Industry News

Post-hack, Twitch users told to reset passwords… but they don’t have to make them too long

Video game streaming service Twitch posted a security alert yesterday, announcing that hackers had compromised its systems and users’ personal details may have been exposed.

An email sent out to some users described the type of information that online criminals may have been able to access:


…there may have been unauthorized access to some of your Twitch user account information, including possibly your Twitch username and associated email address, your password, the last IP address you logged in from, limited credit card information (card type, truncated card number and expiration date), and any of the following if you provided it to us: first and last name, phone number, address, and date of birth.

Some versions of the email reportedly claimed that passwords “could have been captured in clear text by malicious code when you logged into our site on March 3.”

Twitch has sensibly reset accounts – requiring users to choose a new password, and reconnect their accounts with Twitter and YouTube.

It should go without saying that if your password has potentially been breached on a site like Twitch, you had better make sure that you are not using the same password anywhere else on the internet.

However, it seems things did not run entirely smoothly, with Twitch users complaining that they wasted hours waiting for password reset links to be emailed to them (presumably because a lot of people were trying at the same time), or that the site was demanding new passwords of at least 20 characters.


That gave Twitch a dilemma. Should they help their users stay secure, or should they help them stay happy?

Someone at Twitch clearly felt that it was more important that their customers remained happy (with shorter, potentially weaker, passwords) than safe – and an update was swiftly added to the original advisory saying that the new password requirements had been watered down.


We’ve heard your concerns about overly-restrictive password requirements, and have reduced them to an 8 character minimum. Best practices regarding password security remain true.

Yes, you heard that right, folks. Following a hack, most companies strengthen their security – but in Twitch’s case they actually watered it down to appease grumbling users who haven’t yet learned that life would be easier and safer if they simply used a password manager.

After all, a password manager remembers your passwords for you – and doesn’t care how long or complex they are.
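To make the gap between the two minimums concrete, here is an added example (my own illustration, not code from the original post or from Twitch). It assumes a password manager that draws uniformly from a 94-character alphabet (letters, digits and ASCII punctuation), uses Python's `secrets` module as a stand-in for the manager's generator, and uses a constructed guess rate of ten billion guesses per second purely for comparison:

```python
import math
import secrets
import string

# Assumed alphabet for a password-manager-generated password: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed figure for comparison only: guesses per second an offline attacker might manage.
ASSUMED_GUESS_RATE = 10_000_000_000


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate a uniformly random password with a CSPRNG, as a password manager would."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: int = ASSUMED_GUESS_RATE) -> float:
    """Years needed to try every password of the given entropy at the assumed rate."""
    seconds_per_year = 365.25 * 24 * 3600
    return (2 ** bits) / guesses_per_second / seconds_per_year


def meets_minimum_length(password: str, min_length: int) -> bool:
    """The single rule Twitch relaxed: the minimum password length (20, later 8)."""
    return len(password) >= min_length


def compare_policies() -> dict:
    """Compare random passwords at Twitch's original and relaxed minimum lengths."""
    result = {}
    for min_length in (8, 20):
        bits = entropy_bits(min_length, len(ALPHABET))
        result[min_length] = {
            "entropy_bits": round(bits, 1),
            "years_to_exhaust": years_to_exhaust(bits),
        }
    return result


if __name__ == "__main__":
    for min_length, stats in compare_policies().items():
        print(f"{min_length}-character random password: "
              f"{stats['entropy_bits']} bits, "
              f"{stats['years_to_exhaust']:.3g} years to exhaust at the assumed rate")
    pw = generate_password(20)
    print("manager-generated:", pw, "meets 20-char minimum:", meets_minimum_length(pw, 20))
```

The point the numbers make is the one the post makes in words: a password manager produces the 20-character password without the user ever typing it, so the longer minimum costs a manager user nothing, while an 8-character random password is within reach of offline cracking and a human-chosen 8-character one is far weaker still, since it is not uniformly random.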

In fairness, Twitch’s advisory does offer password managers as one of its suggestions for better online security – but part of me really wishes it had stuck to its guns and demanded that lengthy passwords be used, as that would surely have encouraged at least a few more users to try out a password management utility.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.