Twitch responds to cyber breach by making passwords shorter
Gameplay streaming service makes ‘nonsensical’ decision to reduce minimum password length
Amazon-owned Twitch, a video streaming service, has responded to hackers harvesting user details by reducing its minimum length for passwords.
The firm, which allows gamers to stream footage of them playing videogames, yesterday warned customers that cyber criminals may have compromised their accounts, leaving their personal details up for grabs.
Vulnerable data allegedly includes email addresses, passwords, dates of birth and address and contact information.
Twitch expired all account holders' passwords as a security measure, meaning users must create a new password next time they log in.
However, users took to social networks to complain that the 20-character minimum length for Twitch passwords was too high, and Twitch folded under the pressure, cutting the minimum character limit to eight.
A blog post read: "For your protection, we have expired passwords and stream keys and have disconnected accounts from Twitter and YouTube.
"We've heard your concerns about overly-restrictive password requirements, and have reduced them to an eight-character minimum. Best practices regarding password security remain true."
While the blog recommends people either create a string of random letters and numbers or use a random password generator, the reduced character limit means people can create less secure passwords.
Mark James, security specialist at antivirus firm ESET, criticised Twitch for the decision, saying the user complaints would comprise a small percentage of the overall user base.
"In a time when security should be more important than convenience it makes no sense to shorten the requirement for password length," he said.
"We should understand by now that longer passwords are a necessity and not a problem if we want to protect our identities and hard earned cash."
The news comes after Yahoo introduced a random password generator service for its email customers, to make the service more secure.
'Password' and '123456' proved to be the most popular passwords in 2014, security firm SplashData's latest annual survey showed.
There are few details about who was behind the Twitch hack, but cyber criminal group Lizard Squad have been responsible for a wave of attacks on gaming sites, with targets including Xbox.
ESET's expert, James, said: "Gaming sites have always been a lucrative target. Not only do they represent gamers that may use the same login and passwords as similar sites but they also enable the possibility of other electronic goods to be stolen and sold elsewhere, in game items, in game gold."
He praised Twitch's move to expire passwords and unlink Twitch accounts from other platforms, but encouraged users to make their passwords more secure by mixing upper and lower case letters with numbers and unusual symbols.
Picture courtesy of Takuma Kimura