How to pick a new password, now that Twitter wants one

May 4, 2018 by Anick Jesdanun
This April 26, 2017, file photo shows the Twitter icon on a mobile phone, in Philadelphia. Twitter says it discovered a bug that stored passwords in an internal log in an unprotected form. Though Twitter says there's no indication of any breach or misuse of passwords, the company is recommending a change as a precaution (AP Photo/Matt Rourke, File)

Yet another service is asking you to change your password.

Twitter said Thursday it discovered a bug that stored passwords in an internal log in plain text, without the usual encryption. Though Twitter says there's no indication that anyone has stolen or misused those passwords, the company is recommending a change as a precaution.

Here are some tips on coming up with a new password and safeguarding your account—even if your password is compromised.

___

COMPLEXITY COUNTS

Don't even think of using "password" as your password. Picking any common word as your password should be avoided because it's easily guessed using software that tries out every word in the dictionary.

However, you can get a good password by combining two or more words, such as "rocketcalendar." Sprinkle in some numerals and punctuation marks, and make some of those letters in caps, and you've got a strong password. So "rocketcalendar" becomes "rocket44!calendaR." (But don't use that one; the fact that it's in this article means hackers probably already have it in their databases.)

Some services will even require your passwords to have certain characteristics. As you type a new password on Twitter, the site will tell you whether it's "Too Obvious" or "Weak." Go for "Very Strong."
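As an added example (not from the article and not Twitter's own meter), here is a small Python strength rater in the spirit of the meter described above. It treats a recognisable dictionary word as a single pick from an assumed 170,000-word list rather than as a run of random letters, which is why "rocketcalendar" and the article's own decorated version score lower than their length alone suggests; the word list, the dictionary size, the labels and the thresholds are all assumptions.

```python
import math
import re

# Constructed mini word list for the demo; a real checker loads a full
# dictionary of roughly 170,000 entries, which is the size assumed below.
COMMON_WORDS = {"password", "rocket", "calendar", "twitter", "letmein",
                "welcome", "sunshine", "qwerty", "monkey", "dragon"}
DICT_SIZE = 170_000   # assumed size of the attacker's word list
SYMBOLS = 33          # printable ASCII punctuation characters


def tokenize(pw):
    """Split pw into matched dictionary words (longest first, case-insensitive),
    the leftover characters, and the count of capitals inside matched words."""
    low, used, words = pw.lower(), [False] * len(pw), []
    for w in sorted(COMMON_WORDS, key=len, reverse=True):
        i = low.find(w)
        while i != -1:
            if not any(used[i:i + len(w)]):
                words.append(w)
                used[i:i + len(w)] = [True] * len(w)
            i = low.find(w, i + 1)
    leftover = "".join(c for c, u in zip(pw, used) if not u)
    caps = sum(1 for c, u in zip(pw, used) if u and c.isupper())
    return words, leftover, caps


def charset_bits(chars):
    """Bits per character when brute-forcing only the classes present."""
    size = 0
    if re.search(r"[a-z]", chars): size += 26
    if re.search(r"[A-Z]", chars): size += 26
    if re.search(r"[0-9]", chars): size += 10
    if re.search(r"[^A-Za-z0-9]", chars): size += SYMBOLS
    return math.log2(size) if size else 0.0


def guess_bits(pw):
    """Estimated log2(guesses) for an attacker who expects glued dictionary
    words with digits, punctuation and a few capitals sprinkled in."""
    words, leftover, caps = tokenize(pw)
    bits = len(words) * math.log2(DICT_SIZE)        # each word: one dictionary pick
    bits += len(leftover) * charset_bits(leftover)  # decoration: brute-forced
    return bits + caps                              # each capital: ~1 extra bit


def rate(pw):
    """Labels loosely modelled on Twitter's meter (assumed, not its algorithm)."""
    if pw.lower() in COMMON_WORDS or len(pw) < 8:
        return "Too Obvious"
    bits = guess_bits(pw)
    return "Weak" if bits < 40 else "Okay" if bits < 64 else "Very Strong"
```

Run `rate("Password1!")` to see that a password which satisfies the usual "uppercase, digit, symbol" rules still rates Weak because it is one dictionary word with two decoration characters.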

___

KEEP PASSWORDS FRESH

Each service should have its own password. If you use "rocket44!calendaR" on Twitter, don't use it on Facebook. Once hackers get your password on one service, they'll try it on other services, too. Outsmart them by using a fresh password each time. It can be as simple as adding the first three letters of the service's name, so Twitter gets "rocket44!calendaRtwi" and Facebook gets "rocket44!calendaRfac."

You can turn to a password-manager service to help you keep track of various passwords, though make sure the one you use hasn't had its own security problems. If you're storing passwords in a spreadsheet or other document on your computer, be sure to protect it with its own password (Microsoft Office lets you encrypt files). Avoid naming the file "passwords." Call it "badmovies" or something innocuous.

___

RESET AND REFRESH

Some security experts recommend that you change your passwords frequently, though treat that advice with caution. When there's a breach, it doesn't matter whether that password is two weeks or two years old. And if you change passwords too often, you risk forgetting them and falling back on simpler, less-secure passwords.

___

A BETTER SAFEGUARD

You can ignore much of this advice if you just do one thing: Turn on two-factor authentication, which Twitter calls "login verification." You'll get a text with a code each time you try to log in from a new device or web browser. So even if hackers get your password, they can't do much unless they have your phone—or some other way to intercept the code.

Of course, this makes it even more important to protect your phone with a passcode, so that no one else can get these texts if your phone is lost or stolen.



eachus, Jun 05, 2018:

Just for the record, if you have any say in a website's password system: too many rules make passwords harder to remember and easier to brute-force. A rule requiring eight characters is relatively harmless. But a rule saying that a password must contain at least one uppercase, one lowercase letter, and a punctuation mark from a limited set? Probably enough to make brute force practical--and a brute-force attack that generates more probable passwords first might be even easier.

What should you do? Allow any graphic character. Limiting to the 192 printable characters in Latin1* is probably okay from anywhere except Eastern Asia. The next step up is to permit Unicode, especially if your website is set to use it. Require any eight Unicode characters, and provide advice on how strong a password is. That will make brute force on your site hopeless. Yes, there are lots of other attacks to worry about, but not in this memo.

* Any LatinN character set will work.
