Security Corner

Dec 27 2009, 3:36PM GMT

Web 2.0 Security: Watch Those Passwords

Ken Harthun

Far too many people use weak passwords, and then reuse those same weak passwords over and over again on the Web. Using a weak password is bad enough; using it in more than one place is lunacy, because a password stolen from one site will be tried on every other site its thief can think of. The worst place for a weak password is your online banking site, of course, but using one on any Web 2.0 site can also put your personal information at risk. Let’s take Twitter, for example.

Most people probably wouldn’t think of Twitter as a sensitive site, but recall the previous article about impersonation. Compromise a Twitter password and you can easily pose as the account holder. You could then wreak all manner of havoc on the person’s reputation not only on Twitter, but on every site where the account is linked. Recently, someone managed to get hold of my Twitter password when I tried one of those “get follower” services that someone else recommended. Fortunately, all the thief did was spam messages about their “service,” but there were a few hours there where it appeared I was guilty of spamming. I lost quite a few followers and had to deal with a barrage of questions from my friends on other networks.

Twitter management is aware of the importance of strong passwords and will not allow you to set up an account with any of 370 commonly used weak ones. The list is right there in the source code of the sign-up page if you care to look (view source and search for “banned passwords”); you can also see it in The Washington Post article “370 Passwords You Shouldn’t (And Can’t) Use On Twitter.” If you’re guilty of using any of those, anywhere, change them immediately.

Here are some good policies to put in place:

  • Use a strong password on every Web 2.0 site.
  • Do not use the same password more than once anywhere on the Web; one breach should not unlock every account you own.
  • Particularly on Twitter, do not type your password into any third-party site unless you are absolutely sure it is trustworthy.
  • Change your passwords periodically.
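The banned-list check described above and the “use strong passwords” policy, as an added example that is not code from the original post or from Twitter: a small Python checker that rejects a constructed sample banned list after normalising away the usual tricks (case, a trailing run of digits or punctuation, leet substitutions), then rates whatever survives by estimated entropy with a penalty for obvious structure. The sample list, the leet table, the rating labels and the thresholds are all this example’s own assumptions, not Twitter’s 370-entry list or its rating scheme.

```python
import math
import re

# Constructed sample of a banned list. Twitter's real list had 370 entries;
# this short set merely stands in for it.
BANNED = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "twitter", "iloveyou", "monkey", "111111", "welcome", "dragon",
}

# Leet substitutions undone before the banned-list comparison, so that
# "P@ssw0rd" is still recognised as "password". Assumed table, not Twitter's.
_LEET = str.maketrans(
    {"@": "a", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s"}
)

# Ordered runs used to spot four-character walks such as "qwer", "1234", "dcba".
_RUNS = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
         "qwertyuiop", "asdfghjkl", "zxcvbnm")


def normalize(pw: str) -> str:
    """Lower-case, drop a trailing run of digits/punctuation, then undo leet."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(_LEET)


def is_banned(pw: str) -> bool:
    """True if the password itself, or its normalised form, is on the banned list."""
    return pw.lower() in BANNED or normalize(pw) in BANNED


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must assume, from the classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def estimated_bits(pw: str) -> float:
    """Upper-bound entropy: length * log2(alphabet). Optimistic by design."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def has_pattern(pw: str) -> bool:
    """Cheap structure checks that a pure character-class count misses."""
    low = pw.lower()
    if re.search(r"(.)\1\1", low):                    # aaa, 111
        return True
    if re.fullmatch(r"[a-z]+[\d\W_]{0,5}", low):      # Word + short digit/symbol tail
        return True
    for run in _RUNS:
        for i in range(len(run) - 3):
            piece = run[i:i + 4]
            if piece in low or piece[::-1] in low:   # forward or backward walk
                return True
    return False


def rate(pw: str) -> str:
    """Rate a candidate. Labels and thresholds are this example's own."""
    if is_banned(pw):
        return "banned"
    if len(pw) < 8:
        return "too short"
    bits = estimated_bits(pw)
    if has_pattern(pw):
        bits /= 2          # crude penalty: structured passwords fall to guessing far sooner
    if bits < 32:
        return "weak"
    if bits < 48:
        return "good"
    if bits < 64:
        return "strong"
    return "very strong"


if __name__ == "__main__":
    # Constructed candidates, from obviously bad to reasonable.
    for candidate in ("password", "P@ssw0rd!", "Twitter2009", "abcd1234",
                      "Summer2010!", "xK9#mQ2!vL", "correct horse battery staple"):
        print(f"{candidate!r:34} -> {rate(candidate)}")
```

Two things worth noticing when you run it: “P@ssw0rd!” and “Twitter2009” are caught by the banned list only because the comparison normalises first, a plain string match against the 370 entries would let both through; and “Summer2010!” scores only “good” despite using all four character classes, because a capitalised word with a short numeric tail is exactly the structure cracking tools try first, so a rating of “good” is not one to settle for.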

2 Comments on this Post

  • RichardWang
    While everyone is well advised to avoid these passwords, there are plenty more poor passwords out there. In fact, the list of bad passwords Twitter is using only has 29 in common with the list of 246 that the Conficker worm used so successfully a year ago, according to a comparison I ran for the SophosLabs blog. Twitter users would be well advised to use the rating system that Twitter provides and ensure that they have passwords rated as 'very strong'. Don't settle for 'good'; some of the passwords on Conficker's list are rated as 'good' by Twitter.
  • Ken Harthun
    Excellent points, Richard. Thanks for your input. As I have often advised, everyone should come up with a personal algorithm that allows them to generate very strong passwords that are easily remembered... Ken
