• Twitter bug exposed passwords in an internal log, change password recommended
I'm not a cybersecurity expert, but how does something like this "accidentally" happen? Should be using 2FA, but with all the shite that's been happening lately I really don't trust them with my phone number.
Oh no, Garry made us log in with other sites, now our passwords are fucked again.
That or "no one will ever look in here/see this". Whoops.
Better yet: delete your twitter altogether. It's just as awful as facebook when it comes to privacy.
To be fair. I've worked with error logging frameworks where the whole http request would be logged in the event of an issue by default. You had to add rules to blacklist data or disable that feature.
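An added example (not from this thread, and not any particular framework's code) of the kind of rule the post above is talking about: a "log the whole request on error" handler, with a scrubbing filter bolted on so password and token fields never reach the log file. The request dict, the field-name list and the pepper-free harness are all constructed for the example.

```python
import io
import logging
from typing import Any

# Field names whose values must never appear in a log line (constructed list; extend for your app).
SENSITIVE_KEYS = frozenset({
    "password", "passwd", "new_password", "token", "authorization",
    "cookie", "set-cookie", "secret", "api_key",
})
REDACTED = "[REDACTED]"

# A constructed request, shaped like what an error handler might dump by default.
SAMPLE_REQUEST = {
    "method": "POST",
    "path": "/login",
    "headers": {"Authorization": "Bearer abc123-constructed", "User-Agent": "ExampleClient/1.0"},
    "form": {"username": "alice", "password": "hunter2-constructed"},
}


def scrub(value: Any) -> Any:
    """Return a copy of `value` with sensitive dict values replaced, recursing into nested dicts and lists."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v))
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value


class RequestScrubFilter(logging.Filter):
    """Scrubs a `request` dict that callers attach to records via `extra={"request": ...}`."""

    def filter(self, record: logging.LogRecord) -> bool:
        req = getattr(record, "request", None)
        if isinstance(req, dict):
            record.request = scrub(req)  # replaces the record's copy, never the caller's dict
        return True  # keep the record; we only sanitise it


def log_failed_request(request: dict) -> str:
    """Log a failed request the 'dump everything' way, but through the scrubbing filter.

    Writes to an in-memory stream and returns the captured text so the result can be inspected
    (a constructed harness; a real app would log to a file or collector)."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s request=%(request)s"))
    handler.addFilter(RequestScrubFilter())  # filter on the handler so every record it emits is scrubbed

    logger = logging.getLogger("example.requests")
    logger.propagate = False
    logger.setLevel(logging.ERROR)
    for old in list(logger.handlers):
        logger.removeHandler(old)
    logger.addHandler(handler)

    logger.error("unhandled exception in login handler", extra={"request": request})
    return stream.getvalue()


if __name__ == "__main__":
    print(log_failed_request(SAMPLE_REQUEST))
```

The filter only knows about keys named in SENSITIVE_KEYS, so a new field like `pin` slips through until someone adds it; that is exactly the "you had to add rules" problem the post describes, and a reason to prefer an allow-list of fields you do log where the request shape is known.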
Yeah this is unfortunately an incredibly believable thing to happen if you aren't doing your due diligence, which is super easy to do.
Twitter infringes your privacy just about as much as facepunch does. Or any forum. It's 2 boxes where you either start saying some dumb shit, or reply to some other dumb shit.
Literally just don't link your real identity to info you post online that you want to be "private".
How will I log into facepunch if I delete both?
No, Twitter implements significant user tracking and data collection, facepunch for the most part doesn't.
Of course, due to garry's choices, if you want to actually use facepunch you need to use a service that does those things.
You'd have to be really naive to actually believe this.
That isn't a problem in itself, you can just register an account and not use it for anything other than logging in to facepunch.
It's not as hard as you think to securely store passwords. Use https so they're encrypted while being sent by the client to the server. Generate a random salt for the password (this can be stored). Add the salt to the password and hash it using a modern algo. Don't store or log the unhashed password anywhere ever; only store the hash. Tada. Even if a hacker manages to gain access to the unencrypted database, he hasn't really gained anything useful. If you want to go the extra mile, pepper the password as well.
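The recipe in the post above, written out as an added example (not code from this thread or from Twitter): random per-user salt, a slow password-hashing function, a server-side pepper mixed in via HMAC, and a constant-time comparison on verify. PBKDF2-HMAC-SHA256 from the standard library is used here because it runs everywhere; Argon2id or scrypt would be the first choice in production. The pepper value and the record format are assumptions for the example.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # slow on purpose; this order of magnitude is current guidance for PBKDF2-SHA256
SALT_BYTES = 16

# Constructed pepper for the example. In real use it lives in a secrets manager or HSM,
# never in the database next to the hashes, so a DB dump alone cannot be cracked offline.
EXAMPLE_PEPPER = b"constructed-pepper-do-not-reuse"


def _peppered(password: str, pepper: bytes) -> bytes:
    """Mix the server-side pepper into the password with HMAC before the slow hash."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = EXAMPLE_PEPPER) -> str:
    """Return the only thing that should ever be stored: algorithm, cost, salt and digest.

    The plaintext is never written anywhere; the salt is random per call, so two users with
    the same password get different records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str, pepper: bytes = EXAMPLE_PEPPER) -> bool:
    """Recompute the digest with the stored salt and cost, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as an error leaking detail
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)  # no early exit on the first differing byte


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Storing the iteration count inside the record is what lets you raise the cost later: old records keep verifying with their own count, and you rehash on the next successful login.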
Fair enough, though given the multitude of examples of large companies fucking such things up, I'd honestly sooner trust Garry
I'd wager this happens in practice a lot more frequently and these are just some of the few cases where a company publicly owns up to it.
Look forward to a future where passwords aren't used and instead a biometric scan, such as a fingerprint, only accessible via smartphone or keyboards, which will all feature them in the future.
Afaik most password breaches come from smaller sources and are usually not noticed. The forum being on its own software now probably makes that risk smaller, but it's using services that are still potential attack vectors.
Fingerprints are significantly less secure than strong passwords. Consumer-grade biometrics are a joke for security.
fingerprints are stronger than no passwords
...yes? Of course a small amount of shit security is better than nothing?
So, your fingerprint gets compromised once and every account you've created is now wide open? Sounds like poor security to me.
A fingerprint scan, for the purposes of encrypting and storing it, isn't really all that much different from handling normal ass passwords, it more or less just gets treated like arbitrary data. You don't really gain an awful lot of extra security, and as Matoking already mentioned, you've only really got one set of fingers. Not to mention that you can be very easily made to involuntarily give up your password by force. Traditional passwords are pretty much about as good as they can get if they are properly done, the only other thing I could think of as an alternative is using public key cryptography as an authentication method, but I'm not suuuper educated about that topic, so maybe there's some obvious reason why we aren't using that yet, because it could easily get rid of having to trust companies with keeping your password secure.
I’m in an IT security class so this will be fun to bring up next class. Making sure you don’t log sensitive data is security basics 101
the problem with the public key cryptography is securing your private key iirc
HTTPS has supported client-based private key authentication with websites for a long, long time. It turns out it's just not consumer friendly at all, and in general 2FA is just an all-around better "authentication upgrade" for the average user given the proliferation of smartphones.