IT security and control firm Sophos is calling on Twitter to
enforce the use of strong passwords by its members following the
recent publication of details on how a hacker managed to gain
access to Twitter's internal systems earlier this week.
According to reports, the teenage hacker, who uses the online
handle GMZ, claims he gained entry to the micro-blogging site's
administrative control panel by running a dictionary password guesser
against a Twitter staffer's account. Unfortunately for Twitter and
the users whose accounts were then compromised, the staff member had
chosen the dictionary word "happiness".
GMZ claims that he did not use other hacked accounts himself,
but posted a message on a hacking forum offering access to any
Twitter account by request.
"What lessons can be learnt from this incident? Firstly, you
should never use an easy-to-guess password to secure your online
website accounts. Using a dictionary word like 'happiness' shows a
complete lack of knowledge about how to use computers safely,"
explained Graham Cluley, senior technology consultant at Sophos.
"Twitter could help avoid this problem by insisting that passwords
are not known dictionary words, or forcing the use of numbers and
other characters - such as underlines, exclamation marks and
percentages - in users' chosen passwords."
"Secondly, Twitter and other websites should be able to tell
when hackers are trying to brute-force their way past a password.
GMZ says he ran his automatic password guessing program overnight
before it finally broke its way in. There's no reason why Twitter
couldn't, say, notice that someone has entered the wrong password
three times in a row, and then insist they wait 15 minutes before
trying to log in again," continued Cluley.
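As an added illustration of the two controls Cluley describes, here is example code written for this page (it is not Twitter's or Sophos's code): a password-policy check that rejects bare dictionary words and demands mixed character classes, and a per-account throttle that refuses further attempts for 15 minutes after three consecutive wrong passwords. The account name, the short wordlist and the three-strikes/15-minute parameters are assumptions taken from the quotes above; the throttle is then run against a simulated dictionary attack on an account whose password is "happiness".

```python
"""Added example: hypothetical login throttle and password-policy check.
Not Twitter's or Sophos's code; parameters are taken from the article's quotes."""
import hmac
import time

LOCKOUT_THRESHOLD = 3        # consecutive failures that trigger a lockout
LOCKOUT_SECONDS = 15 * 60    # the 15-minute wait suggested in the article

# Constructed wordlist standing in for a real dictionary file (assumption).
DICTIONARY = {"password", "letmein", "sunshine", "happiness", "monkey"}
WORDLIST = ["password", "letmein", "sunshine", "happiness", "monkey"]


def is_dictionary_password(password: str) -> bool:
    """True if the password is a bare dictionary word, ignoring case."""
    return password.lower() in DICTIONARY


def has_required_classes(password: str) -> bool:
    """Require at least one digit and one non-alphanumeric character."""
    return any(c.isdigit() for c in password) and any(not c.isalnum() for c in password)


def password_policy_ok(password: str) -> bool:
    """Policy from the quote: no known dictionary word, and mixed character classes."""
    return not is_dictionary_password(password) and has_required_classes(password)


class LoginThrottle:
    """Per-account count of consecutive failures with a fixed cooldown.

    `credentials` maps account name to password. Plaintext is used only to
    keep the demo short; a real service compares against a salted hash.
    """

    def __init__(self, credentials, threshold=LOCKOUT_THRESHOLD,
                 lockout=LOCKOUT_SECONDS, clock=time.time):
        self._credentials = credentials
        self._threshold = threshold
        self._lockout = lockout
        self._clock = clock
        self._failures = {}      # account -> consecutive failures so far
        self._locked_until = {}  # account -> time at which the lockout ends

    def attempt(self, account: str, password: str, now=None) -> str:
        """Returns "ok", "denied" or "locked". `now` overrides the clock for tests."""
        now = self._clock() if now is None else now
        # During a lockout the password is not checked at all, so the
        # response never reveals whether the guess happened to be right.
        if self._locked_until.get(account, 0) > now:
            return "locked"
        expected = self._credentials.get(account)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            self._failures.pop(account, None)
            return "ok"
        failures = self._failures.get(account, 0) + 1
        if failures >= self._threshold:
            self._locked_until[account] = now + self._lockout
            self._failures[account] = 0   # count starts fresh after the wait
            return "locked"
        self._failures[account] = failures
        return "denied"


def simulate_dictionary_attack(throttle, account, wordlist, start=0.0, seconds_per_guess=1.0):
    """Replays `wordlist` against one account on a simulated clock.

    Returns (found, guesses_made, locked_responses).
    """
    now = start
    locked = 0
    for n, guess in enumerate(wordlist, start=1):
        result = throttle.attempt(account, guess, now=now)
        if result == "ok":
            return True, n, locked
        if result == "locked":
            locked += 1
        now += seconds_per_guess
    return False, len(wordlist), locked


if __name__ == "__main__":
    creds = {"staffer": "happiness"}   # constructed account, not a real one
    print("policy rejects 'happiness':", not password_policy_ok("happiness"))
    unthrottled = LoginThrottle(creds, threshold=10**9)
    print("no throttle:", simulate_dictionary_attack(unthrottled, "staffer", WORDLIST))
    throttled = LoginThrottle(creds)
    print("3 strikes / 15 min:", simulate_dictionary_attack(throttled, "staffer", WORDLIST))
```

Run as a script, the unthrottled attack finds the password on the fourth guess, while the throttled one is locked out on the third wrong guess and every later attempt, including the correct word, is refused until the 15 minutes have elapsed. One caveat the quote does not raise: a lockout keyed only on the account name lets anyone lock a legitimate user out at will by sending three bad guesses, so production systems normally pair it with per-source rate limiting and progressive delays rather than relying on a hard lock alone.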
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.