“There have been several recent incidents of high-profile news and media Twitter handles being compromised. We believe that these attacks will continue, and that news and media organizations will continue to be high value targets to hackers,” said Twitter in a memo obtained by BuzzFeed. “These incidents appear to be spear phishing attacks that target your corporate email. Promoting individual awareness of these attacks within your organization and following the security guidelines below is vital to preventing abuse of your Twitter accounts.”

As you may remember, the Associated Press’ Twitter account was hacked last week, and it sent out a false tweet claiming that there had been an explosion at the White House and that President Obama was injured. This tweet, though only visible for minutes before the AP took down the account, sent the stock market into a dive. Earlier this week, The Guardian also fell victim to a hack.

Twitter’s warning to news organizations suggests many of the things you would expect: change your passwords, make them strong, and keep your email accounts secure, since Twitter uses email to verify. Twitter also asks hack victims to contact them immediately so they can work on finding the problem as soon as possible.

But there is a pretty strange and severe request from Twitter: make sure you have a single computer that’s just for Twitter. Don’t do anything else on it. What?

“Designate one computer to use for Twitter. This helps keep your Twitter password from being spread around. Don’t use this computer to read email or surf the web, to reduce the chances of malware infection. Minimize the number of people that have access. Even if you use a third-party platform to avoid sharing the actual Twitter account password, each of these people is a possible avenue for phishing or other compromise.”

Interesting. Twitter is obviously taking this very seriously, and thinks you should too. If you operate an account that you think would be a high target of hackers, it’s time to up the concern a little bit.

Recent reports indicated that Twitter was working on two-step verification (finally) to make it a bit harder for attackers to compromise accounts. Although that wouldn’t totally fix the problem, it would be a start. It’s interesting that although we heard that this two-factor verification is on the horizon, Twitter is suggesting in this letter that organizations seek out help from a third-party two-step verification provider.

Although CISPA as a whole saw bipartisan support, one last-minute amendement that looked to curtail a worrisome practice by employers was shot down on party lines.

Colorado Democrat Ed Perlmutter attempted to tack on a provision to CISPA that would make it illegal for employers to require prospective employees to hand over their social media passwords as a condition of acquiring or keeping a job.

Has an employer even demanded one of your social media passwords as a condition of being hired or keeping your job? What was your reaction? Let us know in the comments.

The proposal was voted down 224-189, with Republicans in the majority.

“People have an expectation of privacy when using social media like Facebook and Twitter. They have an expectation that their right to free speech and religion will be respected when they use social media outlets. No American should have to provide their confidential personal passwords as a condition of employment. Both users of social media and those who correspond share the expectation of privacy in their personal communications. Employers essentially can act as imposters and assume the identity of an employee and continually access, monitor and even manipulate an employee’s personal social activities and opinions. That’s simply a step too far,” said Perlmutter.

This isn’t the first time that Perlmutter has introduced this sort of legislation. Last year, the same employee password protection language was rejected in the House.

Last year, the practice of employers demanding the Facebook passwords of prospective employees became a hot topic. Both state legislatures and the U.S. Congress introduced measures to counteract the rising trend. One particular bill, the Password Protection Act of 2012, was introduced in both the House and the Senate, but went nowhere.

That bill was introduced by Democratic Senator Richard Blumenthal. Before the bill was presented, back in May of 2012, he, along with Senator Chuck Schumer (D-NY) sent a letter to both the Department of Justice and the U.S. Equal Employment Opportunity Commission asking them to “launch a federal investigation into a disturbing new trend.”

Soon after that letter was sent, a motion called “Mind Your Own Business on Passwords” failed in Congress. It would have made the employee password issue one monitored by the Federal Communication Commission. They would have had the right to declare the practice illegal.

So, the Password Protection Act of 2012 moved forward. The language made it a crime that any employer “for the purposes of employing, promoting, or terminating employment, compels or coerces any person to authorize access, such as by providing a password or similar information through which a computer may be accessed.”

