Normally the advice given to people who suspect that their password has been compromised is to change the password. Simple enough, right? By doing that the bad guys no longer have access to your account. But a conversation I had this morning on Twitter made it clear to me that people don't understand that there are exceptions ... and one such exception is Twitter itself.
Let me explain. I have a Twitter account (which I hope you all follow!). That account is password protected. I have several applications across a range of devices that connect to that account (plus a few external services that send me email notifications of new messages and tweets I might have missed). To authorize those apps to have access to my account I have to give them my password. They only need this once and then they're authorized to access the account.
OK ... on to the clever/dumb part. If I log into my Twitter account and change my password, I don't have to reauthorize any of the apps that have been previously authorized. They just carry on working as normal.
Why is this both clever and dumb? Well, it's clever because it allows me to be security conscious and change my password regularly and not have to input the new password into every app. That's a massive time saver! But it's dumb because if my Twitter account somehow gets compromised (say in order to spam my followers), then changing my password won't fix the problem if the spammer's been clever enough to authorize a few apps of their own before I change my password. They'll continue being able to spam my followers no matter how many times I change my password.
Convenience almost always trades off against security.
So how do you kick the bad guys off your account?
Here's how ... navigate to the Twitter website and click on the drop-down box in the top-right of the screen and select Settings:
Now click on the Applications tab ... from there you can see what applications have access to your account. Revoke Access from anything that you're not familiar with:
Twitter should make it clearer to users who are changing their password that this action alone might not be enough to protect them after their account has been compromised, and point them towards the list of applications that have access to their account. Twitter could also improve the applications list by showing users the IP address or even the location from where the application was initially authorized.
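To make the behaviour described above concrete, here is an added example (my own constructed model, not Twitter's code and not from the original post) of an account that issues long-lived app tokens. The class names, the sample passwords, app names, IP addresses and timestamps are all made up. It shows three things: a password change on its own leaves a previously authorised app working, walking the applications list and revoking unfamiliar entries cuts the unwanted app off while keeping your own, and a password-change routine that revokes every app token at the same time closes the gap outright (at the cost of re-authorising your own apps). Each authorisation also records the IP address it was granted from, which is the metadata the post suggests Twitter should display.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class AppAuthorization:
    """One third-party app's standing access to the account (constructed model)."""
    app_name: str
    token: str               # long-lived credential given to the app, not the password
    authorized_from_ip: str  # the kind of metadata the post wants shown in the app list
    issued_at: int           # constructed timestamp, seconds since epoch


class Account:
    """Hypothetical account store: a password hash plus a set of app tokens."""

    def __init__(self, password):
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password)
        self.apps = {}  # token -> AppAuthorization

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self._pw_hash, self._hash(password))

    def authorize_app(self, password, app_name, from_ip, now):
        """The password is needed once; after that the app holds its own token."""
        if not self.check_password(password):
            raise PermissionError("wrong password")
        token = secrets.token_urlsafe(32)
        self.apps[token] = AppAuthorization(app_name, token, from_ip, now)
        return token

    def app_can_act(self, token):
        return token in self.apps

    def change_password(self, old, new, revoke_apps=False):
        """With revoke_apps=False this mirrors the behaviour the post describes."""
        if not self.check_password(old):
            raise PermissionError("wrong password")
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(new)
        if revoke_apps:
            self.apps.clear()

    def revoke_app(self, token):
        self.apps.pop(token, None)

    def list_apps(self):
        return list(self.apps.values())


def _compromised_account():
    """Constructed scenario: the password has leaked and an unwanted app was authorised."""
    acct = Account("original-password")
    mine = acct.authorize_app("original-password", "MyPhoneClient", "203.0.113.10", 1_000)
    rogue = acct.authorize_app("original-password", "UnknownApp", "198.51.100.7", 1_500)
    return acct, mine, rogue


def password_change_only():
    """Returns True: the unwanted app still works after the password changes."""
    acct, _mine, rogue = _compromised_account()
    acct.change_password("original-password", "new-unique-passphrase")
    return acct.app_can_act(rogue)


def review_and_revoke():
    """Revoke anything not on my own list; returns (my_app_works, rogue_app_works)."""
    acct, mine, rogue = _compromised_account()
    acct.change_password("original-password", "new-unique-passphrase")
    known = {"MyPhoneClient"}
    for auth in acct.list_apps():
        if auth.app_name not in known:
            # auth.authorized_from_ip is what a user would want to see here
            acct.revoke_app(auth.token)
    return acct.app_can_act(mine), acct.app_can_act(rogue)


def change_password_with_revocation():
    """Returns False: revoking all tokens on password change shuts the rogue app out."""
    acct, _mine, rogue = _compromised_account()
    acct.change_password("original-password", "new-unique-passphrase", revoke_apps=True)
    return acct.app_can_act(rogue)


if __name__ == "__main__":
    print("rogue app survives password change:", password_change_only())
    print("(mine, rogue) after reviewing the list:", review_and_revoke())
    print("rogue app survives change with revocation:", change_password_with_revocation())
```

The model makes the trade-off visible: the convenient design keeps tokens independent of the password, so the only defences are an app list the user actually reviews, or a password-change path that revokes tokens as well.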