Twitter is advising all of its more than 330 million users to change their passwords ASAP after the firm discovered that user passwords had been inappropriately stored in plain-text in a log file.
While Twitter made the recommendation out of an “abundance of caution” it noted explicitly that its investigation to date has not found any evidence that any of the at-risk passwords were actually obtained by unauthorized parties or otherwise compromised.
I am puzzled as to how Twitter ended up storing passwords in clear text in a log file — in production environments, website and app login passwords are supposed to be immediately hashed when created, and only the hashes stored anywhere — but, somehow, this situation arose.
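As an added illustration of the failure mode described above (example code written for this page, not Twitter's own; the handlers, logger names and sample credential are constructed), the first signup handler logs the raw form before hashing, so the plaintext password lands in the log, while the second hashes first and logs only the username:

```python
import hashlib
import hmac
import io
import logging
import secrets

# Constructed sample credential for the demo; not real user data.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"
ITERATIONS = 600_000  # PBKDF2 work factor; tune to your hardware

def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex' (PBKDF2-HMAC-SHA256, random 16-byte salt)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def signup_leaky(form, log):
    """Defect: the whole form is logged before hashing, so the password
    reaches the log file in the clear."""
    log.info("signup request: %s", form)
    return hash_password(form["password"])

def signup_safe(form, log):
    """Hash first; the log line carries only the username and the event."""
    stored = hash_password(form["password"])
    log.info("signup request: user=%s", form["username"])
    return stored

def password_leaks_into_log(handler):
    """Run a handler against an in-memory log and report whether the
    plaintext password appears in what was written."""
    buf = io.StringIO()
    log = logging.getLogger("demo." + handler.__name__)
    log.setLevel(logging.INFO)
    log.propagate = False
    stream = logging.StreamHandler(buf)
    log.addHandler(stream)
    try:
        handler({"username": SAMPLE_USER, "password": SAMPLE_PASSWORD}, log)
    finally:
        log.removeHandler(stream)
    return SAMPLE_PASSWORD in buf.getvalue()
```

The same in-memory log check can be run in a test suite against every handler that touches credentials, which catches this class of logging defect before it reaches production.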
Of course, changing passwords after such an incident is theoretically ideal, and one can understand why Twitter would issue such advice (especially from a liability-reduction standpoint).
But, for many people, changing passwords might be a bad idea. And Twitter’s advice also has a dangerous downside.
If changing your password on the Twitter site in a panic now is going to lead to your creating a weak password that you can more easily remember, it is probably better to do nothing than to change your password. Remember, Twitter has not detected any unauthorized access, so if you have not seen any signs of problems with your account to date, the odds that your password was actually compromised are likely tiny compared with the odds that a weak password created now could lead to problems in the future. Of course, you should also be using multi-factor authentication for Twitter, and, if you are reusing your Twitter password elsewhere, you should strongly consider changing that practice.
But there is a bigger issue that should be raised: telling people to change passwords when they don’t really need to do so increases the risk that they will ignore advice to change passwords when doing so is truly necessary. If, for example, people who change their passwords now find out that none of their friends changed theirs, yet none of those friends suffer any breaches of their Twitter accounts in the coming weeks, all involved are less likely to listen to cybersecurity experts when the latter recommend password changes in the future, even if (and when) situations arise in which changing passwords is critically important.
Furthermore, there is a small, finite number of times that people can be told to change passwords before an inverse correlation develops between the frequency with which they are forced to change their passwords and the strength of those passwords, so asking folks to change passwords when doing so is not really necessary may harm security (even at Twitter itself) more than it helps.
Hence, while Twitter’s notification about the passwords put at risk is certainly laudable – such notification goes beyond contemporary norms – its recommendation to change passwords in such a situation of little actual risk may be of little true security benefit to Twitter (other than from a liability-reduction standpoint), but likely increases cybersecurity risks at a macro level.
To learn more about why you should not change your password after most data breaches please see the article Why You Should Ignore Everything That You Have Been Told About Passwords.
The following is the alert that Twitter gave to users: