When you type “password” at the Twitter log-in screen, Twitter runs what you typed through the same hashing function and compares the resulting soup of letters and numbers with the soup it stored when you set the password; it lets you in only if the two match. Combined with other mechanisms, chiefly a random per-user salt and a hashing function that is deliberately slow to compute, hashing makes it extremely difficult to recover a password from its hash.
The idea is that your actual password is never supposed to be saved on Twitter’s servers in readable form, but in this case that is what happened, the company said.
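As an added illustration (example code written for this page, not Twitter's own), here is the store-and-compare step described above in Python, using the standard library's PBKDF2 as the slow, salted hash, next to the fast, unsalted MD5 scheme that some older services still use. It also shows why the "hard-to-guess" advice further down matters: a weak password is recovered from either kind of hash, only more slowly from the salted one, while a random one is not in any wordlist. The wordlist and the round count are constructed for the example; real attackers use lists with hundreds of millions of entries, and real systems use bcrypt, scrypt or Argon2 with a higher work factor.

```python
"""Added example: salted slow hashing versus legacy unsalted MD5."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for the slow hash. Chosen low to keep the example quick;
# production systems use bcrypt/scrypt/Argon2 or a much higher round count.
PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash a password with a random salt and a deliberately slow KDF.

    Only the (salt, digest) pair is stored. The plaintext exists just long
    enough to run the KDF and must never be written to disk or to a log.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Login check: hash what the user typed the same way and compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


# Constructed wordlist standing in for the huge lists attackers actually use.
COMMON_GUESSES = ["123456", "qwerty", "letmein", "password", "hunter2", "iloveyou"]


def build_md5_lookup(guesses=COMMON_GUESSES) -> Dict[str, str]:
    """Precompute unsalted MD5 of every guess once.

    Without a salt the same password always yields the same hash, so one
    table cracks any user's hash with a dictionary lookup and no extra work.
    """
    return {hashlib.md5(g.encode("utf-8")).hexdigest(): g for g in guesses}


def crack_unsalted_md5(target_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Legacy scheme: the stored hash is the lookup key."""
    return table.get(target_hex)


def crack_salted_slow(salt: bytes, digest: bytes, guesses=COMMON_GUESSES) -> Tuple[Optional[str], int]:
    """Attack a salted, slow hash: each guess costs a full KDF run, per user.

    Returns (password_or_None, number_of_kdf_evaluations). A weak password
    is still found, just slowly; a random one is not in any wordlist.
    """
    attempts = 0
    for guess in guesses:
        attempts += 1
        if verify_password(guess, salt, digest):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # Legacy-style storage: unsalted MD5 of a common password, cracked by lookup.
    legacy_hash = hashlib.md5(b"password").hexdigest()
    print("unsalted md5:", crack_unsalted_md5(legacy_hash, build_md5_lookup()))

    # Modern storage: salted and slow. Weak password still falls, strong one does not.
    salt, weak_digest = hash_password("password")
    print("salted slow, weak password:", crack_salted_slow(salt, weak_digest))
    salt2, strong_digest = hash_password("correct-horse-battery-9Qz!")
    print("salted slow, strong password:", crack_salted_slow(salt2, strong_digest))

    # The login comparison itself.
    print("login ok:", verify_password("password", salt, weak_digest))
    print("login wrong case:", verify_password("Password", salt, weak_digest))
```

The salt stops an attacker from precomputing one table for every user, and the slow KDF makes each guess expensive, but neither turns a dictionary word into a safe password.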
“We are very sorry this happened,” it said. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”
Security specialists advise everyone to follow a few simple rules to protect their passwords:
- Use hard-to-guess passwords. That wouldn’t have made a difference in the Twitter case, since the passwords themselves were saved, but not every online service hashes passwords at all, and some that do still use older, fast, unsalted hashes such as MD5, from which a weak password can be recovered simply by hashing common guesses until one matches.
- Never reuse passwords. If an attacker gets hold of one of your passwords and you use it on multiple sites, they have the key to your accounts on all of them; lists of stolen passwords are routinely tried against other services.
- Use two-factor authentication, or 2FA, which requires you to enter an extra one-time code, delivered by text message or generated by an app on your phone, each time you log in. Google offers 2FA, and more companies and sites are adopting it as an added security option. A code from an app, or a hardware security key, is stronger than one sent by text message, which can be intercepted or redirected to a hijacked phone number.
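The one-time codes that authenticator apps produce are usually time-based one-time passwords (TOTP, RFC 6238): the app and the site share a secret when you enrol, and each side derives a short code from that secret and the current 30-second time slot, so the code is useless once the slot has passed or once it has been used. The following is an added example written for this page, not code from Twitter, Google or any authenticator app; it uses the published RFC 6238 test secret and fixed timestamps so it runs offline, and the replay guard is a common server-side design rather than any particular product's.

```python
"""Added example: TOTP code generation and a server-side check with replay protection."""
import hashlib
import hmac

# Published RFC 4226/6238 test key. Constructed for the example; never use in practice.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic truncation":
    pick 4 bytes at the offset given by the low nibble of the last byte.
    """
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter set to the current time slot."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side of the check.

    Accepts the current slot and `window` slots either side to tolerate clock
    drift, compares in constant time, and remembers the highest slot already
    used so the same code cannot be replayed within the window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, candidate: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # that slot's code has already been spent
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), candidate):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test vectors use 8 digits; apps usually show 6.
    print("T=59 ->", totp(RFC6238_SECRET, 59, digits=8))
    print("T=1111111109 ->", totp(RFC6238_SECRET, 1111111109, digits=8))

    verifier = TotpVerifier(RFC6238_SECRET)
    code = totp(RFC6238_SECRET, 59)
    print("first use:", verifier.verify(code, 59))    # accepted
    print("replay:", verifier.verify(code, 59))       # rejected, already spent
    print("wrong code:", verifier.verify("000000", 59))
```

The shared secret is what enrolment (the QR code) transfers; anyone who obtains it can generate the same codes, which is why the secret, unlike a password hash, must be stored encrypted rather than hashed.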
And remember: when you change your Twitter password, be sure to update it at any other site or app linked to your Twitter account. You can find the list of apps connected to your account in Twitter’s account settings.