{"id":21434,"date":"2018-05-04T14:51:07","date_gmt":"2018-05-04T18:51:07","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=21434"},"modified":"2018-05-04T14:51:07","modified_gmt":"2018-05-04T18:51:07","slug":"twitter-stored-passwords-in-log-file","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/05\/04\/twitter-stored-passwords-in-log-file\/","title":{"rendered":"Twitter Stored Passwords in Log File"},"content":{"rendered":"

Twitter<\/a> (Hacker News<\/a>, MacRumors<\/a>):<\/p>\n

\n

Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.<\/p>\n<\/blockquote>\n\n

Nick Heer<\/a>:<\/p>\n

\n

The euphemistic and misleading headline upsets me. What’s even more worrying is Agrawal’s reaction in a tweet[…]<\/p>\n<\/blockquote>\n\n

CTO Parag Agrawal<\/a>:<\/p>\n

\n

We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do.<\/p>\n<\/blockquote>\n\n

Roustem Karimov<\/a>:<\/p>\n

\n

This is weird, @Twitter. Shouldn’t you be hashing the passwords on the client side, BEFORE sending them to the server?<\/p>\n<\/blockquote>\n\n

Mark Hughes<\/a>:<\/p>\n

\n

So first, and most importantly, never reuse passwords, no matter how trivial. Eventually any company will screw up or be hacked, and your password exposed, and then someone can try it on every other site.<\/p>\n<\/blockquote>\n\n

Rick Fillion<\/a>:<\/p>\n

\n

It took us a while to find what we needed for this layer. (Apparently the marketing department of augmented password-authenticated key agreement protocols is underfunded.) But we eventually found SRP, which ticked all our boxes. SRP is a handshake protocol that makes multiple requests and responses between the client and the server. Now, that may not sound very interesting – and I’m not one to show excitement easily – but SRP is a hell of a layer. With SRP we can:<\/p>\n