In what's become a common headline of late, yet another incredibly popular web destination has admitted it's been compromised. This time it's our favorite 140-character-limited blog, Twitter.
In a post on their blog this past Friday, the Tweeps had this advice for their users:
"Though only a very small percentage of our users were potentially affected by this attack, we encourage all users to take this opportunity to ensure that they are following good password hygiene, on Twitter and elsewhere on the Internet. Make sure you use a strong password – at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised."
Additionally, if yours was one of the compromised accounts, Twitter has already reset your password and sent you a notification asking you to choose a new one before logging back in. As you can see in the quote above, the advice is for everyone, even those unaffected. We agree, and recommend you give your passwords a once-over to make sure you're not already exposed.
This echoes our past posts about the LinkedIn password leak and the Yahoo breach, and the advice is generally the same: long, complex passwords mixing letters, capitalization, numbers and symbols, and a unique password for each site. You could also go the slightly more technical route and try out a password manager like 1Password or LastPass, which stores multiple passwords behind a single complex passphrase.
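To make that advice concrete, here is an added example (not code from the original post, Twitter or Rapid7): a small Python audit that applies the stated policy (at least 10 characters, upper- and lowercase letters, digits and symbols), flags a password that is shared across sites, and shows the two things a password manager does for you: generating a unique, policy-compliant password per site and deriving the key that protects the store from one master passphrase. The PBKDF2 derivation illustrates the principle only and is not how 1Password or LastPass are implemented; the credential set and site names are constructed for the example.

```python
"""Password hygiene audit: stated policy plus cross-site reuse (added example)."""
import hashlib
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 10  # the minimum Twitter's post asks for; "more is better"
SYMBOLS = set(string.punctuation)


def policy_findings(password):
    """Return a list of policy violations; an empty list means the password passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        findings.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        findings.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    if not any(c in SYMBOLS for c in password):
        findings.append("no symbol")
    return findings


def reuse_findings(credentials):
    """Map every password used on more than one site to the sorted list of those sites.

    credentials: dict mapping site -> password.
    """
    sites_by_password = defaultdict(list)
    for site, password in credentials.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def audit(credentials):
    """Return {site: [findings]} for every site whose password fails the policy or is reused."""
    report = {}
    reused = reuse_findings(credentials)
    for site, password in credentials.items():
        findings = policy_findings(password)
        if password in reused:
            others = [s for s in reused[password] if s != site]
            findings.append("reused on " + ", ".join(others))
        if findings:
            report[site] = findings
    return report


def generate_unique_password(length=20):
    """Random per-site password that satisfies the policy, as a manager would generate."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_findings(candidate):
            return candidate


def vault_key(master_passphrase, salt, iterations=600_000):
    """Derive a 32-byte key protecting a password store from one master passphrase.

    PBKDF2-HMAC-SHA256 here illustrates the principle of a single strong passphrase
    guarding many stored passwords; the iteration count is an assumed choice.
    """
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(), salt, iterations)


# Constructed sample credential set (hypothetical sites and passwords).
SAMPLE_CREDENTIALS = {
    "twitter.com": "Summer2012!",    # meets the policy, but is reused below
    "linkedin.com": "Summer2012!",
    "yahoo.com": "password1",        # too short, no uppercase, no symbol
    "bank.example": "Tr0ub4dor&3xyZ",  # unique and meets the policy
}

if __name__ == "__main__":
    for site, findings in sorted(audit(SAMPLE_CREDENTIALS).items()):
        print(f"{site}: {'; '.join(findings)}")
    print("example generated password:", generate_unique_password())
```

Run it on your own export from a manager, or on a list you type in yourself, and fix anything it reports: the reuse check is the one that matters most after a breach like this, since a leaked Twitter password only hurts elsewhere if it was also the password elsewhere.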
For a more in-depth look at passwords, and at how our Metasploit team can help you with auditing them, check out David Maloney's webcast: "Don't Pick the Lock, Steal the Key: Password Auditing With Metasploit".