Google Apps Twitter Hack Raises Red Flags on Password Security
One might presume that technology companies do a better job with such mundane tasks as password security than the great unwashed masses. However, time and time again, this turns out not to be correct. Yesterday, Twitter co-founder Biz Stone, posting in the company’s blog, revealed that a hacker had broken into an employee’s personal e-mail account and then gained access to that employee’s Google Apps account, which contained “notes, spreadsheets, ideas, financial details” – well, you get the picture.
Although Stone is careful to say that this has nothing to do with any vulnerability in Google Apps itself, the fact that a Google Apps account can be opened from any browser on the Internet by anyone holding the correct user name and password does widen a company’s exposure: a single stolen credential is the entire attack, and the personal mailbox became the key to the corporate account, whether through a password reused in both places or through the account-recovery mail that such a mailbox receives. Companies that keep their confidential information behind a corporate firewall, in systems such as Lotus Notes or Microsoft SharePoint, are less exposed on that particular front, not because those products are inherently more secure, but because an attacker must first reach the internal network (or the VPN guarding it) before a user name and password are of any use.
Multiple studies have found that close to half of computer users reuse the same password over and over again, typically paired with the same easy-to-remember user name. Indeed, TechCrunch, a blog that received Twitter’s confidential documents from the hacker, reported that Twitter used the password “password” for its servers (presumably it has been changed by now). The same article revealed that Twitter had also used a co-founder’s first name, Jack, as a user name for servers; a user name that anyone who reads the company’s “About” page can guess is half of the credential handed to the attacker for free.
Moral of the story: use long passwords, with numbers and symbols interspersed if the system demands them, and never a word found in a dictionary, with or without digits tacked on the end (“password123” is not meaningfully harder to guess than “password”). Even better: use passphrases, i.e. several concatenated words such as “thisismypassphrase123”. One caveat a practitioner would add: the strength of a passphrase comes from the number of words and from their being chosen at random, not from stringing a sentence together. A natural phrase like “this is my passphrase” is exactly the kind an attacker tries early; five or six unrelated words picked from a word list are both easier to remember and far harder to guess. Use a different password for each account, so that if one account is hacked the damage stops there rather than cascading from a personal mailbox into the corporate systems it unlocks; a password manager is the practical way to keep dozens of unique ones. Finally, do not leave passwords visibly written down. Believe it or not, I still see Post-It notes with passwords attached to monitors when visiting other companies.
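The advice above can be turned into checks that run before a password is accepted. The following is an added example, not code from the original article, Twitter or Google: it flags common and dictionary-based passwords (including the “dictionary word plus digits” pattern), counts the words in a concatenated passphrase and scores it per word rather than per character, generates a random word-list passphrase, and detects a password being reused across accounts without ever storing the passwords themselves. The word list, the common-password list and the 7776-word list size used for entropy are small constructed stand-ins (assumptions); a real deployment would load a full dictionary and a breached-password list.

```python
"""Password hygiene checks: common/dictionary detection, entropy estimate,
random passphrase generation and cross-account reuse detection.

Added example; the word lists below are tiny constructed stand-ins for a real
dictionary and a real diceware list (assumption, not from the article).
"""
import hashlib
import hmac
import math
import os
import secrets

# Constructed stand-in for a dictionary (assumption). A real check would load
# /usr/share/dict/words or a diceware list of ~7776 words.
DICTIONARY = {
    "this", "is", "my", "passphrase", "password", "jack", "twitter", "server",
    "admin", "correct", "horse", "battery", "staple", "velvet", "orbit",
    "cactus", "lantern", "marble", "pepper", "tundra",
}
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}
ASSUMED_WORDLIST_SIZE = 7776   # diceware list size assumed for per-word entropy
MIN_PASSPHRASE_WORDS = 5
MIN_ENTROPY_BITS = 60
PBKDF2_ROUNDS = 100_000


def _alpha_core(pw: str) -> str:
    """Strip digits and symbols so 'Password123!' is judged as 'password'."""
    return "".join(ch for ch in pw.lower() if ch.isalpha())


def segment_words(text: str, words=DICTIONARY):
    """Word-break dynamic programme: split text into the fewest dictionary
    words, or return None if no complete segmentation exists."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for i in range(1, len(text) + 1):
        for j in range(i):
            if best[j] is not None and text[j:i] in words:
                cand = best[j] + [text[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(text)]


def charset_entropy_bits(pw: str) -> float:
    """Upper bound: every character drawn uniformly from the classes present."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def estimate_entropy_bits(pw: str) -> float:
    """A passphrase made of list words is scored per word, not per character:
    an attacker enumerating word combinations ignores how long each word is.
    The estimate assumes the words were picked at random."""
    words = segment_words(_alpha_core(pw))
    if words:
        bits = len(words) * math.log2(ASSUMED_WORDLIST_SIZE)
        return bits + charset_entropy_bits("".join(c for c in pw if not c.isalpha()))
    return charset_entropy_bits(pw)


def generate_passphrase(n_words: int = 6, words=sorted(DICTIONARY), sep: str = "-") -> str:
    """Random words from the list, joined; use a CSPRNG, never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


class PasswordVault:
    """Per-account salted PBKDF2 digests. The only question it answers is
    'is this password already protecting another account?'; no plaintext kept."""

    def __init__(self):
        self._entries = {}          # account -> (salt, digest)

    @staticmethod
    def _digest(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

    def reused_by(self, pw: str):
        """Accounts whose stored digest matches this password."""
        return [acct for acct, (salt, dg) in self._entries.items()
                if hmac.compare_digest(self._digest(pw, salt), dg)]

    def register(self, account: str, pw: str) -> None:
        """Store the password for account; refuse if it is used elsewhere."""
        clash = [a for a in self.reused_by(pw) if a != account]
        if clash:
            raise ValueError(f"password for {account} already used by {clash}")
        salt = os.urandom(16)
        self._entries[account] = (salt, self._digest(pw, salt))


def check_password(pw: str, vault: PasswordVault = None, account: str = None):
    """Return a list of findings; an empty list means the password passed."""
    findings = []
    core = _alpha_core(pw)
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        findings.append("common password")
    elif core in DICTIONARY:
        findings.append("single dictionary word (digits/symbols around it do not help)")
    words = segment_words(core)
    if words and 2 <= len(words) < MIN_PASSPHRASE_WORDS:
        findings.append(f"passphrase of only {len(words)} dictionary words; "
                        f"use {MIN_PASSPHRASE_WORDS}+ randomly chosen words")
    if estimate_entropy_bits(pw) < MIN_ENTROPY_BITS:
        findings.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    if vault is not None:
        others = [a for a in vault.reused_by(pw) if a != account]
        if others:
            findings.append(f"already used for {others}")
    return findings
```

Running `check_password("Password123!")` reports it as a common password despite the capital, digits and symbol, and `check_password("thisismypassphrase123")` passes the entropy bar only because the estimate assumes random word choice, which is why the word-count finding is reported alongside it. The vault check is what would have stopped the pattern in the story: registering the same password for a personal mailbox and for a Google Apps account raises `ValueError`.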