But it died, and has been referred back to committee.

The Password Protection Act of 2012 isn’t the only federal bill proposed to deal with the issue. Say hello to SNOPA, or the Social Networking Online Protection Act. It aims to do what the PPA tried to do, but with even clearer languge:

To prohibit employers and certain other entities from requiring or requesting that employees and certain other individuals provide a user name, password, or other means for accessing a personal account on any social networking website.

It’s been introduced, and referred to committee. No movement yet.

On the flip side, some states have had success in passing bans on the practice. First, the state of Maryland enacted a law banning password snooping. And this year, laws in both California and Illinois went into effect.

“It’s not déjà vu — this is the same amendment I introduced twice last year, so people have had plenty of time to study and discuss it. It has bipartisan support. It wouldn’t kill the underlying cyber-security bill; it wouldn’t send it back to committee. It merely safeguards an individuals’ personal privacy as they use their own personal social media accounts,” said Perlmutter of his CISPA add-on.

It’s important to note that Perlmutter did in fact vote yes on CISPA.

But despite those claims, the provision was crushed. If the past year is any indication, password protection legislation must be tackled at the state level, as it’s the only place that its been able to see any sort of success.

Do you think that we need a federal law banning the practice of password snooping by employers? Do you think that it’s better left to the states? Or, do you see no reason for any such legislation on any level? Let us know in the comments.

The case involves Jeffrey Feldman, a software engineer with a degree in computer science from University of Wisconsin-Madison. Suspected of possessing child pornography, FBI agents raided his home and seized 16 storage devices, 9 of which were encrypted.

The FBI filed an order to compel Feldman to decrypt his devices, and order which has been shot down by Judge William Callahan.

“This is a close call, but I conclude that Feldman’s act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with “reasonably particularity” – namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination,” said Judge William E. Callahan Jr.

The Judge concedes that the state knows the encrypted devices contain data, and that they already know the names of the files and that they probably exist on said devices. He also concedes that the state has shown that Feldman is surely capable of decrypting the devices.

But the following question remains: Is it reasonably clear, in the absence of compelled decryption, that Feldman actually has access to and control over the encrypted storage devices and, therefore, the files contained therein? To be sure, the storage devices were all found in Feldman’s residence, where he has admittedly lived alone for the past 15 years. In addition, the unencrypted Dell computer, which showed connections to the encrypted storage devices, has a login screen with only one username, “Jeff.” Nevertheless, unlike in Boucher and Fricosu, here, Feldman has not admitted access and control.

It’s clear that the Judge thinks that this is a very tricky case, and his decision toes the line.

In the end, however, the conclusion is that the state simply doesn’t know enough already about the contents of the drives and the defendant’s ties to them to compel him to access them.

An attorney with the Electronic Frontier Foundation told Wired that “this isn’t just about child porn. It’s about anything on your computer that prosecutors or government officials may want.”

Don’t think that encrypting your data shields you from the long reach of the law, however. Not only is encryption less than 100% effective, but this is simply one ruling. In the past, we’ve seen courts compel decryption – for instance in the aforementioned Boucher case, where a man was forced to unlock his laptop after authorities suspected it contained child pornography.

Two-factor authentication (2FA), generically, is any approach to authentication that has multiple layers. Around the web (like with Google for instance), it is usually applied with a combination of a password and mobile alert. When a new device/location attempts to log on to a Google account, not only is a password required but so is a secondary authentication code sent to a user’s mobile device.

This way, an unauthorized user would not only have to obtain your password, but also your phone in order to access your account. It’s simply another layer of security, and one that companies like Google say “drastically reduces” the chances of a bad guy getting their hands on your personal info.

The Guardian points to a job posting on Twitter’s employment site. The post is for a full-time software engineer in the specialized area of product security. Among the duties of said position is to “design and develop user-facing security features, such as multifactor authentication and fraudulent login detection.”

