Thursday, July 23, 2009

How Twitter got compromised

TechCrunch has published "The Anatomy of the Twitter Attack," a detailed account of how "Hacker Croll" used people's password-selection habits, use of multiple online applications, publicly available online information about people, and flawed "I forgot my password" mechanisms to gain access first to individuals' personal webmail accounts and then to Twitter's internal systems.

It's a good idea to use randomly generated passwords, stored in a password safe, so that they're different with every service you use. It's also a good idea to split personal and corporate accounts. Lately I've taken to using randomly generated information for my "I forgot my password" answers, as well, and keeping that in my password safe just like another password.

The "secret questions" for password recovery are a vulnerability when so much personal information is being shared on the Internet. That's how Sarah Palin's email account was compromised last year, as well.
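The practice described above (a random, never-reused password per service and a random string in place of each "secret question" answer, all kept in the safe) as an added example; this is not code from the original post or from any password-safe product, and the service names, usernames and questions are constructed samples:

```python
import math
import secrets
import string

# Characters for generated passwords: letters, digits and a few symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
# Recovery answers only need to be unguessable, not memorable, so a
# lowercase-plus-digits alphabet keeps them easy to read back from the safe.
ANSWER_ALPHABET = string.ascii_lowercase + string.digits


def generate_secret(length: int, alphabet: str) -> str:
    """Return `length` characters drawn uniformly from `alphabet` via the OS CSPRNG."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and an alphabet of at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str) -> float:
    """Guessing entropy of a uniformly random string: length * log2(|alphabet|)."""
    return length * math.log2(len(set(alphabet)))


def make_safe_entry(service: str, username: str, questions: list[str],
                    password_length: int = 20, answer_length: int = 16) -> dict:
    """One password-safe record: a fresh random password plus a fresh random
    answer for every recovery question, so nothing is shared between services
    and nothing can be looked up from public information about the user."""
    return {
        "service": service,
        "username": username,
        "password": generate_secret(password_length, PASSWORD_ALPHABET),
        "recovery_answers": {q: generate_secret(answer_length, ANSWER_ALPHABET)
                             for q in questions},
    }


def build_safe(accounts: list[tuple[str, str, list[str]]]) -> list[dict]:
    """Build records for every account and refuse to emit a safe with any reused secret."""
    entries = [make_safe_entry(svc, user, qs) for svc, user, qs in accounts]
    all_secrets = ([e["password"] for e in entries]
                   + [a for e in entries for a in e["recovery_answers"].values()])
    if len(set(all_secrets)) != len(all_secrets):
        raise RuntimeError("duplicate secret generated; refusing to write the safe")
    return entries


# Constructed sample accounts (hypothetical; not from the article). Note the
# personal webmail and the corporate login are separate records.
SAMPLE_ACCOUNTS = [
    ("webmail.example", "alice", ["Mother's maiden name?", "First pet's name?"]),
    ("corp-sso.example", "alice.work", ["City of birth?"]),
]

if __name__ == "__main__":
    for entry in build_safe(SAMPLE_ACCOUNTS):
        print(entry["service"], entry["username"], entry["password"])
        for question, answer in entry["recovery_answers"].items():
            print("   ", question, "->", answer)
    print(f"password entropy ~ {entropy_bits(20, PASSWORD_ALPHABET):.1f} bits")
```

The point of the entropy figure is that a 20-character password from this alphabet carries over 120 bits of guessing entropy, and a 16-character random answer is in the same league, whereas a real maiden name or pet name is a short list an attacker can assemble from public profiles.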

4 comments:

Alex said...

I use the firefox Password Maker extension. This generates a unique password for each site, by hashing the hostname and a password I enter. This means that I only have to remember one password, yet no-one can capture the password I use on one site and reuse it. There are also versions for Opera and other environments.
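The per-site derivation scheme the comment describes, written out as an added example rather than the Password Maker extension's own algorithm: the password for a site is a function of one master secret and the site's hostname, so a password captured on one site tells an attacker nothing usable on another. The PBKDF2 construction, iteration count and 16-character truncation are this example's assumptions, not the extension's choices.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Iteration count for PBKDF2 (assumed value). It slows offline guessing of the
# master secret if one derived site password ever leaks.
ITERATIONS = 200_000


def canonical_host(url: str) -> str:
    """Reduce a URL to its lowercase hostname so that different schemes, ports
    and paths on the same host all derive the same password."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    if not parts.hostname:
        raise ValueError(f"no hostname in {url!r}")
    return parts.hostname.lower()


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Deterministically derive a per-site password from (master secret, hostname).

    PBKDF2-HMAC-SHA256 with the hostname as salt: the same inputs always give
    the same password, and different hostnames give unrelated ones."""
    host = canonical_host(url)
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              host.encode("utf-8"), ITERATIONS, dklen=32)
    # URL-safe base64 keeps the result printable; padding is stripped so the
    # password never ends in '='.
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample, not a real secret
    for site in ("https://mail.example.com/", "mail.example.com:8080/login",
                 "https://twitter.example/"):
        print(f"{site:32} -> {derive_site_password(master, site)}")
```

Two properties worth keeping in mind with this design: every site's password is only as secret as the single master, so the master must be long and never typed into a web form; and because the output is a pure function of master and hostname, changing one site's password after a breach requires adding a per-site counter or note to the input, which is the reason a stored-random-password safe is often simpler to operate.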

Eamon Knight said...

Since I use the same password (as it happens, a reasonably strong one by the standards of guessability, even against dictionary attack) for multiple on-line activities, I've recently become concerned about this vulnerability (especially since for many sites, my login info now gets automagically filled in). I assume the idea is to somewhat automate the process of maintaining an encrypted file on your machine which indexes login IDs against passwords.

A brief Google search turns up some hits, but do you (being in the biz) have any advice what to look for?

Jim Lippard said...

Eamon:

Check out KeePass (http://keepass.info/) or PasswordSafe (http://passwordsafe.sourceforge.net/).

I use the former.

Trott said...

On balance, I like this article a lot. But it (unintentionally) seems to encourage cracking (by romanticizing the cracker) as much as it encourages everyone to employ practices that will keep their accounts safe. I suppose without giving the cracker a (more than?) fair shake, they probably wouldn't have gotten the story. Again, on balance, I think it's a great article. Certainly very interesting.

I use KeePass as well and would recommend it.