Twitch, the live video community for gamers, announced yesterday that ‘there may have been unauthorized access to some Twitch user account information.’ They had been hacked. That’s never good, and because the hackers may have had access to usernames and passwords, Twitch took the very sensible step of cancelling passwords and is forcing their users to create new passwords the next time they log in.

Twitch also did a nice job of recommending that their users change passwords on any other accounts where they might share their old Twitch password. [Don’t use the same password on multiple sites!]

Twitch claims to have more than 100 million visitors a month, so it’s going to take some effort to make sure everything goes smoothly.

Things started to go wonky when users began changing their passwords. As Graham Cluley at HotforSecurity reports, users started reporting that they had to wait a very long time for their passwords to be reset. Frustration grew with all that waiting and users started to complain that new requirements for Twitch included a minimum 20 characters. Ouch! In response to the ‘concerns about overly-restrictive password requirements,’ Twitch backpedaled to 8 characters. In effect, the company that was just hacked caved to user complaints about stronger passwords. That’s just weird.

A couple of points:

  • if you have a Twitch account, make sure your new password is strong! The best way to have a strong password is to use a password manager, that way it can be ‘long and strong’ and you don’t have to worry about forgetting it.
  • don’t share passwords on multiple accounts. Not even a super strong password! Hacks happen. You’re protecting yourself by having a different password on each of your password-protected accounts. That way, if one of your accounts is hacked, your risk will be limited to that account. That’s another benefit of using a password manager.

Twitch sent a confusing message about password security that might have been avoided if they had thought it through first. Decreasing a security requirement because of customer feedback doesn’t seem the best way to create a security policy. That’s not to say that 20 characters is ideal, but by dropping it to 8, they were telling their users that length isn’t that important, and that the original requirement of 20 characters was just a random number. At the least, this approach doesn’t inspire confidence.