The news that Spotify has been hacked shows once again that your data is not always safe, even if you trust the company that holds it for you.
Most users know that they should use a different password for each service. But from personal experience I know that we don't always do what is right: most people use the same password for all their services.
The danger of using the same password:
Most web developers know that a password should never be stored in plain text, but sometimes that just isn't possible. Take Twitter, or any company with a popular open API.
While Twitter (hopefully) stores only a hash of its users' passwords, it is the Twitter ecosystem (the hundreds of services built around Twitter) that you should be worried about. Because Twitter does not use a safe delegated authentication method (like OAuth) for its API, these services need your username and password to query the Twitter API, so they must keep them in recoverable form: plain text, or at best reversibly encrypted, but never a hash.
If you are a passionate Twitter user you probably use a lot of external Twitter apps. The result is hundreds of places where your Twitter password can be stolen.
Because it is so easy to build a service around Twitter, and many of them have been built in less than a day or a week, you can imagine that security is not the highest priority for these projects.
A hacker could probably break into one of these Twitter services more easily than into Twitter itself. What he or she would find is your Twitter username and password, and in some cases your email address as well. Obviously the hacker could abuse your Twitter account, change your password, sell your credentials, stalk your followers and more.
Given that many people use the same username/password combination for many different online services, the hacker could also try to log into other web services such as Gmail, Flickr, Google Docs and Yahoo.
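As an added illustration (my own code, not from the original post), the Python sketch below shows the contrast drawn above: a service that only needs to check your password can store a salted PBKDF2 hash, while a third-party Twitter client that must present your password to Twitter's API (sent as an HTTP Basic authentication header, which is my assumption of how that was done) has to keep the real password, and a dump of such a client's database can be replayed against any other service where the same password was reused. All account names, passwords and the "leaked" database are constructed for the example; the hashed webmail service is hypothetical.

```python
"""Added example, not code from the original post: hashing vs. keeping a
password, and what a breach of the weakest third-party client lets an attacker
do everywhere the same password was reused.  All accounts, passwords and the
'leaked' database below are constructed for this illustration."""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumption: work factor chosen for the example; raise it on real hardware.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """A first-party service that only needs to *verify* a password can store
    a salted PBKDF2-HMAC-SHA256 digest.  The password cannot be recovered from it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2-sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and rounds; constant-time compare."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def basic_auth_header(username: str, password: str) -> str:
    """A third-party Twitter client has to *present* the password to Twitter on
    every API call (HTTP Basic authentication is assumed here), so it must keep
    the real password, not a hash: exactly the exposure the post warns about."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return "Basic " + token


def credential_stuffing(leaked: Dict[str, str], target_db: Dict[str, str]) -> List[str]:
    """Replay a plaintext (user, password) dump from a breached client against
    another service that stores only hashes.  Hashing did not save the users
    who reused their password; only a unique password per service does."""
    return [user for user, password in leaked.items()
            if user in target_db and verify_password(password, target_db[user])]


# Constructed sample data ---------------------------------------------------
# A hypothetical webmail service that hashes properly.
WEBMAIL_DB = {
    "alice": hash_password("correct horse battery"),  # alice reuses this everywhere
    "bob": hash_password("bob-webmail-only-pw"),      # bob uses one password per site
}
# A hypothetical Twitter client whose database leaked.  It needed the real
# passwords for Basic auth, so the dump is plaintext.
LEAKED_CLIENT_DB = {
    "alice": "correct horse battery",
    "bob": "bob-twitter-only-pw",
}


def compromised_webmail_accounts() -> List[str]:
    """Accounts the attacker opens at the webmail service using the Twitter-client dump."""
    return credential_stuffing(LEAKED_CLIENT_DB, WEBMAIL_DB)


if __name__ == "__main__":
    print(basic_auth_header("alice", "correct horse battery"))
    print("webmail accounts opened with the leaked Twitter-client dump:",
          compromised_webmail_accounts())  # ['alice']
```

Note that the webmail service did everything right and still loses alice's account: the hash protects a password only at the site that stored it, not at the site that leaked it.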
In short, use a separate password for services like Twitter and never reuse a password across different services. Use a password manager with a generator, such as 1Password, if you want to make sure your passwords are strong and unique.
An extra benefit of changing your Twitter password is that you automatically weed out the services you no longer use: the ones you still care about will ask you for the new password, the rest simply stop working.
Thanks to Robert Beekman for the input.

Just so you know, I changed my old Twitter password FG*hj3#4@h right after this post.
I do my best to keep them different but still remember them. Gets funny sometimes.
Thanks for the info, it was nice to read and know :)
Thanks a lot for this info, and it's quite embarrassing to see such big sites not following the most fundamental security concept.
Passwords are so web 1.0; they are like signatures, easy to copy and unsafe. Let’s initiate a perfect replacement for this!
I've been using PwdHash from Stanford for a couple of years now to generate a unique password for each site. Your master password together with the URL are used to generate a unique password for each site. Works perfectly.
Read more here http://edgecrafting.blogspot.com/2007/08/pwdhash-one-password-to-rule-them-all.html
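To make the scheme described in the comment above concrete, here is an added Python sketch (my own code, not the commenter's and not the real PwdHash implementation, whose construction and encoding differ) of deriving one password per site from a master password and the site's URL. The reduction of a URL to its last two host labels is an assumption for the example and mis-handles registries such as .co.uk.

```python
"""Added example, not the commenter's code and not the real PwdHash
implementation: a simplified master-password-plus-site derivation using
HMAC-SHA256.  Reducing the domain to its last two labels is an assumption
that does not handle registries such as .co.uk correctly."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the domain the password is bound to, so that
    http://twitter.com/ and https://www.twitter.com/login derive the same password."""
    host = urlsplit(url).hostname or url.split("/")[0]
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])  # assumption: the last two labels are the site


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """HMAC the site key under the master password and encode a fixed-length slice.
    The master password never reaches any site; a leak at one site reveals only
    that site's derived password, and brute-forcing the master from it is the
    attacker's remaining option (so the master must be strong)."""
    mac = hmac.new(master.encode(), site_key(url).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


def phishing_site_gets_different_password(master: str, real_url: str, lookalike_url: str) -> bool:
    """Derived passwords differ per domain, so a look-alike domain receives a
    password that is useless at the real site.  Returns True when they differ."""
    return derive_site_password(master, real_url) != derive_site_password(master, lookalike_url)


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    master = "one strong master passphrase"
    for url in ("https://twitter.com/", "http://www.twitter.com/login", "https://flickr.com/"):
        print(url, "->", derive_site_password(master, url))
```

Two caveats a practitioner would want before adopting such a scheme: the master password is now the single secret protecting every account, and because the derivation is deterministic you cannot rotate one site's password without changing the master (or adding a per-site counter to the input), which is the awkward part after exactly the kind of breach the post describes.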
Thanks for the information, it is really good to know lol
Thanks for taking the time to help, I really appreciate it.
It means it is still not changed. I captured the same yesterday at noon. http://www.mplsvpn.info/2010/05/hack-twitter-password.html
Shivlu Jain, how do I capture my own cookie? I want to see if it is really in plaintext.
I also know your new password…
Kim & others,
I've been using http://www.lastpass.com for quite some time now and it does the same thing as PwdHash, but much more comfortably. Plus, unlike 1Password, it is free. The developers are very engaged with the user community and are striving to make this the best online password manager. Give it a try!