Twitter’s password security is an utter farce and the experts agree

The Twitter password leak has taken the online world by storm, with users everywhere encouraged to change their passwords as a matter of importance. But just what is the social media giant doing to help prevent such glitches in the future? News and Features Editor James Laird has discovered one particularly alarming Twitter password security flaw – and asked the experts what they thought about it.

I woke up this morning to a Slack message.

This isn’t exactly out of the ordinary, but unlike most internal communications, this one actually suggested a right-minded action: change your Twitter password now.

From a corporate sense, I obviously leapt into action, fearful of what the internet’s ne’er-do-well community would do if it got its hand on a Twitter account known for sharing iPhone X photos and vaguely amusing pop culture GIFs.

Our reputation for tweeting product shots of a reasonable quality protected, I then decided to take a look at my own Twitter account.

What I found genuinely startled me.

My password was, in a former life, pretty damn basic: ‘jameslovesmangoes’. Wary of the state of online security in 2018 and knowing I’m almost certainly being targeted by the Russians for my fair-to-middling scribing influence, I made a decision: I was going to change my Twitter password.

This codeword, I assumed, was only still being accepted because I signed up for Twitter many moons ago. The new Twitter – the Twitter of 2018 – would surely require a more complex phrase that combined numbers and letters, in line with the recommendations of pretty much any password security tutorial you’re like to read.

But not so.

‘Jameslovesmangoes’ was cool. ‘Jameslovesaubergines’ was also au faire. As was ‘trustedtwitter’ – in fact, ‘trustedreviewstwitter’ was deemed ‘Very Strong’. These were all experiments, but…seriously?

Alarmed, I sought the advice of some security experts to help explain just why Twitter was being so blasé with its built-in password strength checker.

Related: How to delete Facebook

Here’s what Raj Samani, Chief Scientist and Fellow at McAfee, told Trusted Reviews:

“James loves mangoes ? I feel the same to be honest, but I haven’t used that in a password. What we determine to be strong or not should be based on context. This should be based on the value of the service (or the impact should something go wrong). Take your password or rather your old password, for certain applications, it will probably suffice, whereas for others it would not be strong enough.

“I think for a social media platform something like ‘jameslovesmangoes’ would be inadequate. Following simple tips on creating strong passwords should be adopted, rather than relying on password strength checkers.”

David Emm Principal Security Researcher at Kaspersky Lab, agreed that Twitter’s safeguards were likely inadequate in their current form.

“I’m sceptical about using password strength tools. When looking at it from the perspective of a consumer, I’d be wary of having to enter my password in multiple sources, as essentially its putting your password at risk from cybercriminals,” he told Trusted Reviews.

So, as well as changing your Twitter password as a matter of importance – if the irony escaped you, the gaffe came on World Password Day 2018 – you should also be asking more of the services that claim to

We’ve seen it with Ashley Madison. And Facebook. And Xbox.

Not necessarily in that order, but you get the idea.

How long will it take for big tech to realise that online denizens care about more than just the next cute cat meme?

Share your thoughts on Twitter’s security practices with us @TrustedReviews.