NEWS FROM THE LAB - Tuesday, May 7, 2013

Twitter's Password Fails Posted by Sean @ 12:51 GMT

Let's say you want to hack Jack Dorsey's online banking account. Where to start? His username?

Challenging… his online banking username is a secret. But how about his Twitter account?

Oh, that's easy. It's @jack.

That's the problem with "social" usernames — they're meant to be known.

Twitter's Password Fails

Another problem, Twitter appears to validate e-mail addresses:

Twitter's Password Fails

Looks like nobody's home at jackd@twitter.com:

Twitter's Password Fails

Twitter's settings include an option to require "personal" infomation such as an e-mail or phone number:

Twitter's Password Fails

But that's less than useless if Twitter won't actually let you add your number:

Twitter's Password Fails

And just how "personal" is a phone number anyway?

Twitter's Password Fails

Two-factor authentication?


But Twitter should first stop validating e-mail addresses.

And then maybe it could add an option to disallow logins via the publicly known username.

Edited to add: On second thought…

How about this?

Twitter should stop validating e-mailing addresses in its password reset form.

And then, discriminate between using e-mail and username. If an account is accessed with the usernamedon't provide access to the account settings! The e-mail address (alias) could then be used only by account "adminstrators".

Example: regular @AP staff could login with "AP" — no settings for them! They could Tweet, but would be restricted from making changes to the account. But the @AP "admin", some guy in the IT department, that person could login using the "secret" e-mail address and would be able to change account settings (and lockdown the account in case of a breach).

Discriminating between e-mail and username — a way to distinguish between "admins" and "users".