Facebook and Twitter: weak passwords and insecure users are the cause of security issues

According to the Techradar.com newswire, Del Harvey, Twitter's director of trust and safety, said that the Twitter IT security team numbers around the 20 mark, out of an employee headcount of 160 at the Twitter offices.

Harvey explained that Twitter is trying to educate users about security.

"Everyone knows at least one person who says 'I use the same password on every site – but it's a really good one', or 'I use different passwords on every site – I take the first letter of the site and the last letter of the site and then I put my birth year in the middle'", he said.

Ryan McGeehan, Facebook's security manager for incident response, was apparently also in internet-user-blaming mode, saying: "Awareness is a major thing for us, too. The number of individuals who use the same password across multiple sites is astounding."

"So, for instance, if some obscure web forum that you are a part of gets compromised and the database gets leaked, and the passwords are stored in clear text, then the person who stole that database decides to try all of those usernames and passwords on other sites, the success rate is astounding", he said.

"It's an awareness issue; it's a security issue for any site that is dealing with usernames and passwords", he added.

Harvey and McGeehan's comments have drawn criticism from the IT security industry, most notably from Imperva, where Amichai Shulman, chief technology officer with the data security specialist, said that internet history has shown that, if you mandate users to do something in return for a free service, they will do what you want – which is good news on the password front.

According to Shulman, social networking site operators should not tell users what software they should have on their computers – the companies should start to take responsibility and ownership of the user security issue, and act accordingly.

Website operators, he explained, should seriously acknowledge their responsibility for these security issues rather than simply throw them back at their users.

The internet, he went on to say, is still a relatively new and exciting experience for many users and, whilst a lot of companies are making a profit from this brave new world, there is still a need for those same businesses to invest in educating their members about the need for secure passwords.

"Requiring users to set up a secure password won't detract from the numbers of users flocking to these free-to-use services, but it will dramatically boost their security", he said.

"And making the services more secure will gain the longer term trust of the membership, which will be repaid as those users tell others about their experiences," he added.
