex and strong passwords and auto-saves them so you don’t have to remember each and every one.
- Double up on protection. Advances in biometric technology such as fingerprint scanning and face and voice recognition are helping to improve security. Using a password in conjunction with at least one other authentication technique will help to protect your devices and data.