As you may remember, Twitter made a pretty bad screw-up last November when they accidentally reset a bunch of passwords for accounts that hadn’t actually been compromised, following a hack that did see some accounts compromised.

Like any online service, Twitter accounts are vulnerable to being compromised and used for nefarious purposes – whether that be malicious spam messages or simply hijacking tweets in order to expose or embarrass.

In the past, Twitter has stated that they’ve “certainly explored two-factor authentication,” but to date the company has made no public declarations of intent. While this job posting is far from conclusive evidence that Twitter plans to implement 2FA, it does suggest that they are looking for personnel that could possibly draw up such a system.

At 12:01 a.m. on Monday morning, a new law went into effect banning employers from requesting Facebook passwords from potential or current employees. The law is in response to a growing, and rather disturbing, trend of employers demanding Facebook passwords as part of the employment process. The argument is that employers need to know everything about a potential employee, and that apparently now includes somebody’s personal life on social networks.

Of course, the new law doesn’t give you free reign to post whatever you like on social networks. The law only bans the practice of asking for passwords. Employers still have the right to dig through the Internet finding whatever they can on you and your habits. You might want to start hiding all of those embarrassing pictures of yourself at college parties. Public tweets and other online profiles are also fair game for the potential employer.

Still, these kind of laws should receive national attention. Not every state values privacy as much as the next, and a federal law banning the practice would be a small win for privacy in a year where individual privacy is being stamped out left and right. New York Rep. Eilot Engel introduced SNOPA last year to stop the practice, but the bill has not even made it past committee since April of last year so chances of passage are slim.

As of now, only California, Illinois and Michigan have laws on the books banning employers from asking for social network passwords. It could take a while for other states to come around to passing such bills if nothing is done on the federal level this year.

[h/t: Daily Tech]

Of course, users were a bit skeptical about the legitimacy of said emails. Although many users did report that their accounts had been compromised, some users had received the email without any outward sign of any disturbance on their accounts.

Now, Twitter has released a statement on their status page that suggests that they believe some accounts were hacked, but that they messed up to by resetting passwords of accounts not affected by the hack.

Here’s that full statement:

We’re committed to keeping Twitter a safe and open community. As part of that commitment, in instances when we believe an account may have been compromised, we reset the password and send an email letting the account owner know this has happened along with information about creating a new password. This is a routine part of our processes to protect our users.

In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused.

So if you receive an email from Twitter asking you to chance your password, you should probably do it.

Today, we are more interconnected than ever before. Not only do we use the Internet to stay connected, informed, and involved, but we rely on it for all of our day-to-day needs. The nation’s critical infrastructure relies heavily on the Internet for everything from submitting taxes, to applying for student loans, to following traffic signals, to even powering our homes. Can you imagine our lives without the Internet?

Yet, for all of its advantages, increased connectivity brings increased risk of crime – thus making cybersecurity one of our country’s most important national security priorities.

Passwords continue to be a concern. This week, we looked at new data about some of the recent big password leaks, finding that the most common password on the Internet is password, followed by 123456 and 12345678. Suffice it to say, passwords aren’t being taken seriously enough.

Software developer Siber Systems has put out a set of simple password-related tips for consumers to consider:

1. Create passwords that are difficult for anyone to guess, including friends, family and hackers. Avoid passwords that relate on a personal level, instead use upper and lower case letters, random symbols, and do not use any word found in the dictionary. One trick is to choose the first letters of each word from a random phrase such as “I like to eat pineapple daily”, to get “iLtEPd”, with the addition of a symbol and number for added measure. Also change passwords every 30 days.

5. Utilize technology tools to make password management and selection easier.

Setting a strong password is the top recommendation from the Department of Homeland Security, when it comes to practicing cybersecurity. Other recommendations include: keeping your operating system, browser and other software optimized by installing updates, maintaining an open dialogue with family, friends and community about Internet safety, limiting the amount of personal info you post online and using privacy settings, and being cautious about what you receive or read online.

