Twitter’s password bug…when are we really going to learn?

by Perry Chaffee, on Wed 16 May 2018

I’ve always said repeating the same mistake over and over while expecting different results each time is the definition of insanity; if you always do what you've done, you'll always get what you've always got.

Yet, why do top global companies still do what they’ve always done and expect different results?

At a company where an insider (who was once a “trusted administrator” – aka an oxymoron) can take over the account of the U.S. president and send out tweets which could impact stock values for companies like Amazon, changing your password is not enough. Yes, I’m alluding to Twitter and the recent password bug, which led to passwords temporarily being stored in plain text – rather than hashed, i.e. disguised as seemingly random letters and numbers by a one-way algorithm.
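As an added illustration of the class of mistake described above (example code written for this post, not Twitter's own, whose internals the post does not describe): a signup handler that writes the whole request to a log before hashing leaks the password in plain text, while the corrected handler redacts the request before logging and keeps only a salted hash. Field names, function names and the sample request are assumptions of the example.

```python
"""
Added example: the "plaintext before hashing" defect beside its fix.
Not Twitter's code; the request shape and field names are assumed.
"""
import hashlib
import hmac
import json
import os

# Request fields that must never reach a log line (assumed names).
SENSITIVE_FIELDS = {"password", "new_password", "old_password"}
PBKDF2_ROUNDS = 100_000  # standard-library-only choice; scrypt/argon2 would be preferable


def redact(event: dict) -> dict:
    """Return a copy of a request dict with sensitive fields masked."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in event.items()}


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Salted PBKDF2-SHA256 record; only this record is stored, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def store_password_unsafe(request: dict, log: list, users: dict) -> None:
    """Defective pattern: the raw request is logged before the hash is computed."""
    log.append("signup request: " + json.dumps(request))  # plaintext leaks here
    users[request["username"]] = hash_password(request["password"])


def store_password(request: dict, log: list, users: dict) -> None:
    """Corrected pattern: log only the redacted request; store only the hash."""
    log.append("signup request: " + json.dumps(redact(request)))
    users[request["username"]] = hash_password(request["password"])


def log_leaks_secret(log: list, secret: str) -> bool:
    """Audit check a defender can run over log output: is the secret present verbatim?"""
    return any(secret in line for line in log)


def demo() -> dict:
    """Run both handlers on a constructed request and report what each leaks."""
    request = {"username": "alice", "password": "correct horse battery staple"}  # constructed
    unsafe_log, unsafe_users = [], {}
    safe_log, safe_users = [], {}
    store_password_unsafe(request, unsafe_log, unsafe_users)
    store_password(request, safe_log, safe_users)
    record = safe_users["alice"]
    return {
        "unsafe_log_leaks": log_leaks_secret(unsafe_log, request["password"]),
        "safe_log_leaks": log_leaks_secret(safe_log, request["password"]),
        "plaintext_in_store": request["password"] in json.dumps(safe_users),
        "verify_ok": verify_password(request["password"], record),
        "verify_wrong": verify_password("not the password", record),
    }


if __name__ == "__main__":
    print(demo())
```

The audit helper is the part worth keeping: a scan of log output for a freshly submitted credential is a cheap regression test that catches exactly this category of defect before it ships.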

Twitter (and other companies) might like to call this mistake a glitch and externalize the impact by telling users to update their passwords, but this merely allows companies like Twitter to shirk their responsibility to fix the root of the problem.

These platforms should be eliminating passwords, the leading cause of data breaches and identity theft, by replacing them with right-factor authentication and implementing features like client-side encryption, which offers zero-knowledge capabilities for users and can stop insiders from abusing their power.

For example, Edward Snowden was deemed trustworthy after undergoing extensive security clearance background investigations (which on average can cost about $15,000) and then worked in highly controlled facilities. Despite this, he was still able to steal and leak information which is, relatively speaking, infinitely more sensitive than any "private" data the average person "possesses." You can assume the average company doesn't even conduct $15,000 background investigations on new hires. They might trust their admin right now, but only because they haven't discovered a reason not to.

Trust, in this sense, shouldn't be necessary. Technology should be designed to eliminate this need for trust, to completely prevent opportunity for insider abuse. Any website or service you are using which isn't a zero-knowledge system has the risk of being abused to hurt you.

Companies might say that they have a zero-tolerance policy toward this kind of behavior, but they can't stop what they don't know about, and apologizing for things which should never have happened doesn't undo them.

Using features like client-side encryption and right-factor authentication eliminates the need to trust organizations like Facebook or Twitter to police themselves, prevent insider abuse, etc. If they chose to offer zero-knowledge capability, these organizations wouldn't have access to user data in any way that could potentially compromise their users. Additionally, Facebook, Twitter, Google and others have based core elements of their revenue model on harvesting as much of our "private" data as possible and basically selling it to unknown third parties.

It’s irresponsible for companies like Twitter to continue to say they’ll protect their users’ accounts with the illusion of security that passwords provide, insane to think that password changes or stronger passwords are the solution, and totally dishonest to pretend end users aren't the deliberate victims of terrible business decisions.

So, when will Twitter and these other companies learn? Maybe in the next “glitch” or breach that comes their way.

In the meantime, learn how you can do right by your customers and move beyond usernames and passwords to better methods of authentication in this e-book, “Passwords: The real threat to your security.”