How Twitter Made a Hash of Passwords
By Duane Thresher, Ph.D., May 4, 2018
Yesterday it was reported that Twitter user passwords may have
been exposed, at least to Twitter employees (which may be a
bigger security risk than you think) and to anyone who has
hacked Twitter. The descriptions of the technical aspects of
this story in the IT-incompetent media have been awful, to say
the least. Here is the best description, boiled down to its
understandable essentials, from an actual IT expert.
When you are at your computer or smartphone and want to log in
to Twitter you enter your password into the browser or app.
(Probably you have your computer or smartphone remember the
password for you but that is not important here.)
To allow you to log in, Twitter then has to compare this
password with the correct password on file with Twitter. By
"on file" I mean in a file on a Twitter hard drive. But if
this correct password is on file with Twitter that means
Twitter employees, or any Twitter hackers, can read this
password, which should not be the case. So how is this
prevented?
Hashing.
Nothing to do with the hashtags Twitter uses. Hashing is a
method to scramble the password much as encryption does, but
without needing a key, i.e., a second password, to do it, since
otherwise you would still have the same problem, only one level
higher.
Hashing changes the relatively short, variable-length password
into a long, fixed-length character string, a hash, such that it
is practically impossible to reverse the process and figure out
the password from the hash. The same password will always
produce the same hash and, in practice, no other password will
produce that hash.
Then the hash, instead of the password itself, can be saved on
file at Twitter and no one, not Twitter employee or hacker,
can figure out the password.
To see if a user-entered password is correct, Twitter need
only hash this user-entered password and compare the resulting
hash to the hash on file at Twitter. (And a user, or hacker,
can't just enter the hash instead of the password, because
whatever is entered gets hashed again before the comparison,
and the hash of the hash will not match.)
Clever, right?
Only if it is implemented correctly. And business, including
the media, and government are full of the IT incompetent,
including programmers.
First, the user-entered password must be encrypted at the
computer or smartphone before it is sent to Twitter so that
even if it is intercepted it cannot be read. This is done via
secure HTTP, i.e., HTTPS.
Once this user-entered password reaches Twitter and is
decrypted it must be hashed for comparison to the hash on
file. This is where IT incompetent Twitter made a hash of
things. (I used to use Twitter and as someone who has
programmed extensively, I can confirm that it is badly
programmed in several other ways.)
The password should never be on file. That is the whole point
of hashing. It should be hashed while it is in memory (RAM)
and then cleared from memory. Apparently though, Twitter
instead stupidly kept the password in log files that were not
immediately deleted, if ever. That is one of the stupidest
mistakes that could be made. Twitter really made a huge hash
of things.
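To make the two points above concrete, the check-by-rehashing described earlier and the log-before-hashing mistake, here is an added example that is not from the article or from Twitter. It goes one step beyond the article by using a salted, iterated hash (PBKDF2), which is how password hashes are stored in practice; the credential and log lines are constructed samples.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Salted PBKDF2 is an assumption beyond the article, which only says "hash".
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). Only these two values belong on disk, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(entered: str, salt: bytes, stored_hash: bytes) -> bool:
    """Hash what the user typed and compare it to the hash on file, in constant time."""
    _, candidate = hash_password(entered, salt)
    return hmac.compare_digest(candidate, stored_hash)


def login_logging_bug(log: List[str], entered: str, salt: bytes, stored_hash: bytes) -> bool:
    # Bug: the raw password is written to the log before it is hashed.
    log.append(f"login attempt password={entered}")
    return verify_password(entered, salt, stored_hash)


def login_fixed(log: List[str], entered: str, salt: bytes, stored_hash: bytes) -> bool:
    # Fix: hash first, log only the outcome; the password never leaves RAM.
    ok = verify_password(entered, salt, stored_hash)
    log.append(f"login attempt result={'ok' if ok else 'fail'}")
    return ok


PASSWORD_FIELD = re.compile(r"\bpassword=\S+", re.IGNORECASE)


def lines_leaking_passwords(log: List[str]) -> List[str]:
    """Defender's check: flag log lines that carry a password field at all."""
    return [line for line in log if PASSWORD_FIELD.search(line)]


if __name__ == "__main__":
    salt, h = hash_password("correct horse")  # constructed sample credential
    print(verify_password("correct horse", salt, h))  # True
    print(verify_password("wrong horse", salt, h))    # False
    print(verify_password(h.hex(), salt, h))          # False: the hash just gets hashed again
    buggy, fixed = [], []
    login_logging_bug(buggy, "correct horse", salt, h)
    login_fixed(fixed, "correct horse", salt, h)
    print(lines_leaking_passwords(buggy))  # ['login attempt password=correct horse']
    print(lines_leaking_passwords(fixed))  # []
```

Running the leak check over real application logs is the quickest way to find out whether a "hash before storing" design has been undone by a stray log statement.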
Your computer operating system probably keeps a password hash
file. In early Microsoft Windows versions the hashing was
actually relatively easily reversible and hackers would just
steal the hash file and decrypt it at their computers to get
the passwords at their leisure. Twitter's mistake was far
more stupid than that though.
The implications of Twitter's stupid mistake are huge. Since
President Trump uses Twitter a lot, it is a national security
risk. Read "Trump Using Twitter is a National Security Risk."