Twitter breach: Time for new password approaches?

It is likely that the hackers, who gained access to multiple Twitter accounts and started sending spam tweets asking for $250, were able to accomplish their goal thanks to the widespread practice of using weak passwords for convenience or, worse, using the same password everywhere. Ironically, it could be password security requirements that make such behavior so common.

For instance, prevailing dogma holds that passwords should be complex and frequently changed. But Andrew Jaquith, CTO of Perimeter E-Security and a former Forrester analyst on password security, offered a countervailing opinion in an emailed statement to Infosecurity.

“Requiring employees to change their passwords every 90 days just annoys them, and they will do highly insecure things to cope as a result,” he said. “They will scribble passwords on sticky notes, re-use the same password everywhere or make the absolute smallest changes to their passwords that they can while still complying with policy.”

For example, an employee might pick a “complex” eight-character password that includes the digit 1, and then simply increment that digit every 90 days – a predictable pattern that attackers are well prepared to exploit. Even worse, because passwords must be changed so often, IT managers use the shortest passwords their regulators will let them squeak by with: eight characters.

“For these reasons, researchers from Microsoft, Cambridge University and other institutions have concluded that password aging is a massive waste of time,” Jaquith explained. “It’s far better to require comparatively longer passwords that never change, such as passphrases or mnemonic passwords. Although employees will face a slightly longer learning curve initially, once they commit them to memory, they become reflexes. The best part: long passphrases can’t be broken as easily, so you’ve increased security and productivity at the same time.”
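Both points above can be put in numbers: how little an “increment the 1” rotation actually changes a password, and how much larger the search space of a long passphrase is than that of an eight-character password. The script below is an added example, not code from the article or from Perimeter E-Security. Its alphabet sizes (94 printable ASCII characters, a 7,776-word passphrase list), the assumed offline guess rate, and the minimal-change rule in `is_minimal_change` are illustrative assumptions, not a published standard.

```python
import math
import re

# Assumed alphabet sizes (illustrative, not from the article).
PRINTABLE_ASCII = 94          # upper, lower, digits and punctuation
WORDLIST_SIZE = 7776          # size of a typical diceware-style word list


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random secret of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given offline guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_minimal_change(old: str, new: str, max_distance: int = 2) -> bool:
    """Policy check for the 'increment the 1' pattern (assumed rule, not a standard):
    reject the new password if it is the old one with only its digits changed,
    or if it differs from the old one by at most `max_distance` edits."""
    if old == new:
        return True
    stem_old = re.sub(r"\d", "", old).lower()
    stem_new = re.sub(r"\d", "", new).lower()
    if stem_old == stem_new:
        return True
    return edit_distance(old.lower(), new.lower()) <= max_distance


def compare_policies(rate: float = 1e10) -> dict:
    """Contrast an 8-character complex password with a 5-word passphrase
    at an assumed offline rate of `rate` guesses per second."""
    short_bits = search_space_bits(PRINTABLE_ASCII, 8)
    phrase_bits = search_space_bits(WORDLIST_SIZE, 5)
    return {
        "8char_bits": short_bits,
        "8char_years": years_to_exhaust(short_bits, rate),
        "passphrase_bits": phrase_bits,
        "passphrase_years": years_to_exhaust(phrase_bits, rate),
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name:>17}: {value:,.2f}")
    # Constructed sample rotations: one that only bumps the digit, one real change.
    print("minimal change:", is_minimal_change("Welcome1!", "Welcome2!"))
    print("minimal change:", is_minimal_change("Welcome1!", "amber-kettle-orbit-velvet-loop"))
```

At the assumed rate, the eight-character space is exhausted in days while the five-word passphrase takes decades, and the minimal-change check catches a rotation that merely bumps a digit while accepting a genuinely new passphrase. In a real deployment the old password is not available in the clear, so a check like this would run at change time, when the user supplies both values.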

Another tip is to use LDAP, Active Directory and single sign-on to reduce the number of passwords employees need to remember. It’s easier for employees, and organizations can centrally enforce their password policies and suspend access to applications and infrastructure much more quickly.

“As with password length and aging considerations, the employee’s ability to remember their passwords is a strong predictor of how likely (or unlikely) they will be to behave in ways that are less secure,” Jaquith noted. “The fewer passwords they have to remember, the less likely they are to make mistakes or game the system.”

Another idea is to simply create – and commit to – a long, complex, crazy password from Day 1.

“I did not change my LinkedIn password until more than two weeks after LinkedIn disclosed that its password database had been hacked,” Jaquith said. That’s because he uses a password vault to generate unique, long and complex passwords for every website he joins or logs into.

“As a result, none of my website passwords are shared,” he said. “They are all unique. And they can’t be easily brute-forced. Some of my passwords are 36 characters long. If you follow a strategy like this as well, when the next big website gets knocked over, you won’t have to care either.”

In Twitter’s case, the emails to subscribers actually look like a phishing scheme, but Twitter told Mashable that users should heed them. “In instances when we believe an account may have been compromised, we reset the password and send an email letting the account owner know this has happened along with information about creating a new password. This is a routine part of our processes to protect our users,” the company said.
