Last month, I saw this post on LifeHacker and, like the lazy blogger I am, didn’t get around until now to commenting on it. The short of it is that because some Twitter users used the same password on multiple sites, an unscrupulous individual was able to take usernames/passwords collected from a fake BitTorrent web site and try them on Twitter to see if they worked. Unsurprisingly, many username/password combinations did.
The full explanation from the Twitter Blog:
It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own. However, these sites came with a little extra – security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up. Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information. This information was then used to attempt to gain access to third party sites like Twitter.
It’s absolutely critical that people use, at the very least, a different password for each site they visit, especially if the credibility of the site is in question (i.e. if the site was for warez or even for torrents, as in this example). A better practice is to have a strong, different password for each site. Sometimes this is hard because each site has a different “rule set” for its passwords. Some sites may require at least 2 symbols and 1 capital letter, or some variation of that, and things can get complicated and confusing very quickly.
I’m sure you’re thinking, “but Rachel, how am I supposed to remember all those stupid passwords? I’m not a computer!”
And then I say, “no problem, bucko, that’s where password managers come in!”
In an earlier post this week I was detailing a bug I had with 1Password. Well, that’s a password manager!
What’s a password manager?
A password manager is an application or service that uses a master password to encrypt a database of username/password combinations for web sites, services or other applications. On a Mac, it’s like Apple’s Keychain. You type in your password whenever you log in to your Mac and magically all the passwords you saved in that Keychain are available to your applications, so you don’t need to type them in all the time.
My favorite password manager is 1Password, but practically all password managers have similar functionality. Password managers serve multiple purposes, but I think the most important are:
- Ability to create a strong password for different sites. Most password managers have the function to generate a password for you so you don’t have to come up with a strong password on your own.
- Create a password and then never enter it in manually again. Plugins for web browsers like Firefox and Safari make it so easy to click a button, enter your master password, and bang! You’re logged in. You’ll never have to remember an obscure password again. Of course, if you’re nowhere near your password manager and need that obscure password to log on to a site while at a public computer you’re a little screwed unless you have your password database automatically set up to sync with a service like Dropbox (and then you’re all set!)
- A central, encrypted place for all your passwords. “Back in the day…” I remember I used to keep all my usernames/passwords on pieces of paper and up until recently my mother was keeping them on index cards on a Rolodex. If you’re a sloppy pig and don’t know how to organize that stuff, you may end up misplacing that password and then you’re screwed. With
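As an added illustration (not code from this post or from 1Password), here is a small Python sketch of the two jobs a manager does that the post calls out: generating a password that meets a site’s own rule set, and flagging passwords reused across sites in a vault. The vault contents below are constructed sample data, standing in for a manager’s decrypted database.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass
class SitePolicy:
    """A site's password rule set, e.g. '2 symbols and 1 capital letter'."""
    length: int = 20
    min_upper: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    symbols: str = "!@#$%^&*()-_=+"


def generate_password(policy: SitePolicy) -> str:
    """Build a random password that satisfies the policy using the OS CSPRNG."""
    if policy.min_upper + policy.min_digits + policy.min_symbols > policy.length:
        raise ValueError("policy minimums exceed the allowed length")
    # Satisfy each required character class first, then fill the rest freely.
    chars = [secrets.choice(string.ascii_uppercase) for _ in range(policy.min_upper)]
    chars += [secrets.choice(string.digits) for _ in range(policy.min_digits)]
    chars += [secrets.choice(policy.symbols) for _ in range(policy.min_symbols)]
    alphabet = string.ascii_letters + string.digits + policy.symbols
    chars += [secrets.choice(alphabet) for _ in range(policy.length - len(chars))]
    # Shuffle so the required classes do not always sit in the same positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def satisfies(password: str, policy: SitePolicy) -> bool:
    """Check a password against a site's rule set."""
    return (
        len(password) >= policy.length
        and sum(c.isupper() for c in password) >= policy.min_upper
        and sum(c.isdigit() for c in password) >= policy.min_digits
        and sum(c in policy.symbols for c in password) >= policy.min_symbols
    )


def reused_passwords(vault: dict) -> dict:
    """Map each password shared by more than one site to the sites using it.

    vault is {site: (username, password)} from the decrypted database."""
    by_password: dict = {}
    for site, (_user, password) in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault: the torrent-site/Twitter reuse the post describes.
SAMPLE_VAULT = {
    "twitter": ("rachel", "hunter2"),
    "torrent-site": ("rachel", "hunter2"),
    "bank": ("rachel", generate_password(SitePolicy(min_symbols=2))),
}
```

Running `reused_passwords(SAMPLE_VAULT)` flags `hunter2` as shared by `twitter` and `torrent-site`, which is exactly the condition that let the stolen torrent-site logins work on Twitter.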