
Twitter Orders Politicians, Journalists To Fortify Passwords Before Election (politico.com)

Twitter will require certain political candidates, elected officials and journalists to beef up their passwords, the company said Thursday, in an effort to head off any more breaches of high-profile accounts as the 2020 election draws near. From a report: The change comes two months after an embarrassing cyberattack in which hackers exploited Twitter employees' credentials to wrest control of dozens of accounts, including those of former President Barack Obama, Democratic presidential nominee Joe Biden and Microsoft founder Bill Gates. The steps announced Thursday would not have prevented that hack but could foil less sophisticated exploits. Accounts deemed to have weak passwords will be compelled to make them stronger, and those users must now verify their phone number or email address before making password changes. The social media company will also encourage, but not force, high-profile users to implement two-factor authentication, a security measure that requires them to input a unique code in addition to their password.

  • Rules.... (Score:5, Funny)

    by Rockoon ( 1252108 ) on Thursday September 17, 2020 @03:10PM (#60516802)
    Your password must contain 75 upper case letters, 75 lower case letters, 25 symbols from this set of 4 symbols, and 25 digits.
    • Two-factor authentication tied to an email that nobody would even think about being linked to them. 2FA not only adds a bouncer behind the door but alerts you to someone accessing the account. Gmail in particular cannot be logged into without you knowing.

      • by bazmail ( 764941 )
        That would be a support nightmare. If you make TFA mandatory, your service usage will drop dramatically and people will get pissed off. If you make it optional then only the people who already have good passwords (nerds) will use it.
      • They already require 2FA for all verified accounts (though ones that haven't changed their password since that was implemented 2 years ago still can use it without enabling 2FA).
      • Two-factor authentication tied to an email that nobody would even think about being linked to them.

        That's not two factor. Every major implementation of "two factor" that I have seen isn't at all "two factor."

        SOMETHING YOU HAVE
        SOMETHING YOU KNOW

        Email addresses are the same as passwords, something you know.

        • by PCM2 ( 4486 )

          You're forgetting SOMETHING YOU ARE, i.e. biometrics.

        • by Average ( 648 )

          Twitter does support (rather poorly, but they do) FIDO U2F, which is about the most SOMETHING YOU HAVE remote factor we have out there for general internet use. Don't know if you'd consider it major, but there are quite a few people carrying U2F devices now.

        • Is an SMS to a mobile number "something you have?" If you have an iPhone you can pick up your texts by logging into your account on a Mac or on an iPad, but I'd suspect the vast majority of people don't do that, so it's..... pretty close... to being a "something you have."

    • Let me simplify your complex rule, because nobody will remember it:
      "Your password must contain 75 upper case letters, 50 lower case letters, 25 digits and 12.5 emojis."

  • Why? (Score:4, Insightful)

    by bazmail ( 764941 ) on Thursday September 17, 2020 @03:15PM (#60516828)
    The hacks are never brute force password attacks. They are greedy employees doing an inside job.
  • Yeah, THERE's a good group of people who'll listen to others.

    I've got a highly secured password. I changed it from: 1-2-3-4-5 to 1-2-3-4-6, but that was hard to remember so I changed it back. Anyway, twice secure is better than once secure, right?

    And journalists? NIH, therefore this topic doesn't exist and is fake news and is only a one-time thing anyway. But more to the point: "Asteroid 'bigger than London Bridge' set to collide with Earth's orbit next week."

    Ummmm ... uhh .... yeaaaah. Litera
  • I'll just leave this here [youtu.be]. You can make this stuff up, but it sounds absurd until it actually happens.

  • If twitter disagrees with what you say, they will cancel you.

  • I assume there must be a big difference from a normal person's Twitter account and someone's who can cause a lot of damage if compromised. Is it at least 2FA or is there another factor or two? How does Trump instantly tweet at 2:30 AM in bed in the White House? I assume he's like every other celebrity or famous person and basically has no concept of IT security. Do they give these sorts of people handlers? I highly doubt your average CEO or celebrity is logging into their own Twitter account. And for those

  • wow! who put them in charge?
    • They are in charge of Twitter, so... yeah. If you're used to military command structure, I guess you could call them "Major Twits".

  • by LinuxFreakus ( 613194 ) on Thursday September 17, 2020 @04:01PM (#60516966)
    Hahah... this must be some sort of funny funny joke... considering the latest attacks and breaches of dozens of high profile accounts were because of admin tools which were compromised. Way to reflect blame, lol. I still find it hard to imagine they were so dumb with their admin tools... but it happens over and over at tech companies, so I guess I should never be surprised. I'm sure there will always be some who had poor passwords, but this is pretty ridiculous.
  • Twitter will require certain political candidates, elected officials and journalists to beef up their passwords, the company said Thursday, in an effort to head off any more breaches of high-profile accounts as the 2020 election draws near.

    And if they don't "beef up their passwords", will the account be disabled as the election date approaches? How convenient.

    I notice that it's some "certain" subset of the candidates. I wonder what that subset is, and if those included tend to be of a different political
