May 15, 2018
Whether you use Twitter or not, you are likely to have heard about their password encryption issues that hit the news recently. Twitter recommended 300 million users change their passwords for the major social network site due to an internal error. But what is password encryption and why is it so important?
Password encryption is a way for services to store your data in a secure and confidential manner. Services could store your password in plaintext, and then when you type in your password, check it against the plaintext they store for a match. But it’s not very secure. It means your password is available to view by people who work at the company and by those who potentially breach its defenses.
Instead, services use encryption and a process called hashing. Your password is put through an algorithm, bcrypt in Twitter’s case, which transforms your password into a string of letters and numbers. It’s this new hashed password that is stored by Twitter and other services, not your plaintext password.
So ‘ILoveNY’ becomes ‘GJD45£7MD67GDE’ (or something like that). When you log into the service, you type your password in and it goes through the same encryption algorithm. Only then is it checked against the database for a match, and if entered correctly, you are logged in.
This is an industry standard way of improving password log-in security. When passwords are stored in plaintext, the risk of breaches is far higher and put bluntly, you shouldn’t use any service that doesn’t encrypt passwords.
When password encryption is done properly, the service you’re using should never see a plaintext copy of your password. That’s where the Twitter issue lay. A bug was causing a plaintext version of passwords to be logged before the encryption process was finishing.
Thankfully, there is no evidence that any harm has been caused by this error, for Twitter themselves discovered the error, reported the incident to authorities, corrected the problem, and then informed customers on a decent timeframe. It can sometimes be better in cases like this to fix the problem before revealing it to customers. A public announcement when the issue was first found might have only alerted hackers to the vulnerability and invited attacks.
The only danger is that the passwords were potentially available to insiders at Twitter for a period of time. Hence why Twitter has taken the step of recommending password changes for all users. It’s possible someone at the company who had access to the plaintext, who has no ill intentions now, might in the future. You simply never know. So even though no breach took place and the internal error was fixed, Twitter made the right decision to go public with the issue and recommend password changes.
Here at Global Data Sentinel we use only the best AES 256-bit encryption in our solutions. To us, encryption can be, and should be, used for far more than just passwords. Our secure ecosystem is built on the idea of providing that same high level of encryption to every piece of data and every file on your system. We leave nothing in plaintext, nothing open to attack, and therefore nothing to chance.
Our security ecosystem puts organizations back in control of their data and allows for complete access control to every file. Only approved users with the encryption keys can access your highly protected data. Find out more about how encryption can do a lot more than just protect your Twitter passwords – it can protect your entire organization.
Your key and files are encrypted on your device before they are ever sent to, or stored with us. We can’t even access your key or files.
May 20, 2015