How Twitter Made a Hash of Passwords
By Duane Thresher, Ph.D. May 4, 2018
Yesterday it was reported that Twitter user passwords may have been exposed, at least to Twitter employees, which may be a bigger security risk than you think, and any Twitter hackers. The descriptions of the technical aspects of this story in the IT incompetent media have been awful, to say the least. Here is the best description, one boiled down to its understandable essentials, from an actual IT expert.
When you are at your computer or smartphone and want to log in to Twitter you enter your password into the browser or app. (Probably you have your computer or smartphone remember the password for you but that is not important here.)
To allow you to log in, Twitter then has to compare this password with the correct password on file with Twitter. By "on file" I mean in a file on a Twitter hard drive. But if this correct password is on file with Twitter that means Twitter employees, or any Twitter hackers, can read this password, which should not be the case. So how is this prevented?
Nothing to do with the hash tags Twitter uses. Hashing is a method to encrypt the password, but without a password to do this encryption, since otherwise you would still have the same problem, only one level higher.
Hashing changes the relatively-short variable-length password into a long fixed-length unique character string, a hash, such that it is practically impossible to reverse the process and figure out the password from the hash. The same password will always produce the same hash and no other password will produce that hash.
Then the hash, instead of the password itself, can be saved on file at Twitter and no one, not Twitter employee or hacker, can figure out the password.
To see if a user-entered password is correct, Twitter need only hash this user-entered password and compare the resulting hash to the hash on file at Twitter. (And a user, or hacker, can't just enter the hash instead of the password.)
Only if it is implemented correctly. And business, including the media, and government is full of the IT incompetent, including programmers.
First, the user-entered password must be encrypted at the computer or smartphone before it is sent to Twitter so that even if it is intercepted it can not be read. This can be done via secure http, i.e., https.
Once this user-entered password reaches Twitter and is decrypted it must be hashed for comparison to the hash on file. This is where IT incompetent Twitter made a hash of things. (I use Twitter and as someone who has programmed extensively, I can confirm that it is badly programmed in several other ways.)
The password should never be on file. That is the whole point of hashing. It should be hashed while it is in memory (RAM) and then cleared from memory. Apparently though, Twitter instead stupidly kept the password in log files that were not immediately deleted, if ever. That is one of the stupidest mistakes that could be made. Twitter really made a huge hash of things.
Your computer operating system probably keeps a password hash file. In early Microsoft Windows versions the hashing was actually relatively easily reversible and hackers would just steal the hash file and decrypt it at their computers to get the passwords at their leisure. Twitter's mistake was far more stupid than that though.
The implications of Twitter's stupid mistake are huge. Since President Trump uses Twitter a lot, it is a national security risk. Read Trump Using Twitter is a National Security Risk.