Odds are good that you’ve already heard about the latest hack against Twitter. If you haven’t yet, the important thing to know is that attackers managed to steal information from about 250,000 accounts.
Twitter says that the information taken was “limited,” containing only “usernames, email addresses, session tokens and encrypted/salted versions of passwords.” They go on to say that they’ve already reset the passwords of the affected accounts – so if you’re affected, you should have been notified already (I got my notice on Saturday).
You might wonder though: What does this all mean? And what should you do about it?
While Twitter is being upfront about what’s been stolen, there’s a risk that people will see “limited,” conclude there’s nothing to worry about, and do nothing. That would be a mistake. When we look at the information that was stolen, there are real risks to your other accounts if you reuse or recycle passwords across multiple sites.
The combination of information that was taken could potentially enable attackers to get control of your other accounts. If you’ve gotten the notice from Twitter and reset your password, you’re not done yet. You should go ahead and reset your password for any other site that you’ve used the same password on. Preferably, change each password to something unique to avoid this risk in the future.
But instead of just changing passwords, I’d argue it’s time to do something else and look at a password manager.
While we’ve said for years that recycling passwords can be risky, the alternative of managing many passwords has been pretty daunting and so many people do recycle passwords. In the past, you could recycle passwords and not have anything bad happen. Sites used to do a better job of protecting their users’ accounts.
However, the past year has shown that the criminals are getting the upper hand and are able to easily get information on millions and millions of accounts. In the past year, we’ve seen account information stolen from established sites like LinkedIn, Last.fm, Formspring, and Yahoo. Every time this has happened, anyone whose information was stolen has been at risk if they recycle passwords.
Unfortunately, this trend looks likely to get worse before it gets better. And that means while you may have been able to recycle passwords and be OK in the past, your time is running out. Sooner or later you’re going to have your information for an account with a recycled password stolen (if it hasn’t already happened).
And this is why it’s time to consider a password manager. A password manager is the best way to actually use unique passwords for each site; it does the work of storing and securing passwords for you. It also makes it possible for you to use really strong passwords that you couldn’t otherwise remember.
I’ve managed my own passwords for years with no problems. But I can honestly say that I’m at the point now where I feel I need the extra security that a password manager gives. So I’m going ahead and using one now.
Trend Micro has a password manager called Direct Pass and there are others out there as well. Regardless of what you use, though, I think it’s time we all seriously look into using a password manager.
I work for Trend Micro and the opinions expressed here are my own.