Out of Twitter

Tuesday, July 28, 2009 at 23:30 | Posted in internet, web 2.0. | 2 Comments

I appreciate that Twitter is concerned about my security, but this is a bit too much of a good thing. Locking me out of my account does not help me at all, nor does it prevent any unauthorised usage of my account. On the contrary, it makes things worse, because as long as I have no access to my account, I am unable to make sure that nobody else has that access.

What happened was that I temporarily granted a third-party application access to my account. As soon as that app had done what it was supposed to, I revoked the access and changed my Twitter password, just to be on the safe side. What I failed to notice was that while I changed my password in the web interface I had TweetDeck running the whole time, and it did not occur to me that I needed to change the password there as well. Hence, TweetDeck kept trying to access my account using the old password and naturally failed.

Twitter apparently took this as an unauthorised attempt to crack my account. But rather than letting me update the password in TweetDeck, they chose to lock me out of both TweetDeck and the web interface. Security is fine, but I wonder what the point of this action might be and how exactly it is going to increase my security.

Edit: Looks like I have my access back. I still honestly do not understand why it was necessary to keep me out for a couple of hours.


2 Comments »


  1. A common method of hacking an account is a dictionary attack: simply trying every word in the dictionary as the password. Twitter, who has been severely criticised for its lack of security in the past, has been a victim of such attacks as well. A simple way to block such attacks is to limit the number of (failed) attempts when someone enters the wrong password to some number, let’s say 10 attempts per hour. That is a reasonable security measure. They can make it more sophisticated and block access for one origin (application) only, or give a separate access option for a ‘change password’ procedure, but that would only give hackers more chances to circumvent the security system. They already provide two options: 1. wait a few hours, 2. enter a support request or email and wait a day for someone to address your problem.

  2. Got your point about the dictionary attack. That could be fruitful from the attacker’s point of view under the condition that the password would be a single word in English. I know that millions of web users have passwords as weak as that, but millions of others do not.

    I’ll just paste here my 3 first tweets after I was granted access to my account:

    Regained access to my Twitter account after being blocked for a couple of hours.

    If a malicious party actually were attacking my @twitter account it would be in their best interest 2 have me paralyzed 4 a couple of hours.

    So if @twitter locks me out they could use those valuable hours to secure control over my account and I could do nothing about it.
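The two comments above describe the design trade-off in the abstract: a cap on failed logins per hour (comment 1), applied either account-wide or per origin, versus the owner-lockout problem the post and comment 2 describe, where one misbehaving client locks the legitimate user out of every interface. The following Python simulation is an added example written for this page; it is not Twitter's or TweetDeck's code, and the account name, origin labels, retry cadence and the 10-per-hour threshold are constructed values taken only from the numbers the comment mentions. It implements a sliding-window failed-login throttle that can be scoped to the whole account or to each (account, origin) pair, and replays the scenario from the post: a desktop client retrying a stale password once a minute, then the owner logging in correctly from the web.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # the "per hour" window from the comment
MAX_FAILURES = 10       # the "10 attempts" cap from the comment


class LoginThrottle:
    """Sliding-window throttle on failed login attempts.

    scope="account": any MAX_FAILURES failures lock the whole account,
                     whichever client produced them (what the post describes).
    scope="origin":  failures are counted per (account, origin), so a client
                     stuck on an old password locks only itself.
    """

    def __init__(self, scope="account", max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        if scope not in ("account", "origin"):
            raise ValueError("scope must be 'account' or 'origin'")
        self.scope = scope
        self.max_failures = max_failures
        self.window = window
        # key -> timestamps (seconds) of failures still inside the window
        self.failures = defaultdict(deque)

    def _key(self, account, origin):
        return (account, origin) if self.scope == "origin" else (account,)

    def _prune(self, key, now):
        """Drop failures that have aged out of the window; return the live queue."""
        q = self.failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_locked(self, account, origin, now):
        return len(self._prune(self._key(account, origin), now)) >= self.max_failures

    def attempt(self, account, origin, password_ok, now):
        """Record one login attempt; returns 'locked', 'ok' or 'bad_password'.

        A locked key rejects the attempt before the password is even checked,
        which is exactly why a correct web login fails in account scope.
        """
        q = self._prune(self._key(account, origin), now)
        if len(q) >= self.max_failures:
            return "locked"
        if password_ok:
            q.clear()          # a successful login clears the failure history
            return "ok"
        q.append(now)
        return "bad_password"


def simulate(scope):
    """Constructed scenario: a desktop client retries a stale password every
    60 s for 15 minutes, then the owner logs in from the web with the correct
    password, and finally the desktop client is fixed after the window expires."""
    throttle = LoginThrottle(scope=scope)
    for minute in range(15):
        throttle.attempt("alice", "desktop-client", password_ok=False, now=minute * 60)
    now = 16 * 60
    web = throttle.attempt("alice", "web", password_ok=True, now=now)
    desktop = throttle.attempt("alice", "desktop-client", password_ok=True, now=now)
    # An hour later the recorded failures have aged out of the window.
    recovered = throttle.attempt("alice", "desktop-client", password_ok=True, now=now + WINDOW_SECONDS)
    return {"web": web, "desktop": desktop, "desktop_after_window": recovered}


if __name__ == "__main__":
    for scope in ("account", "origin"):
        print(scope, simulate(scope))
```

With account scope the owner's correct web login is refused ("locked") until the hour passes, reproducing the post's complaint; with origin scope only the stale desktop client is throttled and the web login succeeds, which is the "block access for one origin (application) only" variant from comment 1. Neither policy is free: per-origin counting means an attacker who can vary the origin label gets more guesses per hour, so in practice the origin key must be something the server controls (an authenticated application identity or source network) rather than a client-supplied string.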

