How Twitter’s Password Screwup Might Have Happened

Last week, Twitter revealed that it had accidentally stored some user passwords in plain text, and thus suggested that all users change their Twitter password. It was bad. But honestly not that bad, according to Tristan Bolton, founder of enterprise cloud provider BoltonSmith. We talked to him about how it might have happened, and how it could have been worse.

Photo: Steve Voght

How it normally works

First, here’s what was supposed to happen to your password. As Twitter CTO Parag Agrawal explained when announcing the mistake, the service normally never stores your actual password. When you make a Twitter account or change your password, Twitter encrypts it by running it through an algorithm to get a “hash” – a long string that’s like a coded translation that only works one way. (It probably also “salts” the hash, so that if two people use the same password, the two stored hashes aren’t also the same.)

Twitter stores that encrypted hash instead of your actual password. Every time you log in, Twitter turns your entered password into a hash again, and checks it against its stored hash. If they match, it lets you in. If they don’t match, it doesn’t.

While you can always turn the password into the hash, you can’t turn the hash back into the password. (It’d be kind of like turning a smoothie back into strawberries and milk.) This means that if someone ever hacked into Twitter’s database of hashes, they still wouldn’t have everyone’s passwords.

Because people are hacking into databases all the time, it’s crucial that services don’t save users’ actual passwords. So, says Bolton, it’s become such standard practice that every computer science student learns it. Even small informal services usually turn passwords into hashes. This wasn’t always the case; it became much more common after multiple high-profile breaches that exposed millions of accounts.

What can go wrong

But Twitter says that at one point, it failed to do this. Bolton explains how that might happen: Developers often run their software in debug mode, which produces detailed logs of everything the software does. “When you are building an application, you often want very detailed logs to see what is going on to easily troubleshoot and/or verify that the app is working as intended,” he says.

But occasionally a developer forgets to turn off debug logging before taking a system live. This means that the system keeps logging data it doesn’t need – or data it isn’t supposed to log. And that can include unencrypted passwords. This, Bolton says, could be what happened at Twitter. (We asked Twitter to confirm; they declined to comment.)

Twitter’s response

According to Bolton, while the mistake was “very unprofessional”, Twitter’s response wasn’t: They alerted their users even though the risk was low, when they theoretically could have just hidden the incident.

While Twitter might not be heroes just for doing the right thing, they’re certainly a lot better than Equifax, which tried hiding its data breach for months, while its executives quietly sold their stock in a possible case of insider trading. And the SEC recently fined Yahoo $US35 million ($47 million) for hiding data breaches that exposed billions of accounts.

Sometimes, Bolton says, it’s actually appropriate to keep quiet about a data breach or mistake. If Apple discovers a vulnerability and needs a week to fix it, it might be safer to keep it secret until the fix is available. Otherwise hackers will have a free week to exploit the vulnerability. (The ethics of these choices are highly debated in the security world.) But in a case like Twitter’s, where the solution is immediately available, it’s best to inform the public.

There’s little risk that the passwords made it anywhere outside of Twitter’s now-deleted internal log, says Bolton. (Otherwise Twitter would need to force everyone to change their password, not just suggest it.) But there’s always a slight risk. You’re probably fine if you leave your front door unlocked today, but why take the chance?

So change your password, and if you used it anywhere else, change that too. (And never reuse passwords again.) Make your password long, and store it in a password manager. And turn on two-factor authentication so hackers need more than your password to log into your account.