Look, I’m not going to get into whether you should be using Twitch or not, but the reality is many people do. I’ve been seeing increasing calls, particularly on Discord servers, to change your Twitch password, and on any site you use the same password on.

Those calls mean well I’m sure, but is it actually necessary? I’m going to assume that Twitch implements password hashing and salting correctly (though, with the source code leaked you could presumably just check), so realistically even though the authentication database was leaked, there would be no way for an attacker to get access to your real password, right? Isn’t this the exact situation password hashes are meant to protect against? I feel like the most we’d have to worry about is login tokens for apps and session cookies, which can be pretty easily mitigated from the server side by invalidating them all.

  • HMH · 6 upvotes · 3 years ago

    This argumentation is fine if your password is strong, Twitch followed best practices concerning password hashing + salting AND the whole thing is ONLY a leak. But to me it looks like the attacker(s?) probably had full access to a lot of Twitch’s internal infrastructure, possibly for a prolonged time. That’s why I think it’s very much possible that passwords have been obtained in another way.

  • ThreeHopsAhead · 2 upvotes · 3 years ago

    “I’m going to assume that Twitch implements password hashing and salting correctly”

    This is not a good idea. Many many sites including major companies have terrible security and don’t spend the slightest effort in protecting user data. They simply face no consequences over it. Countless data breaches show over and over again how badly sensitive information like passwords is protected. Many sites still use ridiculously weak hashing procedures like unsalted MD5 or even store passwords in plaintext. The way many sites handle passwords not only shows that their users’ security is of absolutely no priority to them but can often only be explained with enormous incompetence. Password guidelines are often so ridiculously bad, to the point where it would be a lot easier to just do it right, yet someone explicitly programmed nonsensical limitations for the passwords like length limits, limited character sets, the necessity to start with a letter, case insensitive passwords or whatever idiocy they can think of.

    Never trust a site to secure your data. They most likely won’t. Also don’t trust a company’s report on a breach. Breaches are often kept secret until there is no way to hide it anymore. But even then companies usually play it down and admit only to what they really cannot hide. The number and extent of known breaches is already disastrous, but there certainly is a lot of unknown breached data that makes it even worse.

    We have to assume the Twitch leak is worse than they admit. The attackers might have had access to much more than we know, perhaps they were able to intercept passwords in plaintext. We also have to assume Twitch did not properly secure the saved passwords. Acting otherwise would be foolish and insecure.

    Better safe than sorry: just hit the password generate button in your password manager. If you used the same password on other sites those should be changed regardless.

    And of course if your password is too weak no hashing can protect it from being cracked.

  • lovehumanityx · 1 upvote · 3 years ago

    In my view I think it’s a good idea to change your password and use one that you don’t use across any other website.

    • (username not shown) · 2 upvotes · edited · 3 years ago

      I prefer to randomly generate unique 16-64 character passwords (length depends on how stupid a website’s password restrictions are; some have small maximum lengths or other ridiculous requirements), then store those in an encrypted zip with a lengthy master password (that’s not written down anywhere or used anywhere else) and keep that zip on a couple of USBs (always good to have redundant backups). Even then I don’t directly label what they’re used for; I have keywords that only I’d recognize that let me know what they’re used for.

  • m-p{3} · 1 upvote · 3 years ago

    I’d err on the side of caution and just generate a new password.

  • roastpotatothief · 1 upvote · 3 years ago

    Probably because they know the hash and the salt, so now they can brute force your password, especially if it’s an easy one.

    If you use something like lesspass.com then just increment the counter. No stress.
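The “just increment the counter” idea above, as an added example that is neither code from the thread nor LessPass’s own implementation: a simplified, LessPass-style deterministic derivation where PBKDF2 binds a master secret to site, login and counter, so bumping the counter after a breach yields a fresh, unrelated password for that one site. The symbol set, the hex counter encoding and the rendering scheme are assumptions chosen for this example.

```python
import hashlib
import string

# Character classes the rendered password draws from (symbol set is an assumption).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def derive_password(master: str, site: str, login: str, counter: int = 1,
                    length: int = 16, iterations: int = 100_000) -> str:
    """Derive a site password from a master secret, a site, a login and a counter.

    The salt binds the PBKDF2 output to site, login and counter, so one master
    secret yields unrelated passwords per site, and bumping the counter after a
    breach rotates that one site's password without touching the master secret.
    The 32-byte output is read as a big integer and characters are peeled off by
    repeated division (a simplified scheme, not LessPass's exact rendering rules).
    """
    if counter < 1 or length < 4:
        raise ValueError("counter must be >= 1 and length >= 4")
    salt = f"{site}{login}{counter:x}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    entropy = int.from_bytes(key, "big")  # 256 bits, more than rendering consumes
    chars = []
    for _ in range(length - 4):
        entropy, idx = divmod(entropy, len(ALPHABET))
        chars.append(ALPHABET[idx])
    # Force one character from each class so typical site rules are satisfied.
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        entropy, idx = divmod(entropy, len(cls))
        chars.append(cls[idx])
    # Deterministic shuffle with the remaining entropy, so the forced class
    # characters do not always sit at the end of the password.
    out = []
    while chars:
        entropy, idx = divmod(entropy, len(chars))
        out.append(chars.pop(idx))
    return "".join(out)


def rotate_after_breach(master: str, site: str, login: str, counter: int) -> tuple:
    """The thread's advice in code: increment the counter, get a fresh password."""
    new_counter = counter + 1
    return new_counter, derive_password(master, site, login, new_counter)
```

Because the output depends only on the inputs, nothing is stored anywhere; the only state to remember after a rotation is the new counter value for that site.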