Date: 2018-05-04

Twitter Password bug: Here’s why all users of the service need to change their password. (Image: AP)

Twitter users will have to reset their passwords, thanks to a new bug discovered by the company where passwords were stored unmasked in an internal log. Twitter’s Chief Technology Officer (CTO) Parag Agrawal posted on the company’s blog explaining why users will have to change their passwords. The blogpost reads, “When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log.”

Twitter says they have fixed the bug and the company’s investigation showed there was no breach or misuse by anyone of this particular bug. The post adds, “Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password.”

So what went wrong with Twitter’s password protection features? The blogpost explains that Twitter masks passwords by hashing them with a function known as bcrypt. In this process, the actual password is replaced with a set of numbers and letters, which is then stored in the Twitter system. This stored value is used to confirm account credentials without revealing the actual password. Hashing of passwords is a common industry practice.

However, in Twitter’s case the passwords were written to an internal log before the hashing process was completed. The problem here is that Twitter had an internal log where all user passwords were written and this opens up potential for misuse, both from outside and within the company. Twitter claims once they discovered the ‘error’, they removed all passwords and are “implementing plans to prevent this bug from happening again.”
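The failure described above, and one way to guard against it, as an added example that is not Twitter's code: a signup handler logs the request before hashing, and a logging filter scrubs password fields before any handler writes them. The field names, logger names and sample account are assumptions, and PBKDF2 from the Python standard library stands in for bcrypt.

```python
import hashlib, hmac, io, logging, os

SENSITIVE_KEYS = {"password", "new_password"}  # assumed form field names
ROUNDS = 200_000

class RedactSecrets(logging.Filter):
    """Replace sensitive values in dict log arguments before any handler runs."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = {k: "[REDACTED]" if k in SENSITIVE_KEYS else v
                           for k, v in record.args.items()}
        return True

def hash_password(password):
    # PBKDF2 stands in for bcrypt here (stdlib only); salt is stored with the digest.
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)

def make_logger(stream, redact):
    logger = logging.getLogger("signup.redacted" if redact else "signup.raw")
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(logging.StreamHandler(stream))
    if redact:
        logger.addFilter(RedactSecrets())
    return logger

def signup(form, logger, db):
    logger.info("signup request: %s", form)  # runs before hashing, as in the bug
    db[form["username"]] = hash_password(form["password"])

def run_demo(redact):
    stream, db = io.StringIO(), {}
    form = {"username": "alice", "password": "correct horse battery"}  # constructed
    signup(form, make_logger(stream, redact), db)
    return stream.getvalue(), db, form["password"]

if __name__ == "__main__":
    print(run_demo(redact=False)[0], run_demo(redact=True)[0], sep="")
```

The filter only catches values passed as a dict argument under the listed keys; a password interpolated into the message string before the logging call would still reach the log.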

While Twitter claims it is confident that no user password information left their system or was misused, it is still recommending that all users change their Twitter password. According to Twitter, users should change their password on Twitter and on any other service where they have used the same password. It should be pointed out that reusing passwords across different services is not recommended for user safety. For each service, users should rely on a unique, strong password.

Twitter users can also enable login verification or two-factor authentication to boost account security. They can get a verification code every time they log in to Twitter or rely on an authentication app to generate the code. Users can also rely on password manager apps to create strong, unique passwords for use across services.

