Trump Twitter Hack Shows Password Policies Yet Again Lacking

Victor Gevers must have a 197-point IQ and a better-than-15% guess rate on President Trump’s password because, guess what? Gevers claims he was able to access Trump’s Twitter account by accurately guessing Trump’s highly complex and long password: “maga2020!”[i]

At least he used the exclamation point.

By now you’ve surely read the news, and given that we’re less than two weeks out from the U.S. Presidential election, you surely have some opinion on Trump. And not just if you’re a U.S. citizen.

But this isn’t a political post. We at TAG Cyber have opinions, but we’ll only publicly share the ones about cyber security.

Let me iterate the problems we all know so well:

  • The account was “protected” by an easy-to-guess, insufficiently long (sorry, NIST), human-devised password
  • The account did not have two- or multi-factor authentication turned on

Now, I bet you’re going to expect me to chastise the President.

Nope, not going to happen here.

Instead, let’s look at the platform provider: Twitter, which has been compromised numerous times over the years, promised to implement stricter access controls for political figures after last month’s breach. Why only political figures deserve better security is anyone’s guess.

But the promise apparently didn’t turn into action. Although Twitter is denying claims of a breach, stating there is “no evidence,” I think most people’s money is on the validity of Gevers’ claim.

Even if this is a security researcher seeking the limelight, the facts are these: I was able to just minutes ago log into Twitter and change my password to “asdfgh2020!” (Yes, I changed it again—before finishing this sentence—to an auto-generated, excessively long, new password for which a second factor of authentication is required.) I am not a political figure. I am not even famous among industry analysts. I’m barely even recognizable in the security industry. But, come on, Twitter. This shouldn’t be allowed and you know it.

Also, I use 2FA because everyone should. All cyber security guidance says the same thing—I haven’t seen much dissent among our community. But, as anyone using Twitter knows, 2FA is a “feature,” not a requirement. Maybe Twitter isn’t your bank account, your mortgage account, or your health care provider, but if companies expect to secure customers’/consumers’ accounts, 2FA/MFA must be turned on by default. If a user wants to turn off 2FA/MFA, they should be required to acknowledge they are reducing the security of their account(s).

Also...forced long passwords for the win.

I know, I know: Users don’t like long passwords. Users don’t like friction. The business wants convenience. Twitter and others like it want more users so that they can sell our data. I get it. But the reality is, if businesses expect to reduce breaches, especially stupid ones like this where the password is way too obvious and there isn’t an additional authentication factor, they’re going to have to step up their game. Maybe Twitter doesn’t care. They won’t lose users over this.

What if your company is a bank, or a mortgage lender, or a health care company, though? Will you lose customers? Revenue? Damage your brand? Will you negatively impact people’s lives? This is a moral and ethical question just as much as it is a business and security question.

The least companies can do for their account holders is require strong passwords and 2FA/MFA by default. We know there are other, potentially better, options than username/password, but this should be the minimum viable requirement.
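What the “minimum viable requirement” above looks like in code, as an added example that is not part of the original post and is not Twitter’s or TAG Cyber’s code: a password-change path that rejects the two passwords discussed in the post (too short, keyboard walk, word + year + punctuation, predictable context word) and an account model where MFA is on by default and can only be switched off after an explicit acknowledgment. The 12-character minimum, the small blocklists, and the `AccountSecurity` class are all constructed assumptions; a real deployment would check candidates against a breached-password corpus rather than the toy lists here.

```python
"""Constructed example: server-side password policy plus MFA-by-default account settings.

Names, thresholds, and word lists are illustrative assumptions, not any platform's policy.
"""
import hashlib
import os
import re
from dataclasses import dataclass
from typing import List, Optional

MIN_LENGTH = 12  # assumption: stricter than the 8-character floor NIST SP 800-63B allows

# Constructed blocklist stand-in. In production this is a breached/common-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Keyboard rows used to detect walks such as "asdf" or "qwer".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Constructed context words: things an attacker would try first for this account/site.
CONTEXT_WORDS = {"maga", "trump", "twitter"}

# Single word, then a 19xx/20xx year, then optional trailing punctuation ("maga2020!").
WORD_YEAR_PUNCT = re.compile(r"^[a-z]+(19|20)\d\d[!@#$%^&*.]*$", re.IGNORECASE)


def _contains_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if any `run` adjacent keys from one keyboard row appear in the password."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            if row[i:i + run] in low:
                return True
    return False


def check_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on common-password blocklist")
    if _contains_keyboard_walk(pw):
        problems.append("contains a keyboard walk (e.g. 'asdf')")
    if WORD_YEAR_PUNCT.match(pw):
        problems.append("word + year + punctuation pattern")
    if any(word in pw.lower() for word in CONTEXT_WORDS):
        problems.append("contains a predictable context word")
    return problems


@dataclass
class AccountSecurity:
    """Account settings with MFA on by default, as the post argues it should be."""
    username: str
    mfa_enabled: bool = True
    mfa_optout_acknowledged: bool = False
    password_hash: Optional[bytes] = None  # salt || PBKDF2 digest; never the plaintext

    def disable_mfa(self, acknowledged: bool) -> bool:
        """MFA may only be turned off once the user acknowledges the reduced security."""
        if not acknowledged:
            return False
        self.mfa_enabled = False
        self.mfa_optout_acknowledged = True
        return True


def set_password(account: AccountSecurity, new_pw: str) -> List[str]:
    """Apply the policy; store a salted PBKDF2 hash only if the password passes."""
    problems = check_password(new_pw)
    if problems:
        return problems
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_pw.encode(), salt, 200_000)
    account.password_hash = salt + digest
    return []


if __name__ == "__main__":
    acct = AccountSecurity("demo_user")  # constructed account
    for candidate in ["maga2020!", "asdfgh2020!", "correct-horse-battery-staple-7"]:
        verdict = set_password(acct, candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
    print("MFA still on after unacknowledged opt-out:", not acct.disable_mfa(False) and acct.mfa_enabled)
```

Running the module rejects both “maga2020!” and “asdfgh2020!” on several independent grounds and accepts the long passphrase; the point of returning every violation, rather than the first, is that the user-facing error can explain exactly why the choice is predictable.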


[i] Twitter cries foul.