Thoughts on Systems

Emil Sit

Jan 7, 2009 - 1 minute read - Technology Thoughts password security twitter

Twitter had no rate limit for failed authentication

Reading the Wired writeup on the Twitter password hack, I’m incredulous to learn that there was no rate limiting on failed authentication. Given Twitter’s stringent rate limiting for API requests, this seems surprising. Not to mention that online password attacks are practically older than time. Fortunately,

As for addressing the security issues that allowed the breach, [Twitter co-founder Biz Stone] wrote in a follow-up e-mail that the company is doing “a full security review on all access points to Twitter. More immediately, we’re strengthening the security surrounding sign-in. We’re also further restricting access to the support tools for added security.”

Thank goodness. I feel safer already.
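For contrast, here is the control the post says was missing: a per-account throttle on failed sign-ins, written as an added example (not Twitter's code and not from the Wired article). Every name, threshold and the doubling lockout schedule are illustrative assumptions; a real deployment would also key on source address and emit a log event on each lockout so defenders can see guessing campaigns.

```python
# Throttle for failed sign-in attempts (illustrative example, not Twitter's code).
# Failures are counted per account in a sliding window; hitting the threshold locks
# the account for a period that doubles per consecutive lockout. Thresholds are assumptions.
from collections import defaultdict, deque
import time


class FailedAuthLimiter:
    def __init__(self, max_failures=5, window_s=300, base_lockout_s=60,
                 max_lockout_s=3600, clock=time.monotonic):
        self.max_failures, self.window_s = max_failures, window_s
        self.base_lockout_s, self.max_lockout_s = base_lockout_s, max_lockout_s
        self.clock = clock                     # injectable for deterministic tests
        self._failures = defaultdict(deque)    # account -> failure timestamps
        self._locked_until = {}                # account -> lockout expiry time
        self._lockouts = defaultdict(int)      # account -> consecutive lockouts

    def allow(self, account):
        """True if an attempt may be evaluated now (account not locked out)."""
        return self.clock() >= self._locked_until.get(account, float("-inf"))

    def record_failure(self, account):
        """Log a failed attempt; return the lockout length it triggered, or 0."""
        now = self.clock()
        q = self._failures[account]
        while q and now - q[0] > self.window_s:   # forget failures outside window
            q.popleft()
        q.append(now)
        if len(q) < self.max_failures:
            return 0
        n = self._lockouts[account]
        lockout = min(self.base_lockout_s * 2 ** n, self.max_lockout_s)
        self._locked_until[account] = now + lockout
        self._lockouts[account] = n + 1
        q.clear()                                 # window restarts after lockout
        return lockout

    def record_success(self, account):
        """A genuine sign-in clears every counter for the account."""
        for table in (self._failures, self._locked_until, self._lockouts):
            table.pop(account, None)


def attempt_login(limiter, verify, account, password):
    """Consult the limiter first, so a locked account refuses even the right password."""
    if not limiter.allow(account):
        return "locked"
    if verify(account, password):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "denied"
```

Checking the limiter before running the password check is the point: once locked, the correct password is refused too, so a guesser cannot tell a hit from a miss, and the check costs nothing against the credential store.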