• Twitter bug exposed passwords in an internal log, change password recommended
https://twitter.com/TwitterSupport/status/992132808192634881
I'm not a cybersecurity expert, but how does something like this "accidentally" happen? I should be using 2FA, but with all the shite that's been happening lately I really don't trust them with my phone number.
Oh no, garry made us log in with other sites, now our passwords are fucked again.
I can think of a dozen ways this could accidentally happen. The most obvious one is where a developer logged all account information on registration or login and made the false assumption that the password wouldn't be in the data logged. Either way, their testing of this logging function was insufficient or non-existent.
That or "no one will ever look in here/see this". Whoops.
Better yet: delete your twitter altogether. It's just as awful as facebook when it comes to privacy.
To be fair, I've worked with error logging frameworks where the whole HTTP request would be logged in the event of an issue by default. You had to add rules to blacklist data or disable that feature.
Yeah this is unfortunately an incredibly believable thing to happen if you aren't doing your due diligence, which is super easy to do.
Twitter infringes your privacy just about as much as facepunch does. Or any forum. It's 2 boxes where you either start saying some dumb shit, or reply to some other dumb shit.
Literally just don't link your real identity to info you post online that you want to be "private".
How will I log into facepunch if I delete both?
No, Twitter implements significant user tracking and data collection; facepunch for the most part doesn't.
Of course, due to garry's choices, if you want to actually use facepunch you need to use a service that does those things.
You'd have to be really naive to actually believe this.
That isn't a problem in itself, you can just register an account and not use it for anything else other than logging in to facepunch.
I'd trust a service like Twitter, Facebook or Google before I trust garry to do anything regarding security, which I can justify by the fact that those services hire more than a dozen engineers trained to make authentication secure. Although, as shown now, every human makes mistakes, no matter how skilled.
It's not as hard as you think to securely store passwords. Use https so they're encrypted while being sent by the client to the server. Generate a random salt for the password (this can be stored). Add the salt to the password and hash it using a modern algo. Don't store or log the unhashed password anywhere ever; only store the hash. Tada. Even if a hacker manages to gain access to the unencrypted database, he hasn't really gained anything useful. If you want to go the extra mile, pepper the password as well.
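The storage recipe in the post above (random per-user salt, modern hash, never store the plaintext, optional pepper), written out as an added example that is not code from the thread or from Twitter. The choice of scrypt and its cost parameters, the record format and the environment variable holding the pepper are this example's assumptions; the default pepper string exists only so the file runs stand-alone and must not be used in production.

```python
import hashlib
import hmac
import os
import secrets

# Assumed cost parameters for this example: 128*r*N bytes of memory (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32
# The pepper is a server-side secret kept OUT of the database (env var, KMS, config).
# The fallback value is a placeholder for this example only.
PEPPER = os.environ.get("PASSWORD_PEPPER", "example-pepper-do-not-ship").encode()


def _prehash(password: str) -> bytes:
    """Pepper the password with HMAC so a stolen DB dump is useless without the pepper."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def _derive(password: str, salt: bytes, n: int = SCRYPT_N, r: int = SCRYPT_R,
            p: int = SCRYPT_P) -> bytes:
    """Memory-hard KDF over the peppered password and a per-user random salt."""
    return hashlib.scrypt(_prehash(password), salt=salt, n=n, r=r, p=p, dklen=DKLEN)


def hash_password(password: str) -> str:
    """Return the only thing that goes in the database: a self-describing record.

    Format (assumed for this example): scrypt$N$r$p$salt_hex$hash_hex.
    Storing the parameters lets you raise the cost later without breaking old rows.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = _derive(password, salt)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Constant-time check of a candidate password; malformed records never verify."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        got = _derive(password, salt, int(n), int(r), int(p))
    except ValueError:  # bad hex, wrong field count, invalid scrypt parameters
        return False
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec),
          verify_password("wrong", rec))
```

Two properties worth checking in your own code: hashing the same password twice yields two different records (the salt is random), and the record never contains the password, so a log line that accidentally prints the record is not a password leak. Transport still needs HTTPS; this only covers storage.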
I'm sorry I wasn't clear enough, let me elaborate: I trust Twitter, Google and Facebook more to have proper procedures and testing pipelines in place to prevent mistakes like logging in plain text from happening. As a software developer I know that in theory security is not a hard thing. As a software developer I also know that people make mistakes, a lot, and that if everyone were to do their job perfectly we wouldn't need pen testing.
Fair enough, though given the multitude of examples of large companies fucking such things up, I'd honestly sooner trust Garry
No problem man, and to extend that, the fact that garry runs a relatively smaller company and is therefore a smaller target mostly counters my initial thought. To further the discussion a bit though, the list you posted on what to do safely with passwords shows a missing item, which imo illustrates the ease with which mistakes are made. If, by following all your rules, I send a login form by a GET request..... You see where I'm going with this.
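Both leak paths raised in this thread, the error-logging framework that dumps the whole request by default and the GET login form whose password lands in the access log's URL, can be caught with one log-scrubbing filter. The following is an added example, not Twitter's or Facepunch's code; the request, the access-log line and the list of sensitive field names are constructed for the demo, and the two regexes cover only `key=value` and JSON-style `"key": "value"` shapes, so extend them for whatever your framework actually serialises.

```python
import io
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of secret field names for this example; extend for your application.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "secret", "authorization", "cookie"}
REDACTED = "[REDACTED]"

# "password=hunter2" inside a query string or form-encoded body
_KV_RE = re.compile(r"(?i)\b(password|passwd|pwd|token|secret)=([^&\s\"']*)")
# "password": "hunter2" inside a JSON dump of the request
_JSON_RE = re.compile(r"(?i)(\"(?:password|passwd|pwd|token|secret)\"\s*:\s*)\"[^\"]*\"")


def redact_text(text: str) -> str:
    """Mask secret values embedded in free text (URLs, form bodies, JSON)."""
    text = _KV_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", text)
    return _JSON_RE.sub(lambda m: f'{m.group(1)}"{REDACTED}"', text)


def redact_mapping(obj):
    """Recursively copy a dict/list/tuple, masking values stored under sensitive keys."""
    if isinstance(obj, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact_mapping(v))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact_mapping(v) for v in obj)
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def redact_url(url: str) -> str:
    """Scrub sensitive query parameters (the GET-login case) before a URL is logged."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="[]")))


class RedactingFilter(logging.Filter):
    """Scrub every LogRecord before any handler formats or ships it.

    Handles structured objects passed as logging arguments (the "log the whole
    request" default) and secrets embedded in message text (an access-log line).
    """

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, dict):          # logger.error("...%s", {dict}) case
            record.args = redact_mapping(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact_mapping(a) for a in record.args)
        record.msg = redact_text(str(record.msg))
        return True


# Constructed sample input, not real traffic.
CONSTRUCTED_REQUEST = {
    "method": "POST", "path": "/login",
    "form": {"username": "alice", "password": "hunter2"},
    "headers": {"Authorization": "Bearer tok_abc123", "User-Agent": "curl/8.0"},
}
CONSTRUCTED_ACCESS_LINE = "GET /login?user=alice&password=hunter2 HTTP/1.1 200"


def capture_login_failure(request, access_line: str, redact: bool) -> str:
    """Log a failed login the way a dump-everything handler would; return the log text."""
    sink = io.StringIO()
    logger = logging.getLogger(f"example.auth.{'safe' if redact else 'naive'}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redact:
        logger.addFilter(RedactingFilter())
    logger.error("login failed, request=%s", request)   # the classic mistake
    logger.info("%s", access_line)                       # GET form: password in the URL
    return sink.getvalue()


if __name__ == "__main__":
    print(capture_login_failure(CONSTRUCTED_REQUEST, CONSTRUCTED_ACCESS_LINE, redact=False))
    print(capture_login_failure(CONSTRUCTED_REQUEST, CONSTRUCTED_ACCESS_LINE, redact=True))
```

Running it prints the naive output with `hunter2` and the bearer token in clear, then the filtered output with both replaced. The filter is attached to the logger rather than a single handler so every sink (file, syslog, crash reporter) sees the scrubbed record; a blacklist like this is a safety net, not a substitute for not passing the request object to the logger in the first place.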
I'd wager this happens in practice a lot more frequently and these are just some of the few cases where a company publicly owns up to it.
Look forward to a future where passwords aren't used and instead a biometric scan, such as a fingerprint, is used, only accessible via smartphones or keyboards, which will all feature them in the future.
Afaik most password breaches come from smaller sources and are usually not noticed. The forum being on its own software now probably makes that risk smaller, but it's using services that are still potential attack vectors.
Fingerprints are significantly less secure than strong passwords. Consumer-grade biometrics are a joke for security.
Fingerprints are stronger than no passwords.
...yes? Of course a small amount of shit security is better than nothing?
So, your fingerprint gets compromised once and every account you've created is now wide open? Sounds like poor security to me.
A fingerprint scan, for the purposes of encrypting and storing it, isn't really all that much different from handling normal ass passwords; it more or less just gets treated like arbitrary data. You don't really gain an awful lot of extra security, and as Matoking already mentioned, you've only really got one set of fingers. Not to mention that you can very easily be made to involuntarily give up your password by force. Traditional passwords are pretty much about as good as they can get if they are properly done. The only other thing I could think of as an alternative is using public key cryptography as an authentication method, but I'm not suuuper educated about that topic, so maybe there's some obvious reason why we aren't using that yet, because it could easily get rid of having to trust companies with keeping your password secure.
I’m in an IT security class so this will be fun to bring up next class. Making sure you don’t log sensitive data is security basics 101
The problem with public key cryptography is securing your private key, iirc.