Remember all of those password leak stories you’ve seen in the last few months? How many? One? Two? Three? More? While most of those leaks fall on the shoulders of the network security of the companies involved, they still reveal a shocking truth: People are terrible when it comes to choosing a proper password. And new data culled from these various leaks confirms this.

It’s time for SplashData‘s annual list of the 25 most-common passwords on the internet. They say their list is “just in time for Halloween” – it’s that scary. And yeah, that fact that people are still this clueless on the incredible insecurity of their information is truly frightening.

The most common password, as revealed by the study, is “password.” That remains unchanged from last year. In fact, the two three most-common passwords are the same as they were last year – “123456″ and “12345678″ being the other two.

New entries on the top 25 list include “welcome,” “jesus,” “ninja,” “mustang,” and “password1.”

Check out the complete list below:

1. password (Unchanged)
2, 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)

“We’re hoping that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites,” said SplashData CEO Morgan Slain.

Well, it doesn’t seem to be working. We’ve known that people truly suck at picking passwords for some time, and it doesn’t seem to be changing. Want another example? Analysis of the aforementioned LinkedIn password leak showed that the top password for the leaked accounts was “link.”

Facepalm.

California was one of the states to quickly propose legislation barring the controversial practice, with two bills rising from the Senate and the Assembly. The first, AB 1844 proposed a ban on employers requiring a current of prospective employee to “disclose a user name or account password to access a personal social media account.” The second bill, SB 1349, sought to keep passwords safe in another realm – postsecondary education.

Now, both bills have been signed by Governor Jerry Brown. Passwords are on their way to being protected in California.

Here’s what Jerry Brown had to say about the legislation on Twitter:

Follow @JerryBrownGov

Jerry Brown
@JerryBrownGov

Today I signed two bills to prohibit universities and employers from demanding your social media passwords.

 Reply  ·  Retweet  ·  Favorite
19 hours ago via web · powered by @socialditto

Follow @JerryBrownGov

Jerry Brown
@JerryBrownGov

California pioneered the social media revolution. These laws protect Californians from unwarranted invasions of their social media accounts.

 Reply  ·  Retweet  ·  Favorite
19 hours ago via web · powered by @socialditto

While AB 1844 prohibits employers from demanding passwords related to social media account, it does not cover employer-issued electronic devices (like a work phone). “The bill further stipulates that nothing in its language is intended to infringe on employers’ existing rights and obligations to investigate workplace misconduct.”

SB 1349 reads the same way, with a stipulation that universities are still allowed to investigate “misconduct,” just not via demanding access to a student’s personal social media account.

Let’s conclude with a warning to other states from SB 1349 sponsor Leland Yee:

“[W]hat has happened is that there are just more and more states that are beginning to understand that the social media accounts so, in fact, have personal and private information, and if states do not somehow enact their own laws, that they are putting the residents in those states at risk. It’s extremely important that individual states respond to this emerging problem.”

Blizzard’s Mike Morhaime announced late last night that Blizzard and it’s Battle.net servers were hacked. Thankfully, no financial information seems to have been stolen in the attack. The hackers did manage to make it out with some info that might lead to compromised accounts.

Morhaime says that the hackers were able to extract email addresses for global Battle.net users. Outside of the email addresses, it seems that North American players were specifically targeted as their security question answers, mobile authenticators and cryptographically scrambled passwords were also taken. Morhaime notes that the passwords are extremely tough to crack due to their encryption, but you should still change your password nonetheless.

As Blizzard works through this mess, they will be sending out notifications to players over the coming week to change their security questions. They will also update the mobile authenticator software so that it can’t be accessed by would be hackers.

As Morhaime suggested, you’re going to want to change your password. While the change of your account getting hacked is low, the chance is still there. It’s always better to be safe than be sorry over your account getting billed for purchases you didn’t make.

Like with all other hack attacks, Blizzard is now working with the authorities to find out who was behind it. They may never find out who did it, but we’ll keep a look out for any groups that claim responsibility.