Twitter’s CTO announced in a blog post yesterday that the company had discovered a bug in the way its systems handled users' passwords, which resulted in passwords for up to 330 million accounts being written to an internal log in plaintext.

Before we get into what this means, it’s important to note two things:

  1. According to Twitter there is no evidence indicating unauthorized access of these passwords. The blog post states: "We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone."
  2. Despite this assurance, Twitter is suggesting that all users change their passwords "out of an abundance of caution." Needless to say, we at @_NuID strongly recommend the same.

The blog post goes on to explain that although Twitter uses an industry best-practice hashing algorithm to protect stored passwords, the bug caused the plaintext, or unhashed, passwords to be written to a separate internal file before they were hashed and stored in the password database. That file sat outside the protections applied to the password store, leaving millions of passwords unprotected and vulnerable to compromise.

The announcement is a reminder that even companies with top security practices (not everyone uses a strong hashing algorithm, or even hashes passwords at all!) are susceptible to the structural vulnerabilities of centralized authentication. When companies centrally manage and store millions of passwords, they create a valuable target for attackers and a single point of failure.

Unfortunately, centralization is still a problem even when there isn’t a bug in the hashing process. Criminals routinely steal hashed password databases and run GPU-accelerated cracking tools against them offline, guessing candidate passwords until the hashes match. A slow, salted hash raises the cost of each guess, but it doesn’t save a weak or reused password, and it doesn’t address the underlying problem of storing all those private credentials in one place.
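To make both failure modes concrete, here is an added example written for this page (it is not Twitter's or NuID's code; the login request, user name and wordlist are constructed for the demonstration). It shows the logging pattern behind a bug like the one described above beside a redacting version, a salted, slow password store built only on the Python standard library, and the offline dictionary attack a criminal runs against a stolen hash.

```python
"""Added example: plaintext-in-log bug vs. redaction, salted slow hashing,
and the offline dictionary attack that hashing alone does not stop.
Not code from the original post; all inputs below are constructed."""
import hashlib
import hmac
import secrets

# A constructed login request, as a login handler would see it.
LOGIN_REQUEST = {"user": "alice", "password": "hunter2", "ip": "203.0.113.7"}
SENSITIVE_FIELDS = {"password", "token", "secret"}

# Constructed wordlist standing in for the lists real cracking tools use.
WORDLIST = ["123456", "password", "qwerty", "hunter2", "letmein"]


def buggy_log_line(record):
    """The bug pattern: the whole request is serialised to an internal log
    *before* the password is hashed, so the plaintext ends up in a file that
    is not protected like the password database."""
    return "login " + " ".join(f"{k}={v}" for k, v in record.items())


def safe_log_line(record):
    """Redact credential fields before anything reaches a log sink."""
    return "login " + " ".join(
        f"{k}={'[REDACTED]' if k in SENSITIVE_FIELDS else v}"
        for k, v in record.items()
    )


def hash_password(password, salt=None, iterations=100_000):
    """Salted, deliberately slow KDF (PBKDF2-HMAC-SHA256 from the stdlib).
    Returns (salt, digest); only these two values are persisted and the
    plaintext is dropped. Real deployments should prefer bcrypt, scrypt or
    Argon2 with current cost parameters."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=100_000):
    """Constant-time comparison of the recomputed digest with the stored one."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def offline_dictionary_attack(salt, digest, wordlist, iterations=100_000):
    """What a criminal does with a stolen (salt, digest) pair: guess offline.
    Returns (recovered_password_or_None, guesses_tried). The KDF makes every
    guess expensive; it does nothing for a password that is in the wordlist."""
    for tried, guess in enumerate(wordlist, 1):
        if verify_password(guess, salt, digest, iterations):
            return guess, tried
    return None, len(wordlist)


if __name__ == "__main__":
    print(buggy_log_line(LOGIN_REQUEST))   # plaintext password lands in the log
    print(safe_log_line(LOGIN_REQUEST))    # redacted before the sink
    salt, digest = hash_password(LOGIN_REQUEST["password"])
    print(offline_dictionary_attack(salt, digest, WORDLIST))
```

Running it, the first printed line contains the plaintext password and the second does not; the attack still recovers hunter2 on the fourth guess despite the random salt and 100,000 PBKDF2 iterations. That is the point of the paragraph above: hashing raises the cost per guess, but a weak password in a stolen database still falls, and only the redaction step addresses the logging bug. Route every log line through that step before it reaches any sink, not just the ones you expect to carry credentials.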

Decentralized authentication solves this problem by eliminating the need for businesses to store passwords or other private authentication data. Using a cryptographic method known as zero-knowledge proofs, NuID enables users to prove they know their passwords without revealing them to the verifying server. Passwords are never sent to the company’s servers, and no authentication data useful to an attacker is stored anywhere.
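The following added example shows what "prove you know the password without revealing it" looks like on the wire. It is an illustrative Schnorr-style interactive proof of knowledge over a well-known MODP group, written for this page; it is not NuID's protocol and not code from the original post, and the enrollment flow, message names and KDF parameters are assumptions made here.

```python
"""Added example: Schnorr-style zero-knowledge proof of knowledge of a
password-derived secret. Illustrative only; not NuID's protocol."""
import hashlib
import secrets

# RFC 2409 group 2 (1024-bit MODP) safe prime p = 2q + 1, used because it is a
# widely reproduced constant. 1024 bits is too small for production use.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
Q = (P - 1) // 2          # prime order of the subgroup we work in
G = 4                     # 2^2 is a quadratic residue, so its order is exactly Q
assert pow(G, Q, P) == 1  # sanity check on the group parameters


def derive_secret(password, salt, iterations=100_000):
    """Client side only: turn the password into the exponent x. Never sent."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return int.from_bytes(raw, "big") % Q


def enroll(password):
    """Assumed registration flow: the server receives only (salt, y = g^x)."""
    salt = secrets.token_bytes(16)
    x = derive_secret(password, salt)
    return {"salt": salt, "y": pow(G, x, P)}


class Prover:
    """The user's client. Holds x only for the duration of one login."""

    def __init__(self, password, salt):
        self._x = derive_secret(password, salt)
        self._r = None

    def commit(self):
        self._r = secrets.randbelow(Q)
        return pow(G, self._r, P)                    # message 1: t = g^r

    def respond(self, challenge):
        return (self._r + challenge * self._x) % Q   # message 3: s = r + c*x mod q


class Verifier:
    """The server. Knows only y; never sees the password or x."""

    def __init__(self, y):
        self._y = y
        self._c = None

    def challenge(self):
        self._c = secrets.randbelow(Q)               # message 2: random c
        return self._c

    def check(self, t, s):
        # g^s == t * y^c  <=>  g^(r + c*x) == g^r * (g^x)^c
        return pow(G, s, P) == (t * pow(self._y, self._c, P)) % P


def login(password, record):
    """Run the three-message exchange: commit -> challenge -> response."""
    prover, verifier = Prover(password, record["salt"]), Verifier(record["y"])
    t = prover.commit()
    c = verifier.challenge()
    s = prover.respond(c)
    return verifier.check(t, s)


def simulated_transcript(y):
    """Why the verifier learns nothing: anyone holding only y can forge an
    accepting (t, c, s) by picking c and s first and solving for t."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    y_c_inv = pow(pow(y, c, P), P - 2, P)            # y^-c via Fermat
    t = (pow(G, s, P) * y_c_inv) % P                 # t = g^s * y^-c
    return t, c, s


def transcript_verifies(y, t, c, s):
    """Stateless form of Verifier.check for inspecting transcripts."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P
```

Two points are worth noticing. The simulated_transcript function is the zero-knowledge property made visible: a party holding only y can produce accepting transcripts without knowing x, so the verifier, or anyone who later steals its logs, learns nothing from a real login that it could not have fabricated itself. The second is a caveat about this particular construction rather than about the approach in general: y = g^x is a deterministic function of the password and salt, so a stolen y can still be attacked by offline guessing exactly like a stolen hash. To get the "nothing useful is stored" property in practice, the client-side secret has to be high-entropy, or the design has to avoid storing any password-derived public value; a slow KDF only raises the cost per guess. For real use, replace the 1024-bit group with a 2048-bit or larger MODP group, or an elliptic-curve group.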

This model protects the privacy of users by giving them ownership of their login credentials, and it removes the risk businesses face of encountering a security weakness like the one Twitter announced yesterday or, worse, suffering one of the more than 1,500 data breaches reported each year.

Although it’s easy to blame companies like Twitter every time there’s a password-related incident, the problem lies less with individual companies and more with the architectural vulnerabilities of centralized authentication. Ending large-scale password breaches will require a new model of authentication and data ownership.