Password Health
4 minute read | Last updated 3-May-2018 | 
Security, Culture Change
Twitter announced an unfortunately internal issue that exposed all users passwords in an unecrypted format. They were up front and honest about the issue and that should help minimize the risk.
Mistakes like this happen. It’s how a company handles that is the difference. Upfront and honest about them is by far the best approach.
Opportunity?
While it’s frustrating to have to change you Twitter password through no fault of your own, it shouldn’t be, but I’ll get to that a little further on.
Changing you password will bring you into the settings area of your Twitter account and this is where you can can three simple steps to increase your security and privacy;
- Change your password to a passphrase
- Enable “login verification” a/k/a multi-factor authentication (MFA)
- Review the 3rd party applications connected to your account
Passphrase
The first step is to use a passphrase instead of a password. A passphrase should be a collection of random words that have meaning for you. The easiest way to remember this is through a visual. NIST (a key standards & guidance organization) recommends a visual to tie it all together.
This fantastic XKCD cartoon sums it up nicely.
Better yet, instead of using your new passphrase to secure your Twitter account, you should use it to secure your password manager.
Password Manager
What’s a password manager? This is an app that should live on your desktop/laptop/phone/tablet that generates and stores all of your passwords for you. You set one strong passphrase to secure the app and the app will take care of the rest.
I don’t know my Twitter password (or Facebook or LinkedIn or any others). I know that each of them is a really long random string of characters that I could never remember in a million years. If I really wanted to, I could find out what each password is, but why would I want to?
I have memorized my strong passphrase and that unlocked my password manager every time I need to login to a service or application. The provided browser extension automatically fills in my credentials online and I simply copy & paste the credentials into native apps when needed.
Is it a perfect solution? No.
But it goes a long way to address the weaknesses of and risks associated with password usage.
Login Verification
Login verification is Twitter’s name for multi-factor authentication. This is a technique where something you have (like a smartphone or hardware token) or something you are (like a fingerprint or other biometric) is used with your username and passsword to authenticate you.
The idea is simple, a hacker can steal your username and password from a site or service but it’s unlikely that they also have access to your or your phone.
This is all about reducing risk and it’s a great solution that balances usability with security.
Turn it on ASAP!
3rd Party Applications
While you’re on the settings page, this is a great time to review the other applications you’ve connected to your account.
Over time, it’s only natural to connect more and more applications to your Twitter account. The questions you need to ask in a review are simple;
- Do you still use this application?
- Are the permissions it has appropriate?
A quick click will revoke the permissions for any application. If you make a mistake, most applications will prompt you to quickly reconnect the next time you login.
Stronger Than Before
This is a frustrating situation for sure but it’s also an opportunity to tune up your account health. The advice here should be applied to all of your social media accounts, not just TWitter!
Remember;
- Passphrase not password
- Use a password manager whenever possible
- Change a password every year or when there is a trigger
- Use multi-factor authentication (login verification on Twitter) everywhere
- Regularly review the 3rd party applications connected to your accounts
