Renowned tech journalist Christopher Mims announced today that the password to his highly desirable four-letter Twitter account (that's my humblebrag for the year, for those of you keeping track) is the remarkably simple 'christophermims'. (I'm assuming it's been changed for this exercise, otherwise I'd have to go on a long and storied rant about generating passwords.) In his article, he praises 2FA, or two-factor authentication, as the future, which I agree it is. This is a system whereby you need a second authentication method to log in, the username and password combination being the first one. In this case, and in most cases, the second one is a code sent to your mobile phone. In the future, this might be a universal dongle, a bit like what some banks use for online banking, but one that works on all websites.

We are not quite there yet - it is the future, not the present - and Christopher may yet regret handing out his password.

What happens when we log in to Twitter with his credentials?

Phone number

Well, that's not good. Now we have his phone number. I'm not a social engineer, or based in the US, but that sort of information seems valuable in and of itself. Twitter have also helpfully told us that they have sent a six-digit code to his phone, and that he should type it in to gain full access to his account. There are only a million six-digit codes (000000 to 999999), and each login gets five attempts at guessing the code before being logged out. Of course, you can then log in again, and get another five bites at the cherry. I did this a couple of times, then got bored.

So, statistically (and ignoring what happens behind the scenes when many 2FA attempts are taking place at once), each login is a five-in-a-million shot, or 1 in 200,000. Because a fresh code is sent at every login, the guesses from different logins don't add up to a sweep of the key space; each login is an independent lottery ticket. Even so, if 100,000 sufficiently curious people log in with the password, there is roughly a 40% chance that one of them randomly lands in his account, and at 200,000 logins that rises to about 63%. For reference, the Wall Street Journal has nearly 2.5 million subscribers, let alone all the other people who will be reading this story as it does the rounds online.
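As an added worked example (my code, not anything from the post or from Twitter), here is a model of the lockout-and-relogin loop described above. It assumes uniformly random six-digit codes, five guesses per login session and an attacker who can start a new login immediately, and it contrasts the behaviour the post observes (a fresh code at every login) with the hypothetical worst case of a code that stays valid across logins. The constants, function names and the small-code-space simulation parameters are all mine.

```python
"""Added example (not from the original post): a model of the 2FA guessing
exposure described above.

Assumptions, all mine rather than the post's: the code is a uniformly random
six-digit number, the server allows ATTEMPTS_PER_LOGIN guesses before logging
the session out, a new login can start immediately, and the server either
issues a fresh code at every login (what the post observes) or keeps one code
valid across logins (a hypothetical worst case used for comparison)."""
import math
import random

CODE_SPACE = 10 ** 6          # 000000 .. 999999
ATTEMPTS_PER_LOGIN = 5        # guesses allowed before the session is logged out


def per_login_success(attempts=ATTEMPTS_PER_LOGIN, space=CODE_SPACE):
    """Chance that one login session (with distinct guesses) hits the code."""
    return attempts / space


def prob_success_fresh_code(logins, attempts=ATTEMPTS_PER_LOGIN, space=CODE_SPACE):
    """Fresh code per login: sessions are independent trials, so the chance
    that at least one of `logins` sessions succeeds is 1 - (1 - p)**logins."""
    p = per_login_success(attempts, space)
    return 1.0 - (1.0 - p) ** logins


def logins_for_probability(target, attempts=ATTEMPTS_PER_LOGIN, space=CODE_SPACE):
    """Smallest number of independent logins giving at least `target` chance."""
    p = per_login_success(attempts, space)
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def expected_logins_fresh_code(attempts=ATTEMPTS_PER_LOGIN, space=CODE_SPACE):
    """Mean number of logins until the first success (geometric distribution)."""
    return 1.0 / per_login_success(attempts, space)


def logins_to_exhaust_persistent_code(attempts=ATTEMPTS_PER_LOGIN, space=CODE_SPACE):
    """Hypothetical persistent code: a guesser who never repeats a guess is
    guaranteed success within ceil(space / attempts) logins."""
    return math.ceil(space / attempts)


def simulate_attack(persistent_code, max_logins, attempts=ATTEMPTS_PER_LOGIN,
                    space=CODE_SPACE, seed=0):
    """Monte Carlo run of the lockout-and-relogin loop.

    Returns the login number on which the code was guessed, or None if the
    attacker gives up after `max_logins` sessions."""
    rng = random.Random(seed)
    code = rng.randrange(space)
    sweep = list(range(space))     # non-repeating guess order for the persistent case
    rng.shuffle(sweep)
    cursor = 0
    for login in range(1, max_logins + 1):
        if not persistent_code:
            code = rng.randrange(space)              # server issues a new code
            guesses = rng.sample(range(space), attempts)
        else:
            guesses = sweep[cursor:cursor + attempts]
            cursor += attempts
            if not guesses:
                break                                # whole key space already tried
        if code in guesses:
            return login
    return None


if __name__ == "__main__":
    print(f"one login: 1 in {int(round(expected_logins_fresh_code())):,}")
    for n in (100_000, 200_000, 500_000):
        print(f"{n:>7,} logins, fresh code each time: "
              f"{prob_success_fresh_code(n):.1%} chance someone gets in")
    print(f"logins for a 50% chance: {logins_for_probability(0.5):,}")
    print(f"persistent code, no repeated guesses: certain within "
          f"{logins_to_exhaust_persistent_code():,} logins")
    # Small code space so the simulation runs in well under a second.
    print("simulation (1000 codes, 5 guesses/login): persistent ->",
          simulate_attack(True, 200, space=1000, seed=1),
          "fresh ->", simulate_attack(False, 2000, space=1000, seed=1))
```

The point the numbers make is that the five-attempt lockout on its own barely matters once re-login is free: the defence that actually limits the attacker is the fresh code per session, which turns a deterministic 200,000-login sweep into a lottery, plus whatever server-side throttling of repeated logins sits behind the scenes.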

I'm not hopeful for @mims.
