I think it’s really interesting how the Twitter attack wasn’t so much the hack of one system as of the entire technology ecosystem. The article calls out:
The list of services affected, either directly or indirectly, includes some of the most popular web applications and services in use today – Gmail, Google Apps, GoDaddy, MobileMe, AT&T, Amazon, Hotmail, PayPal and iTunes. Taken individually, most of these services have reasonable security precautions against intrusion. But there are huge weaknesses when they are looked at together, as an ecosystem.
So what do we take away from this? I think the article sums it up nicely:
So for a start, reset those passwords and don’t use the same passwords for different services. Don’t use password recovery questions that can easily be answered with a simple web search (an easy solution is to answer those questions falsely). And just in general be paranoid about data security. You may be happy you were.
This is a really good reason to keep passwords secure and distinct: use a random password generator, and don’t reuse a password across services. I wonder what implications, if any, this has for password managers like RoboForm or KeePass, which put all of one’s passwords in a single central location.
These conclusions also seem to advocate a stronger system of two-factor authentication in online services. E*Trade is the only company I know of that makes use of RSA keys as an additional layer of security. Bank of America offers a service called SafePass that sends a text message to your cell phone to add a layer of security similar to using an RSA key.
I’ve never used either of these services, so I don’t know exactly how they work. My concern is that if these security features are “optional”, it makes them easy to bypass and provides only a false sense of security for the end user. And that’s definitely not a good thing.