On Tuesday night, after a long day of dealing with recent phishing attacks, Twitter posted a long message on the Twitter Status Blog explaining a possible source of the attacks and detailing how users can defend themselves against such vulnerabilities.
The idea is simple.
Somebody created some torrent sites a few years ago that required a login and password; after the original creator had sold the sites, they remained accessible through security exploits. Relying on the reasonable belief that people use the same account name and password on numerous sites, this person was then able to gain access to users' Twitter accounts using the logins and passwords stolen through the torrent sites' backdoors.
As always, Twitter urged its users to change their passwords in order to ensure security of their accounts. But something else about this whole situation apparently bothered Twitter a lot:
"The takeaway from this is that people are continuing to use the same email address and password (or a variant) on multiple sites."
"We strongly suggest that you use different passwords for each service you sign up for."
Now I don't know about you, but I log on to at least ten services every single day: GMail, Facebook, Last.fm, Flickr, Twitter, Vator.tv, my college campus network, and multiple blogs. Those are just the essentials. While I certainly take advantage of a few different passwords, Twitter is living in a dream world if it thinks people are about to take up its advice to remember a different password for every single new service. I have enough trouble already with my few accounts.
Maybe the solution to all this is having one secure system used to access every site, like Facebook Connect. Or, perhaps even better, something that makes passwords obsolete.
Until then, though, watch out for those torrent sites with required login.